Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client VPN tunnel not working over Aruba VPN controllers

  • 1.  Client VPN tunnel not working over Aruba VPN controllers

    Posted Apr 04, 2018 04:09 PM

    (In my Zombie voice)
    Brains, brains give me your brains.

     

    I have a 7005 controller at a remote site and a 7210 RAP/VPN controller as the hub with a standard IPSEC tunnel between the two of them over an internet connection.  AOS 6.5.3.3.  This particular setup happens to be in China.  I have other setups exactly like this in the other parts of the world including one in my house in the US.  US one goes to a US VPN/RAP controller.

     

    I have guest users who, after web authenticating, launch a VPN client.  I think it is an AT&T VPN client.  The VPN establishes but they are unable to pass any traffic over the connection.  My company's VPN client works fine.  Occasionally they get some traffic working but it is barely working.  For instance, last night they said Outlook worked but Skype and web browsing did not.  Then we re-authenticated the guest and they would say now Skype works but Outlook does and web doesn't.  Sometimes nothing works; never has it all worked.

     

    I have a support case open.  One thing I noticed is the crypto tunnel MTU is default at 1500.  I cannot ping with DF flag anything bigger than 932 across the IPSEC tunnel, controller IP to controller IP.  I tried lowering crypto tunnel MTU to the lowest, 1024, but still cannot ping larger than 923 with DF set.  Same results on my other Aruba VPN controllers and tunnels.

     

    Exact setup / flow is:

    • unmanaged switch with APs (guest wired or wireless)  AP SAP MTU default.
    • 7005 with no split tunnel all traffic goes to RAP controller.
    • IPSEC tunnel over ISP
    • ASA firewall with public IP natted to internal RAP controller IP.
    • RAP controller where all traffic is forwarded via a PBR to the Cisco core LAN.
    • From the LAN it follows the routing table and out the ASA FW on a different fw context.

    Any idea why this client's VPN traffic will not pass but connects?  Any suggestions on the MTU of the controller's IPsec tunnel?  Client's role on the controller allows all external traffic.  ASA firewall enforces from there.



  • 2.  RE: Client VPN tunnel not working over Aruba VPN controllers

    EMPLOYEE
    Posted Apr 05, 2018 08:56 AM

    With tunnels inside of tunnels, MTU issues are common. If your tests are showing that packets larger than 932 bytes can't make it through without fragmentation, try setting your MTU lower than 932 bytes.
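
The DF-ping test discussed in the posts above, automated as a binary search for the largest ICMP payload that crosses the path unfragmented. This is an added example, not part of the thread or Aruba's tooling; it assumes a Linux host with iputils `ping` (`-M do` sets DF), and `TARGET`, the function names and the simulated 932-byte path are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that passes with DF set.

# Live probe: one echo request with the Don't Fragment bit set.
# Linux iputils syntax; TARGET (assumption) is the far-side address to test.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "${TARGET:?set TARGET}" >/dev/null 2>&1
}

# Constructed stand-in path for offline runs: passes payloads up to 932 bytes,
# the figure reported in the thread (treated here as payload size, an assumption).
probe_simulated() {
    [ "$1" -le 932 ]
}

# find_max_df_payload PROBE LOW HIGH
# PROBE is a command called with a payload size; exit status 0 means a reply came back.
# Prints the largest passing size in [LOW, HIGH]; exits 1 if even LOW fails.
# The body runs in a subshell, so lo/hi/mid do not leak into the caller.
find_max_df_payload() (
    probe=$1 lo=$2 hi=$3
    "$probe" "$lo" || exit 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))   # upper midpoint so the loop always shrinks
        if "$probe" "$mid"; then
            lo=$mid                    # mid fits: the answer is mid or larger
        else
            hi=$(( mid - 1 ))          # mid is too big: the answer is below mid
        fi
    done
    echo "$lo"
)

# Size of the IPv4 packet carrying that payload:
# 20-byte IPv4 header (no options) + 8-byte ICMP header.
payload_to_ip_packet() {
    echo $(( $1 + 28 ))
}

# Run against a real path only when TARGET is set.
if [ -n "${TARGET:-}" ]; then
    max=$(find_max_df_payload probe_ping 64 1472) || { echo "no reply at 64 bytes" >&2; exit 1; }
    echo "largest DF payload: $max bytes (IPv4 packet: $(payload_to_ip_packet "$max") bytes)"
fi
```

Running it from a client behind the tunnel, rather than controller to controller, measures the path the guest traffic actually takes.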



  • 3.  RE: Client VPN tunnel not working over Aruba VPN controllers

    Posted Apr 06, 2018 08:44 AM

    Apparently the 932 byte packets with the DF set is only a limitation of pinging from Remote controller to VPN hub controller IPs per Aruba.  I later discovered I could ping from my home in Houston over a RAP all the way to a user on the remote controller in China using a 1400 byte packet with DF set without issue.

     

    On the note about adjusting the MTU of the IPSec tunnel:
    Aruba support says this:

    Regarding the MTU change option for the site to site VPN, we do not have any specific configuration with which we can change the site to site VPN MTU.

     

    My response:

    I am not satisfied with your response about being able to adjust the MTU on a VPN tunnel. I already know there is a global command "Crypto ipsec mtu <1024-1500>". I assume doing this adjusts the MTU on all tunnels to the selected value and I can see this by doing a show crypto ipsec mtu. But there must be a way to adjust per tunnel, as it is common to have to adjust MTU on VPN tunnels and each needs to be unique in some cases. Additionally, if I use the global command there must be a way to see that the tunnel in question shows the MTU setting via a show command or debug?

     

    Does anyone have any experience with verifying the MTU size of the actual tunnels individually?



  • 4.  RE: Client VPN tunnel not working over Aruba VPN controllers
    Best Answer

    EMPLOYEE
    Posted Apr 06, 2018 08:54 AM

    show datapath tunnel table



  • 5.  RE: Client VPN tunnel not working over Aruba VPN controllers

    EMPLOYEE
    Posted May 31, 2018 08:50 AM
    Could you inbox me your TAC case number?


  • 6.  RE: Client VPN tunnel not working over Aruba VPN controllers

    Posted May 31, 2018 04:31 PM

    @kmookkandi wrote:
    Could you inbox me your TAC case number?

    Actually I gave up on the issue as RAPs and other VPN clients were working fine over the same connection.  For my client I blocked the IPSEC traffic from my guest network and this allowed their VPN client to fail over to SSL VPN which worked for them.



  • 7.  RE: Client VPN tunnel not working over Aruba VPN controllers

    Posted May 31, 2018 06:09 AM

    Hello, Would you have a procedure to set up a vpn so that users can connect to their box on the company network? I just tried but I do not understand why my nat source does not tick ....



  • 8.  RE: Client VPN tunnel not working over Aruba VPN controllers

    EMPLOYEE
    Posted May 31, 2018 06:15 AM

    Please be specific about your setup and what is not working.



  • 9.  RE: Client VPN tunnel not working over Aruba VPN controllers

    Posted Jun 04, 2018 08:08 AM
    Hello,
    
    I work on an Aruba 7210 controller. My boss asks me to set up a VPN between the terminals and the controller to allow users to connect a terminal on the Internet box and have access to the hospital LAN. I took a public address that is redirected to my controller through our firewall.
    
    I see the terminal passed on the firewall by the public address but the terminal is not attached to my controller.
    
    I enclose a copy of my service.
    
    Thank you for your help. Sincerely


  • 10.  RE: Client VPN tunnel not working over Aruba VPN controllers

    EMPLOYEE
    Posted Jun 04, 2018 11:36 AM

    @jo_it wrote:
    Hello,
    
    I work on an Aruba 7210 controller. My boss asks me to set up a VPN between the terminals and the controller to allow users to connect a terminal on the Internet box and have access to the hospital LAN. I took a public address that is redirected to my controller through our firewall.
    
    I see the terminal passed on the firewall by the public address but the terminal is not attached to my controller.
    
    I enclose a copy of my service.
    
    Thank you for your help. Sincerely

    Since your issue is different than the original problem (possible IPSec interoperability rather than tunnels inside of tunnels), I would suggest starting a new thread for better visibility.