Regular Contributor I

Client VPN tunnel not working over Aruba VPN controllers

(In my Zombie voice)
Brains, brains give me your brains.


I have a 7005 controller at a remote site and a 7210 RAP/VPN controller as the hub, with a standard IPsec tunnel between the two of them over an internet connection. AOS 6.5.3.3. This particular setup happens to be in China. I have other setups exactly like this in other parts of the world, including one in my house in the US. The US one goes to a US VPN/RAP controller.


I have guest users who, after web authenticating, launch a VPN client. I think it is an AT&T VPN client. The VPN establishes but they are unable to pass any traffic over the connection. My company's VPN client works fine. Occasionally they get some traffic working, but it is barely working. For instance, last night they said Outlook worked but Skype and web browsing did not. Then we re-authenticated the guest and they said now Skype works but Outlook doesn't and web doesn't. Sometimes nothing works; never has it all worked.


I have a support case open. One thing I noticed is that the crypto tunnel MTU is at the default of 1500. I cannot ping with the DF flag set anything bigger than 932 across the IPsec tunnel, controller IP to controller IP. I tried lowering the crypto tunnel MTU to the lowest value, 1024, but still cannot ping larger than 923 with DF set. Same results on my other Aruba VPN controllers and tunnels.


Exact setup / flow is:

  • unmanaged switch with APs (guest wired or wireless), AP SAP MTU at default.
  • 7005 with no split tunnel; all traffic goes to the RAP controller.
  • IPsec tunnel over the ISP.
  • ASA firewall with a public IP NATed to the internal RAP controller IP.
  • RAP controller, where all traffic is forwarded via PBR to the Cisco core LAN.
  • From the LAN it follows the routing table and out the ASA FW on a different FW context.

Any idea why this client's VPN traffic will not pass but connects? Any suggestions on the MTU of the controllers' IPsec tunnel? The client's role on the controller allows all external traffic. The ASA firewall enforces from there.
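One way to run the DF-set ping probe described above systematically, instead of trying sizes by hand, is a binary search over the ping payload size. This is an added example, not code from the original post or from Aruba. It assumes Linux iputils ping, where -M do sets the DF bit and -s gives the ICMP payload size in bytes (on BSD/macOS the DF flag is -D instead), and 192.0.2.1 is a placeholder for the far-end controller IP. Because the probe size is the ICMP payload, the implied path MTU adds the 8-byte ICMP and 20-byte IPv4 headers; if your ping tool counts the whole datagram instead, drop that +28.

```shell
#!/bin/sh
# Added example (not Aruba code): binary-search the largest DF-set ping payload
# that crosses a path, then report the path MTU it implies.
# Assumes iputils ping on Linux: -M do sets the DF bit, -s is the payload size.

HOST="${HOST:-192.0.2.1}"   # placeholder address; set HOST to the far-end controller IP

# probe SIZE: returns 0 if a single ping with DF set and SIZE payload bytes gets a reply.
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$HOST" >/dev/null 2>&1
}

# pmtu_search LO HI: prints the largest payload in [LO, HI] that probe accepts.
# Relies on probe being monotonic: if SIZE gets through, every smaller size does.
pmtu_search() {
    lo=$1; hi=$2; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid"; then
            best=$mid; lo=$(( mid + 1 ))   # fits: search the upper half
        else
            hi=$(( mid - 1 ))              # too big: search the lower half
        fi
    done
    echo "$best"
}

# path_mtu PAYLOAD: IPv4 MTU implied by an ICMP echo payload (8 ICMP + 20 IP header bytes).
path_mtu() {
    echo $(( $1 + 8 + 20 ))
}

# Only probe the network when asked to, e.g.:  HOST=203.0.113.5 sh pmtu.sh run
if [ "${1:-}" = "run" ]; then
    payload=$(pmtu_search 0 1472)   # 1472 is the payload of a full 1500-byte IPv4 frame
    echo "largest DF-set payload: $payload bytes -> path MTU about $(path_mtu "$payload") bytes"
fi
```

Run it once from a host behind the remote controller toward a host behind the hub, and once controller-IP to controller-IP; if the two results differ, the lower figure is a property of the controller's own ping path rather than of the tunnel, which is worth knowing before you lower the crypto MTU.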

Aruba Employee

Re: Client VPN tunnel not working over Aruba VPN controllers

With tunnels inside of tunnels, MTU issues are common. If your tests are showing that packets larger than 932 bytes can't make it through without fragmentation, try setting your MTU lower than 932 bytes.


Charlie Clemmer
Aruba Customer Engineering
Regular Contributor I

Re: Client VPN tunnel not working over Aruba VPN controllers

Apparently the 932-byte limit on packets with DF set is only a limitation of pinging from the remote controller to the VPN hub controller IPs, per Aruba. I later discovered I could ping from my home in Houston over a RAP all the way to a user on the remote controller in China using a 1400-byte packet with DF set without issue.


On the note about adjusting the MTU of the IPSec tunnel:
Aruba support says this:

Regarding the MTU change option for the site to site VPN, we do not have any specific configuration with which we can change the site to site VPN MTU.


My response:

I am not satisfied with your response about being able to adjust the MTU on a VPN tunnel. I already know there is a global command "crypto ipsec mtu <1024-1500>". I assume doing this adjusts the MTU on all tunnels to the selected value, and I can see this by doing a "show crypto ipsec mtu". But there must be a way to adjust per tunnel, as it is common to have to adjust the MTU on VPN tunnels and each needs to be unique in some cases. Additionally, if I use the global command, there must be a way to see that the tunnel in question shows the MTU setting via a show command or debug?


Does anyone have any experience with verifying the MTU size of the actual tunnels individually?

Guru Elite

Re: Client VPN tunnel not working over Aruba VPN controllers

show datapath tunnel table



Colin Joseph
Aruba Customer Engineering
