Wireless Access

Reply
Occasional Contributor II

Help with VIA?

I'm a relative newbie with Aruba and am trying to get remote access to our office network set up using VIA and a Mobility Controller 3400.  I've gone through the setup process described in the PDF version of the Aruba Virtual Intranet Access User Guide and have gotten to the point where a VIA client connects, downloads a profile and then immediately disconnects.  The web login also works and a user is able to download the client from there after authenticating.

 

 I've run out of things to troubleshoot and would appreciate any suggestions or helpful tips anyone might have on getting this running.  For simplicty, I'm using the internal authentication on the mobility controller for authentication but would eventually want to use Active Directory on a Windows Server 2012 box for authentication in the future.

 

Thanks for any suggestions you might have!

Aruba Employee

Re: Help with VIA?

 

If you're saying the client has a valid profile, and when connecting using that profile, the connection fails, the following info

can be helpful.

 

Sometimes the most useful info is from the client Diagnostic logging, and basic

connectivity testing from client to the controller.

 

Ensure the profile downloaded has provided a valid IP for the controlle.

 

On the controller, check the datapath during the client connect to see inbound traffic,

we're usually looking for ports 443, 4500, 500

 

show datapath session

 

Enable debug logging:

 

 logging level debugging user-debug <client mac>
 logging level debugging security process crypto subcat ike

 logging level debugging security process authmgr

Check inbound IPSEC traffic

 

show crypto isakmp sa

show crypto ipsec sa

show datapath tunnel

 

If this proves ineffective, I'd recommend to open a case with Aruba Technical Support, provide the VIA client logs, and any controller data you've gathered.

 

Hope this Helps.

Shawn Adams
Aruba Networks Customer Advocacy
Aruba

Re: Help with VIA?

A couple of things to note and check:

 

  • By proving that a client can connect to /via and download the client and profile, you have proven that your VIA Web Authentication Profiles are working properly; including the authentication profile being used for it.  
  • The VIA Connection Profile is going to dictate what happens next from a connection/authentication standpoint; confirm the downloaded profile has the proper IP/DNS name for the controller
  • Confirm UDP 4500 is open between the VIA client and the controller
  • Do you have an L2TP pool setup?
  • What OS is the VIA client?
  • What type of authentication are you using within your VIA Connection profile that is downloaded to the client; IKE v1 or v2; if v2 is it eap-mschapv2, eap-tls or user-cert?
  • Check the VIA connection logs
  • Check the system log on the controller (show log system XX; for last XX events....check when it fails)
  • Enable debugging as suggested by sadams above
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II

Re: Help with VIA?

Just had some issues myself with VIA client.

I had web authentication working, client downloaded, it even downloaded a profile and connected. Just ran default settings more or less.Everything looked sweet.

After a machine restart I couldn't get a connection. 

Investigating the connection profile advanced settings, I saw that auto log in, and use windows credentials was ticked.

That might be your issue as well. That the downloaded profile actually tries to authenticate using windows credentials, with auto log in.

Occasional Contributor II

Re: Help with VIA?

Thanks for the suggestions.  I ended up having to open a TAC, which resolved the issue - the IKE key had not been configured.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: