07-06-2015 07:05 AM
I have a Remote AP (RAP) that works great, except that I cannot ping it from my desktop and I need that capability. Both my desktop and the Mobility Controller lie behind the firewall. When I ping from my desktop we can see that the RAP receives the ping and responds to the controller through its VPN tunnel. But when the controller routes the echo reply to my desktop it hits the firewall and the firewall blocks it. Changing the firewall is not an option.
Shouldn’t I be able to configure the RAP with a split-tunnel on the Wired Port so that it responds to my echo request directly instead of sending the reply to the controller through its VPN tunnel?
I have created a Wired AP Profile for Port 0, which is the only wired port, and set the “Forward Mode” to “split-tunnel.’ I created a policy where the first rule is: “Source = any, Dest = any, Service/App = any, Action = src-nat” and applied it to a User Role and assigned the User Role to the “Initial role” of the AAA profile.
I have not been able to get it to work and am unclear on how to proceed. This is the first time I have experimented with a Wired AP Profile, Policies and User Roles so I am hoping someone can explain how this can be done. I have read many Aruba documents but can’t find anything that directly addresses my questions.
Just to be clear, my goal is for the RAP to receive an echo request and send an echo reply directly back to the originator (bypassing the VPN tunnel). I don’t care about supporting wired traffic from the remote office and my only wired port is ETH0.
Solved! Go to Solution.
07-06-2015 07:16 AM
Whether a RAP will or will not answer to solicited traffic depends on the session-acl parameter in the AP system profile. http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/ap_system_profile.htm
Please take a look at what session ACL is assigned in the AP system profile of the RAP.
The configuration of the wired port does not determine whether or not a RAP itself answers pings.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
07-06-2015 07:18 AM
If you enable Split tunnel forwarding mode( VAP profile), it will show effect on only wireless traffic not on the wired traffic.
We can not ping the wired interface of the AP from the client. it is expected behaviour.
Please share your need, why do you want to ping the AP's wired interface so that we can find any other alternative way to chive it.
[Is my post helped you ? Give Kudos :) ]
07-06-2015 12:07 PM
Thank you, thank you, thank you! That was the clue I needed. The default Session ACL had a rule for svc-icmp to "permit." I changed this from "permit" to "route src-nat" and it now works. I don't totally understand the difference between "route src-nat" and plain ol' "src-nat" but it works.