Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

  • 1.  Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

    Posted Dec 06, 2016 07:38 PM

    Environment:

    Aruba Controller 620

    Version: 6.3.1.20

    RAP:  RAP5WN

    Campus AP: AP105

     

    Configuration:

    RAP5---->Internet----> Controller 620 ----> AP105

    SSID: Company-A-Branch

    Split tunnel broadcasted to RAP5WN in remote branches

     

    SSID: Company-A-Main

    in Tunnel mode, broadcast to the AP105 campus AP

    Both SSIDs have the same config, except for the mode above:

     

    VLAN: 1

    Dynamic Multicast Optimization (DMO) --> OFF

    Drop Broadcast and Multicast -->OFF

    Convert Broadcast ARP requests to unicast --> OFF

     

    VLAN 1 Settings:

    IGMP --> OFF

    Enable BCMC Optimization --> OFF

     

    Hi there,

     

    I have a really strange problem with multicast packets being sent from Wi-Fi users connected to Company-A-Branch, but they are able to receive multicast packets being sent from Wi-Fi users connected to Company-A-Main.  In a Wireshark capture from a computer connected to Company-A-Branch, it sees no multicast packets from another device on Company-A-Branch on the same RAP5 locally.

     

    However, if I change Company-A-Branch mode from Split-Tunnel to Tunnel, then everything works instantly.  Multicast packets sent locally can be received locally and across to devices in Company-A-Main.  

     

    I would like to understand whether it is by design that split tunnel drops multicast, or whether there are some additional parameters that I'm missing?

     

    David

  • 2.  RE: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

    EMPLOYEE
    Posted Dec 07, 2016 06:54 AM

    It depends.  What is the firewall policy for users in the role at the RAP-5?  What kind of multicast traffic is it?



  • 3.  RE: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

    Posted Dec 08, 2016 06:27 PM

    Hi Colin,

     

    The session ACL under the RAP AP System points to allowall policy which is

     

    IPv4 any any any permit Low

     

    David

  • 4.  RE: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

    EMPLOYEE
    Posted Dec 08, 2016 07:26 PM

    I mean the ACL in the user role assigned to the split tunnel SSID.



  • 5.  RE: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

    Posted Dec 08, 2016 07:39 PM

    The multicast packets are some push-to-talk packets, encrypted.

     

    ACL as follows

     

    split-tunnel

    ------------

    Priority  Source  Destination  Service    Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6

    --------  ------  -----------  -------    ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------

    1         user    any          udp 68     deny                                    Low                                                           4

    2         any     any          svc-dhcp   permit                                  Low                                                           4

    3         any     any          svc-dns    permit                                  Low                                                           4

    4         any     any          IPSec-ESP  permit                                  Low                                                           4

    5         any     any          svc-ike    permit                                  Low                                                           4

    6         any     any          any        route src-nat                           Low                                                           4

    allowall

    --------

    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6

    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------

    1         any     any          any      permit                           Low                                                           4

  • 6.  RE: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

    EMPLOYEE
    Posted Dec 09, 2016 12:23 AM

    Do the multicast packets correspond to the line here?

     

    any     any          IPSec-ESP  permit                                  Low    

     

    To find out what traffic is being sent in a split tunneled SSID, type:

     

    show datapath session ap-name <name of ap> table <ip address of client>

    to see what traffic is being sent by the client and how it is being handled when the PTT is active.  Please send the output of that so we can understand what is going on.  I honestly have never seen IPSEC sent to a multicast destination before...



  • 7.  RE: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

    Posted Jan 04, 2017 09:16 PM

    Hi Colin

     

    Sorry for the late reply.  Here is the output while on the split-tunnel SSID:

     

     

      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags 

    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----

    192.168.78.50   31.13.76.101    6    43568 443    0       0 0   6   local       1d8  0         0          SRC 

    192.168.78.50   216.58.221.106  6    37428 443    0       0 0   8   local       279  0         0          SRC 

    234.5.6.6       192.168.78.50   17   2010  45472  0       0 0   0   local       b    0         0          FY 

    192.168.78.50   192.168.78.254  6    48193 80     0       0 0   0   dev18       12   0         0          FHCI 

    192.168.78.50   173.194.203.188 6    40062 5228   0       0 0   8   local       26a  0         0          SRC 

    192.168.78.254  192.168.78.50   6    80    42827  0       0 0   0   dev18       12   0         0          FH 

    192.168.78.50   210.5.174.66    6    38772 5222   0       0 0   8   local       282  0         0          SRC 

    192.168.78.50   192.168.78.254  6    42827 80     0       0 0   0   dev18       12   0         0          HCI 

    192.168.78.50   75.101.136.208  6    48101 443    0       0 0   3   local       e1   0         0          SRC 

    192.168.78.50   234.5.6.6       17   45472 2010   0       0 0   0   local       b    0         0          FRC 
    192.168.78.50   64.233.188.188  6    40961 5228   0       0 0   4   local       283  0         0          SRC 

    192.168.78.50   31.13.76.66     6    38065 443    0       0 0   6   local       1d9  0         0          SRC 

    192.168.78.50   31.13.76.101    6    42130 443    0       0 0   8   local       284  0         0          SRC 

    192.168.78.50   218.189.210.3   17   45475 123    0       0 0   1   local       33   0         0          FSRC 

    192.168.78.254  192.168.78.50   6    80    48193  0       0 0   0   dev18       13   0         0          FH 
    While on the tunnel mode SSID:

      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags 

    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----

    192.168.78.50   234.5.6.6       17   40615 2010   0       0 0   0   dev12       11   0         0          FC 

     

    I am not sure about the policy

    any     any          IPSec-ESP  permit                                  Low    

     

    As this seems to have come by default when we first installed the Aruba Controller, and we weren't sure whether it is needed.  What we wanted was split tunnel in that policy.  So I assume all we need moving forward is:

     

    ip access-list session split-tunnel
      any any any  route src-nat
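As an added example that is not part of this thread, the script below parses the two `show datapath session` outputs posted above and picks out the flows whose source or destination is a multicast group (224.0.0.0/4 for IPv4), so the difference between the two SSID modes can be read off mechanically instead of by eye. The sample tables are copied from the post above (a subset of rows); the reading that a `Destination` value of `local` means the AP handles the flow itself, while `devNN` names an AP interface the flow is forwarded out of (such as the tunnel to the controller), is my own interpretation of the two captures and is labelled as an assumption in the code, not an ArubaOS statement.

```python
"""Parse ArubaOS `show datapath session` output and report how multicast flows are handled.

Added example for this thread; the two tables below are copied from the
outputs posted above (split-tunnel SSID first, tunnel-mode SSID second).
"""
import ipaddress

SPLIT_TUNNEL_OUTPUT = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.78.50   31.13.76.101    6    43568 443    0       0 0   6   local       1d8  0         0          SRC
234.5.6.6       192.168.78.50   17   2010  45472  0       0 0   0   local       b    0         0          FY
192.168.78.50   192.168.78.254  6    48193 80     0       0 0   0   dev18       12   0         0          FHCI
192.168.78.50   234.5.6.6       17   45472 2010   0       0 0   0   local       b    0         0          FRC
192.168.78.50   218.189.210.3   17   45475 123    0       0 0   1   local       33   0         0          FSRC
"""

TUNNEL_OUTPUT = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.78.50   234.5.6.6       17   40615 2010   0       0 0   0   dev12       11   0         0          FC
"""

# Column names in the order they appear in the table (14 whitespace-separated fields per row).
FIELDS = ("src", "dst", "proto", "sport", "dport", "cntr", "prio", "tos",
          "age", "destination", "tage", "packets", "bytes", "flags")


def parse_sessions(text):
    """Return one dict per session row; header, separator and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != len(FIELDS):
            continue  # the "Source IP ..." header has 16 tokens; blank lines have none
        try:
            src = ipaddress.ip_address(tokens[0])
            dst = ipaddress.ip_address(tokens[1])
        except ValueError:
            continue  # the dashed separator row has 14 tokens but no addresses
        row = dict(zip(FIELDS, tokens))
        row["src"], row["dst"] = src, dst
        row["proto"] = int(row["proto"])
        sessions.append(row)
    return sessions


def multicast_sessions(sessions):
    """Sessions whose source or destination is an IPv4/IPv6 multicast group."""
    return [s for s in sessions if s["src"].is_multicast or s["dst"].is_multicast]


def forwarding_summary(sessions):
    """Map each multicast group to the set of 'Destination' column values seen for it.

    Assumption (my reading of the two captures in the thread, not an ArubaOS
    statement): 'local' means the AP handles the flow itself, while 'devNN'
    names an AP interface the flow is forwarded out of, e.g. the tunnel to
    the controller.
    """
    summary = {}
    for s in multicast_sessions(sessions):
        group = s["dst"] if s["dst"].is_multicast else s["src"]
        summary.setdefault(str(group), set()).add(s["destination"])
    return summary


def compare_modes(split_text, tunnel_text):
    """Return {group: (handling in split-tunnel capture, handling in tunnel capture)}
    for every multicast group whose handling differs between the two captures."""
    split = forwarding_summary(parse_sessions(split_text))
    tunnel = forwarding_summary(parse_sessions(tunnel_text))
    return {g: (split.get(g, set()), tunnel.get(g, set()))
            for g in set(split) | set(tunnel)
            if split.get(g) != tunnel.get(g)}


if __name__ == "__main__":
    for group, (a, b) in compare_modes(SPLIT_TUNNEL_OUTPUT, TUNNEL_OUTPUT).items():
        print(f"{group}: split-tunnel -> {sorted(a)}, tunnel -> {sorted(b)}")
```

Run against the thread's own captures, the script reports that group 234.5.6.6 shows `local` on the split-tunnel SSID and `dev12` on the tunnel-mode SSID, which is the single difference the poster observed; the same parser can be pointed at a full `show datapath session ap-name <name of ap> table <ip address of client>` capture to check whether any other multicast groups behave the same way.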