New Contributor
Posts: 4
Registered: ‎07-07-2015

Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

Environment:

Aruba Controller 620

Version: 6.3.1.20

RAP:  RAP5WN

Campus AP: AP105

 

Configuration:

RAP5---->Internet----> Controller 620 ----> AP105

SSID: Company-A-Branch

Split tunnel broadcasted to RAP5WN in remote branches

 

SSID: Company-A-Main

In Tunnel mode, broadcasted to AP105 Campus AP

 

Both SSIDs have the same configuration, shown below, except for the mode above.

 

VLAN: 1

Dynamic Multicast Optimization (DMO) --> OFF

Drop Broadcast and Multicast -->OFF

Convert Broadcast ARP requests to unicast --> OFF

 

VLAN 1 Settings:

IGMP --> OFF

Enable BCMC Optimization --> OFF

 

Hi there,

 

I've a really strange problem with multicast packets being sent from Wi-Fi users connected to Company-A-Branch, but it is able to receive multicast packets being sent from Wi-Fi users connected to Company-A-Main.  In a Wireshark capture from a computer connected to Company-A-Branch, it sees no multicast packets from another device on Company-A-Branch on the same RAP5 locally.

 

However, if I change Company-A-Branch mode from Split-Tunnel to Tunnel, then everything works instantly.  Multicast packets sent locally can be received locally and across to devices in Company-A-Main.  

 

I would like to understand whether it is by design that split tunnel drops multicast, or whether there are some additional parameters that I'm missing?

 

David

 

 

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

It depends.  What is the firewall policy for users in the role at the RAP-5?  What kind of multicast traffic is it?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎07-07-2015

Re: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

Hi Colin,

 

The session ACL under the RAP AP System points to allowall policy which is

 

IPv4 any any any permit Low

 

David

 

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

I mean the ACL in the user role assigned to the split tunnel SSID.



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎07-07-2015

Re: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

The multicast packets are some push-to-talk packets, encrypted.

 

ACL as follows

 

split-tunnel
------------
Priority  Source  Destination  Service    Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          udp 68     deny                                    Low                                                           4
2         any     any          svc-dhcp   permit                                  Low                                                           4
3         any     any          svc-dns    permit                                  Low                                                           4
4         any     any          IPSec-ESP  permit                                  Low                                                           4
5         any     any          svc-ike    permit                                  Low                                                           4
6         any     any          any        route src-nat                           Low                                                           4

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4

 

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

Do the multicast packets correspond to the line here?

 

any     any          IPSec-ESP  permit                                  Low    

 

To find out what traffic is being sent in a split tunneled SSID, type:

 

show datapath session ap-name <name of ap> table <ip address of client>

to see what traffic is being sent by the client and how it is being handled when the PTT is active.  Please send the output of that so we can understand what is going on.  I honestly have never seen IPSEC sent to a multicast destination before...



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎07-07-2015

Re: Multicast Packets Getting Dropped from RAP Connected to SSID in Split Tunnel Mode

Hi Colin

 

Sorry for the late reply.  Here is the output while on the split-tunnel SSID:

 

 

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags 
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.78.50   31.13.76.101    6    43568 443    0       0 0   6   local       1d8  0         0          SRC 
192.168.78.50   216.58.221.106  6    37428 443    0       0 0   8   local       279  0         0          SRC 
234.5.6.6       192.168.78.50   17   2010  45472  0       0 0   0   local       b    0         0          FY 
192.168.78.50   192.168.78.254  6    48193 80     0       0 0   0   dev18       12   0         0          FHCI 
192.168.78.50   173.194.203.188 6    40062 5228   0       0 0   8   local       26a  0         0          SRC 
192.168.78.254  192.168.78.50   6    80    42827  0       0 0   0   dev18       12   0         0          FH 
192.168.78.50   210.5.174.66    6    38772 5222   0       0 0   8   local       282  0         0          SRC 
192.168.78.50   192.168.78.254  6    42827 80     0       0 0   0   dev18       12   0         0          HCI 
192.168.78.50   75.101.136.208  6    48101 443    0       0 0   3   local       e1   0         0          SRC 
192.168.78.50   234.5.6.6       17   45472 2010   0       0 0   0   local       b    0         0          FRC 
192.168.78.50   64.233.188.188  6    40961 5228   0       0 0   4   local       283  0         0          SRC 
192.168.78.50   31.13.76.66     6    38065 443    0       0 0   6   local       1d9  0         0          SRC 
192.168.78.50   31.13.76.101    6    42130 443    0       0 0   8   local       284  0         0          SRC 
192.168.78.50   218.189.210.3   17   45475 123    0       0 0   1   local       33   0         0          FSRC 
192.168.78.254  192.168.78.50   6    80    48193  0       0 0   0   dev18       13   0         0          FH 

 

 

 

While on the tunnel mode SSID:

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags 
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.78.50   234.5.6.6       17   40615 2010   0       0 0   0   dev12       11   0         0          FC 

 

I am not sure about the policy

any     any          IPSec-ESP  permit                                  Low    

as this seems to have come by default when we first installed the Aruba Controller, and we weren't sure whether it is needed.  What we wanted was split tunnel in that policy.  So I assume all we need moving forward is:

ip access-list session split-tunnel
  any any any  route src-nat 
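As an added example (not code from this thread or from Aruba), the Python below parses `show datapath session` output like the two captures above, keeps only the flows to or from a multicast group, and summarises the Destination column with the flag letters decoded, so the split-tunnel and tunnel captures can be compared line by line. The flag legend is the one ArubaOS 6.x prints under the table and is assumed here; the sample rows are constructed from the captures posted in this thread.

```python
import ipaddress

# Flag letters as printed in the legend of "show datapath session" on ArubaOS 6.x
# (assumed here; verify against the legend your own controller prints).
FLAG_LEGEND = {"F": "fast age", "S": "src NAT", "N": "dst NAT", "D": "deny",
               "R": "redirect", "Y": "no syn", "C": "client"}

# Constructed samples: the multicast-related rows (plus one unicast row) from the
# two captures posted in this thread.
SPLIT_TUNNEL = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.78.50   31.13.76.101    6    43568 443    0       0 0   6   local       1d8  0         0          SRC
234.5.6.6       192.168.78.50   17   2010  45472  0       0 0   0   local       b    0         0          FY
192.168.78.50   234.5.6.6       17   45472 2010   0       0 0   0   local       b    0         0          FRC
"""
TUNNEL = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.78.50   234.5.6.6       17   40615 2010   0       0 0   0   dev12       11   0         0          FC
"""

def parse_sessions(text):
    """Turn the table into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 14:          # data rows have exactly 14 columns
            continue
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:            # the dashed separator line is not an address
            continue
        rows.append({"src": src, "dst": dst, "proto": int(parts[2]),
                     "sport": int(parts[3]), "dport": int(parts[4]),
                     "destination": parts[9], "flags": parts[13]})
    return rows

def multicast_flows(text):
    """Only the flows whose source or destination is a multicast group (224/4)."""
    return [r for r in parse_sessions(text)
            if r["src"].is_multicast or r["dst"].is_multicast]

def describe(row):
    """One-line summary: where the datapath sent the flow and what the flags mean."""
    flags = ", ".join(FLAG_LEGEND.get(f, "?" + f) for f in row["flags"])
    return (f"{row['src']} -> {row['dst']} proto {row['proto']} dport {row['dport']}: "
            f"destination={row['destination']} [{flags}]")
```

Running `describe()` over `multicast_flows(SPLIT_TUNNEL)` and `multicast_flows(TUNNEL)` shows the same client-to-234.5.6.6 UDP 2010 flow handled at "local" with the redirect flag in split-tunnel mode, versus the tunnel device dev12 in tunnel mode.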

 
