11-20-2015 01:45 AM
I am hoping someone can help with an issue we are seeing using split tunnel with a RAP108. Please refer to the attached diagram to see the setup.
The wireless client connects fine after authenticating via 802.1x and receives an IP address from the corporate network and it can access all corporate resources as expected. The client runs an application that needs to query a local GPS device to note its exact position. The GPS has a fixed IP of 192.168.1.200 and is connected to the Eth1 port of the RAP. The port is configured as an access port and is set as bridge. The split tunnel role has two rules in its associated policy:
1. route src nat any traffic destined for 192.168.1.200
2. permit all other traffic
The problem is that the device cannot communicate correctly with the GPS. We have swapped the GPS for a laptop and run a Wireshark capture and sent a ping from the corporate device. The Wireshark capture shows that the 'GPS' laptop receives the ping request and responds but the corporate device does not receive the reply. The request comes from the Eth0 interface IP address of the RAP so the src NAT is working correctly. The GPS laptop can ping the 4G router and the RAP successfully so I am not sure where the issue lies. Any help is much appreciated.
11-20-2015 04:37 AM
Have you tried plugging the GPS device into the same switch that the AP and 4G router are on, on the 192.168.1.x subnet to see if it works? Your device that is querying the GPS devices does not get an address on the 192.168.1.x subnet, does it?
Use the "show datapath session ap-name <name of ap> table <ip address of device>" command to see the flows of that device on that RAP.
Aruba Customer Engineering
11-26-2015 06:58 AM
Thank you for the reply. We have now resolved this - it was the wired port configuration:
1. If the RAP Eth1 port is configured as trusted, the ping reply will never reach back to the split tunnel device. The packet is bridged and has no chance to be translated back to the wireless client.
2. When putting the RAP Eth1 port as not trusted, the wired user will show in the user table with the logon role.
3. It is necessary to create an AAA profile and a new role for the wired device.
4. The wired role needs to allow incoming traffic.
The new role firewall policy was defined as follows:
Position  Source  Destination                        Service  Action
--------  ------  ---------------------------------  -------  ------
1         any     any
2         user    any
3         any     network 192.168.1.0 255.255.255.0  any      permit
The source in the 3rd rule has to be 'any' and not 'user'.
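The fix described in this answer, written out as an ArubaOS 6.x configuration fragment; this is an added illustration, not the poster's own configuration. The profile and role names (gps-wired-acl, gps-wired-role, gps-wired-aaa, rap-eth1-bridge, rap-eth1, rap-group), the access VLAN, and the service/action fields of rules 1 and 2 (not shown in the post) are assumptions.

```text
! Session ACL for the wired GPS port. Rule order follows the post.
! Rule 3 must use source "any", not "user": the bridged ping reply is
! addressed to the src-NATed RAP Eth0 IP, which is not a "user" entry
! on this port, so a "user" source would drop it.
! Service/action on rules 1-2 are assumed as "any permit".
! Rule 1 as posted permits everything on the port; narrowing the
! service to what the GPS application actually uses reduces exposure.
ip access-list session gps-wired-acl
  any any any permit
  user any any permit
  any network 192.168.1.0 255.255.255.0 any permit
!
! Role for the wired device (step 3 in the answer)
user-role gps-wired-role
  access-list session gps-wired-acl
!
! AAA profile so the wired device gets the new role
! instead of the default logon role (step 2)
aaa profile gps-wired-aaa
  initial-role gps-wired-role
!
! Eth1 as a bridged access port that is NOT trusted (step 1);
! VLAN 1 is an assumed value
ap wired-ap-profile rap-eth1-bridge
  wired-ap-enable
  forward-mode bridge
  switchport mode access
  switchport access vlan 1
  no trusted
!
ap wired-port-profile rap-eth1
  wired-ap-profile rap-eth1-bridge
  aaa-profile gps-wired-aaa
!
! Bind the port profile to the RAP's AP group (assumed group name)
ap-group rap-group
  enet1-port-profile rap-eth1
```

After applying this, the wired device should appear in `show user-table` with gps-wired-role rather than logon, and `show datapath session ap-name <ap> table 192.168.1.200` (the command suggested earlier in the thread) should show both directions of the flow.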