Occasional Contributor I
Posts: 5
Registered: ‎07-29-2013

RAP-2 split tunnel and local resources

I am trying to configure split tunnel over a RAP-2, and I'm 98% of the way there but I still have one thing I can't get to work.

On the controller I have configured a Policy with the rules:
     any      any                                       svc-dhcp    permit
     user     alias(Destinations_internal_networks)     any         permit
     any      any                                       any         route src-nat

I am able to tunnel in from the remote site to the main office on the internal networks, and all other network traffic is being routed out to the Internet via the local network. However, I am unable to access local resources such as my wireless printer or network shares. I can ping anything on the local network (192.168.2.0/24), but the connections won't come up.

Any suggestions?

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: RAP-2 split tunnel and local resources

How are you trying to connect to those printers, via IP or name?

Can you do a show datapath session table <ipaddress>?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 5
Registered: ‎07-29-2013

Re: RAP-2 split tunnel and local resources

I'm trying to connect by name, though IP may be an option if it's the only way.

The show datapath command on the controller comes up empty.

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: RAP-2 split tunnel and local resources

Are you already able to access those printers by name through the wire with that same laptop?

You may have to change the LMHOSTS file if you are using a Windows laptop.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 5
Registered: ‎07-29-2013

Re: RAP-2 split tunnel and local resources

Normally I connect wirelessly with my laptop over my local SSID and it works fine. When I change to the RAP SSID, I get all the network functionality as stated earlier, but my printer icon greys out and goes offline (although I can still ping it).

I'll look into the LMHOSTS file. Can you give a little guidance on what to put in there?

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: RAP-2 split tunnel and local resources

Try the following under the user-role and see if this helps:

Create an alias:

    (controller) (config) #netdestination LOCAL-SEGMENT
    (controller) (config-dest) #network 192.168.0.0 255.255.0.0

Create an ACL allowing this traffic:

    (controller) (config) #ip access-list session ALLOW-LOCAL-SEGMENT
    (controller) (config-sess-ALLOW-LOCAL-SEGMENT)#any alias LOCAL-SEGMENT any permit

And turn on the option shown in the attached screenshot under the System profile of the RAP AP-Group.

If this doesn't work you may have to do it by IP or open a TAC case to see if there's anything else you might need to do.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 5
Registered: ‎07-29-2013

Re: RAP-2 split tunnel and local resources

I'll give that a try tonight and let you know how it works.  Thanks for all your help!

Occasional Contributor I
Posts: 5
Registered: ‎07-29-2013

Re: RAP-2 split tunnel and local resources

Just one more question -- in that final command (any alias LOCAL-SEGMENT any permit), can you confirm "permit"?  Wouldn't that send the packet through the tunnel to the office internal network, when I want it to remain local?

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: RAP-2 split tunnel and local resources


Gawain wrote:

Just one more question -- in that final command (any alias LOCAL-SEGMENT any permit), can you confirm "permit"?  Wouldn't that send the packet through the tunnel to the office internal network, when I want it to remain local?


The "permit" action should send the traffic into the tunnel. The Remote-AP local network access command should accomplish the following, FYI:

The remote-AP local network access feature allows local network access between clients connected to a RAP without routing the traffic back to the controller. When two clients that are connected to a split-tunnel SSID or wired port are on the same VLAN, the traffic between them always is switched locally. However, if these two clients are on different VLANs, the traffic is routed via the controller. When remote-AP local network access is enabled, the RAP switches the traffic locally instead of routing the traffic back and forth through the controller. Similarly, for bridge mode clients on different VLANs, the remote-AP local network access feature switches the traffic locally instead of forwarding it to the upstream router when the “user any any route src-nat” firewall rule is triggered.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
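To make the rule-order question above concrete (Gawain's worry that "permit" would tunnel his printer traffic, and Seth's confirmation that it does), here is an added example that is not from this thread, from Aruba, or from any of the posters. It models how a split-tunnel user role like Gawain's is evaluated: the first matching rule wins, the role ends in an implicit deny, and the matched action decides whether a flow is tunnelled to the controller ("permit"), broken out locally through the RAP's uplink ("route src-nat"), or dropped. The contents of Destinations_internal_networks and the port set behind svc-dhcp are assumptions, as is placing Victor's ALLOW-LOCAL-SEGMENT policy ahead of the original rules; the evaluator ignores the source column, since every rule in the thread matches client-originated traffic.

```python
"""First-match evaluation of an ArubaOS-style split-tunnel user role.

Added example: it reports which rule a flow hits and therefore whether the
flow is tunnelled ("permit"), broken out locally ("route src-nat") or
dropped by the implicit deny at the end of the role.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed alias contents. The thread never says what
# Destinations_internal_networks holds, so 10.0.0.0/8 is an assumption.
# LOCAL-SEGMENT mirrors Victor's netdestination (192.168.0.0 255.255.0.0).
ALIASES = {
    "Destinations_internal_networks": ["10.0.0.0/8"],
    "LOCAL-SEGMENT": ["192.168.0.0/16"],
}

# Assumed service definition: ArubaOS ships svc-dhcp as UDP 68; port 67 is
# included as well so both directions of a DHCP exchange match here.
SERVICES = {"svc-dhcp": ("udp", {67, 68})}


@dataclass(frozen=True)
class Rule:
    src: str      # "any" or "user"; both match client-originated traffic here
    dst: str      # "any", "alias:<netdestination name>" or a CIDR
    service: str  # "any" or a name in SERVICES
    action: str   # "permit", "deny", "route src-nat", ...


def _dst_matches(dst: str, ip: ipaddress.IPv4Address) -> bool:
    if dst == "any":
        return True
    nets = ALIASES[dst[6:]] if dst.startswith("alias:") else [dst]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def _service_matches(service: str, proto: str, dport: int) -> bool:
    if service == "any":
        return True
    svc_proto, ports = SERVICES[service]
    return proto == svc_proto and dport in ports


def first_match(rules: List[Rule], dst_ip: str, proto: str, dport: int) -> Optional[int]:
    """Index of the first rule the flow hits, or None for the implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for idx, rule in enumerate(rules):
        if _dst_matches(rule.dst, ip) and _service_matches(rule.service, proto, dport):
            return idx
    return None


def forwarding_action(rules: List[Rule], dst_ip: str, proto: str, dport: int) -> str:
    """Action applied to the flow; an ArubaOS role ends in an implicit deny."""
    idx = first_match(rules, dst_ip, proto, dport)
    return rules[idx].action if idx is not None else "deny"


# Gawain's policy, in the order he posted it.
OP_ROLE = [
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("user", "alias:Destinations_internal_networks", "any", "permit"),
    Rule("any", "any", "any", "route src-nat"),
]

# Victor's ALLOW-LOCAL-SEGMENT policy placed ahead of the original rules
# (assumed ordering; a rule placed after "any any any" is never reached).
WITH_LOCAL_SEGMENT = [Rule("any", "alias:LOCAL-SEGMENT", "any", "permit")] + OP_ROLE

if __name__ == "__main__":
    # Constructed sample flows: the local printer's SMB share, an office
    # file server behind the tunnel, and a DHCP discover broadcast.
    flows = [
        ("printer SMB share", "192.168.2.10", "tcp", 445),
        ("office file server", "10.20.30.40", "tcp", 445),
        ("DHCP discover", "255.255.255.255", "udp", 67),
    ]
    for name, role in (("original role", OP_ROLE),
                       ("with LOCAL-SEGMENT permit first", WITH_LOCAL_SEGMENT)):
        print(name)
        for label, ip, proto, port in flows:
            idx = first_match(role, ip, proto, port)
            print(f"  {label:20} -> rule {idx}: {forwarding_action(role, ip, proto, port)}")
```

Run stand-alone, the script shows the printer flow hitting the "any any any route src-nat" rule under the original role (local breakout, which is why ping still works) and hitting the LOCAL-SEGMENT "permit" rule once that policy is placed first, so the same flow would then be sent into the tunnel, which is the behaviour Gawain asked about and Seth confirmed.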