03-29-2012 07:29 AM
We have our RAP environment set up in a split tunnel. Employees can connect to the Corp SSID which is in split tunnel mode. Users can ping their GW (192.168.1.1) and the RAP IP (192.168.1.4 in this example). Any pings to home network attached devices (printers, PCs, etc.) result in one successful ping, followed by timeouts. Any subsequent pings all time out until the RAP is power cycled, in which case the same pattern is repeated: one successful ping and then all timeouts. I also tried rebooting the PC after attempting and it was all timeouts. The only way to reset it so the first ping goes through is by rebooting the RAP. I did a packet capture behind the RAP and see the first ICMP Ping Request and Reply and then no additional traffic. Is it possible the RAP is updating its ARP table through the tunnel? I do not think there is a way to view the ARP table on the RAPs. We are running 6.1.3. I also tried applying "broadcast-filter arp" and "broadcast-filter all" on the VAP, but no difference was noticed.
03-29-2012 09:16 AM - edited 03-29-2012 09:18 AM
Where are these home devices connected? Are they connected to the home Linksys router from which the RAP gets its IP, or to a bridge port on the RAP? Depending on this, you have to make sure that the aliases and the user roles are defined properly. See the last 3 or 4 posts in this thread http://community.arubanetworks.com/t5/Access-Points-and-Mesh-Routers/RAP-VLAN-Considerations/td-p/29918/page/2 for details on defining proper user roles and firewall policies.
03-29-2012 09:22 AM
The printers are connected to the user's home ISP-provided router. The RAP also uses this as an uplink. Split-Tunnel to all other external resources (e.g. google.com) works fine; it is only the home network based PCs/printers on the 192.168.1.x subnet. If I move the RAP to another controller with the exact same config, but no other clients, this split tunnel works fine to their printer. Also, if the user statically sets their printer to a random IP (such as 192.168.1.178) it works, but if it's in the normal low end of the DHCP scope (such as 192.168.1.4) it does not, which leads me to believe this is ARP related.
03-30-2012 08:53 AM
So your split-tunnel ACL looks something like this?
any any svc-dhcp permit
user alias CorporateNetwork any permit
user any any route src-nat
If you do a tracert to the internet from your client, does it go through the tunnel, or out the local interface?
04-02-2012 05:42 AM - edited 04-02-2012 05:46 AM
Yes that is how our ACL is structured.
A tracert to the Internet goes out the local ISP connection. The Split-Tunnel works fine in that sense, it is only when trying to connect to a device on the home LAN.
04-02-2012 11:38 AM
1. Make sure none of your aliases include the address you are having issues with. I once had issues when I added a set of IPs to a blocked alias list by mistake. This is a common human error.
2. Do you have any other SSIDs or ports on these RAPs operating in bridge mode? If so, check the DHCP scope used for these bridge mode devices in the AP system profile. If there is an overlap in scope between the home router and the bridge mode subnet, you might be running into such issues.
04-02-2012 11:42 AM
Our Enterprise_Network alias does not contain any 192.168.x.x addressing.
No, nothing in bridged mode. We have 2 SSIDs and wired port profiles all setup for split-tunnel.
I have also tried putting the following at the top of the ACL (below DHCP and DNS), but no difference:
user network 192.168.1.0 255.255.255.0 any route src-nat
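As an added example (not code from the thread or from Aruba), the following first-match evaluator walks the three-rule split-tunnel ACL posted earlier in the thread and the variant with the home-subnet "route src-nat" rule, and also performs the "does any alias swallow this address?" check suggested above. It assumes a constructed alias table (the thread only says the corporate alias holds no 192.168.x.x space), treats "permit" as tunnelled to the controller and "route src-nat" as bridged locally with source NAT, and ignores the source column of each rule, since every rule here is "user" or "any":

```python
"""Evaluate an Aruba-style split-tunnel session ACL against sample packets.

Added example, not from the thread or from Aruba. The alias contents and the
service table below are constructed for illustration.
"""
import ipaddress

# Constructed alias table: the thread only says the corporate alias contains
# no 192.168.x.x addresses; the ranges here are assumptions.
ALIASES = {
    "CorporateNetwork": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
    ],
}

# Services understood by this toy evaluator: (protocol, destination ports).
SERVICES = {
    "svc-dhcp": ("udp", {67, 68}),
    "svc-dns": ("udp", {53}),
}

# The ACL as posted in the thread.
ACL_ORIGINAL = [
    "any any svc-dhcp permit",
    "user alias CorporateNetwork any permit",
    "user any any route src-nat",
]

# The later variant: the home subnet routed locally near the top of the ACL.
ACL_WITH_HOME_RULE = [
    "any any svc-dhcp permit",
    "user network 192.168.1.0 255.255.255.0 any route src-nat",
    "user alias CorporateNetwork any permit",
    "user any any route src-nat",
]


def parse_rule(line):
    """Parse '<src> <dst> <service> <action...>' into a dict.

    <dst> is 'any', 'alias <name>' or 'network <addr> <mask>'.
    """
    tok = line.split()
    src, i = tok[0], 1
    if tok[i] == "alias":
        dst, i = ("alias", tok[i + 1]), i + 2
    elif tok[i] == "network":
        # ipaddress accepts the dotted-mask form directly.
        net = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}")
        dst, i = ("network", net), i + 3
    else:
        dst, i = ("any", None), i + 1
    service = tok[i]
    action = " ".join(tok[i + 1:])          # e.g. "permit" or "route src-nat"
    return {"src": src, "dst": dst, "service": service, "action": action}


def dst_matches(dst, ip):
    kind, val = dst
    if kind == "any":
        return True
    if kind == "alias":
        return any(ip in net for net in ALIASES[val])
    return ip in val


def service_matches(service, proto, dport):
    if service == "any":
        return True
    sproto, ports = SERVICES[service]
    return proto == sproto and dport in ports


def evaluate(acl, dst_ip, proto="icmp", dport=None):
    """Return the action of the first matching rule, or the implicit 'deny'."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in map(parse_rule, acl):
        if dst_matches(rule["dst"], ip) and service_matches(rule["service"], proto, dport):
            return rule["action"]
    return "deny"


def aliases_containing(dst_ip):
    """Names of every alias whose ranges include dst_ip (the alias sanity check)."""
    ip = ipaddress.ip_address(dst_ip)
    return [name for name, nets in ALIASES.items() if any(ip in n for n in nets)]


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.1.4", "192.168.1.178", "8.8.8.8"):
        print(f"{ip:15} original={evaluate(ACL_ORIGINAL, ip):14} "
              f"with home rule={evaluate(ACL_WITH_HOME_RULE, ip)}")
    print("aliases containing 192.168.1.4:", aliases_containing("192.168.1.4"))
```

Running it shows why the extra rule changed nothing: an ICMP packet to 192.168.1.4 already falls through to "user any any route src-nat" in the original ACL, so both ACLs hand home-LAN traffic to the local side with source NAT, exactly as they do for 8.8.8.8. If the alias check ever returns a name for a home address, that alias is the first thing to fix.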
04-02-2012 12:01 PM
Everything you have been doing seems to be right. If this is a very critical issue that has to be resolved immediately then it is better to contact Aruba TAC to figure this out. Let us know what happens.