Occasional Contributor II

RAP and Split-tunnel problem

Hello everyone,


We have this situation:


2x Controllers 7030 ArubaOS 8.2.1.0

17x Campus AP

1x RAP for branch office

Clearpass 6.7.1


VLAN ID 135 - Controller is the gateway and there is no traffic blocked in the network.


When we configure the SSID to tunnel-mode the client can resolve names, is redirected to portal and login without problems.

When we change the SSID to split-tunnel, the client can ping the DNS servers but can't resolve names, and consequently can't be redirected to the cppm guest portal and log in.


Any idea?


Guru Elite

Re: RAP and Split-tunnel problem

What is your split-tunnel ACL?


******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: RAP and Split-tunnel problem

Hi,


There is. The alias pt-guest is the cppm IP address.


(CTR-AP-LC-01) [mynode] #show rights pt-guest-guest-logon

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'pt-guest-guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 110/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = PT-GUEST

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-pt-guest-guest-logon-sacl session
3 pt-guest-guest-logon session
4 logon-control session
5 captiveportal session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
apprf-pt-guest-guest-logon-sacl
-------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
pt-guest-guest-logon
--------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any pt-guest svc-http permit Low 4
2 any pt-guest svc-https permit Low 4
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
captiveportal
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4

Expired Policies (due to time constraints) = 0

Guru Elite

Re: RAP and Split-tunnel problem

From the looks of it, DNS should work.


You can type "show datapath session ap-name <name of rap>" when you are trying to reach your DNS server to see what is happening to your sessions.

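To make the "DNS should work" reasoning checkable, here is an added example (not from the thread and not Aruba's code) that transcribes the role's ACLs from the show rights output above and walks them as ArubaOS does, position by position, first match wins, implicit deny at the end. The pt-guest and controller addresses are placeholders (the thread never prints them), the service-alias port table is a simplified assumption, and the laptop and DNS server IPs are the ones the poster gave later in the thread.

```python
import ipaddress

# ArubaOS service aliases -> (protocol, dest port); simplified assumption (svc-dhcp is really 67-68).
SERVICES = {
    "svc-dns": ("udp", 53), "svc-dhcp": ("udp", 67), "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443), "svc-icmp": ("icmp", None), "svc-natt": ("udp", 4500),
    "udp 68": ("udp", 68), "any": (None, None),
}
# The thread never shows the pt-guest (cppm) or controller IPs: documentation placeholders.
ALIASES = {"pt-guest": "192.0.2.10", "controller": "192.0.2.1"}
# (source, destination, service, action) transcribed from the role's ACLs, in position order.
ROLE_ACLS = [
    ("global-sacl", []), ("apprf-pt-guest-guest-logon-sacl", []),
    ("pt-guest-guest-logon", [("any", "pt-guest", "svc-http", "permit"),
                              ("any", "pt-guest", "svc-https", "permit")]),
    ("logon-control", [("user", "any", "udp 68", "deny"), ("any", "any", "svc-icmp", "permit"),
                       ("any", "any", "svc-dns", "permit"), ("any", "any", "svc-dhcp", "permit"),
                       ("any", "any", "svc-natt", "permit"),
                       ("any", "169.254.0.0 255.255.0.0", "any", "deny"),
                       ("any", "240.0.0.0 240.0.0.0", "any", "deny")]),
    ("captiveportal", [("user", "controller", "svc-https", "dst-nat 8081"),
                       ("user", "any", "svc-http", "dst-nat 8080"),
                       ("user", "any", "svc-https", "dst-nat 8081")]),
]

def _dst_match(rule_dst, dst_ip):
    """'any', a named alias, or 'network netmask' as printed by show rights."""
    if rule_dst == "any":
        return True
    if rule_dst in ALIASES:
        return dst_ip == ALIASES[rule_dst]
    net, mask = rule_dst.split()
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def evaluate(client_ip, src_ip, dst_ip, proto, dport):
    """First matching rule across the ACLs decides; 'user' = the role holder's own IP."""
    for acl_name, rules in ROLE_ACLS:
        for pos, (src, dst, svc, action) in enumerate(rules, 1):
            if src == "user" and src_ip != client_ip:
                continue
            r_proto, r_port = SERVICES[svc]
            if r_proto is not None and (r_proto != proto or (r_port is not None and r_port != dport)):
                continue
            if _dst_match(dst, dst_ip):
                return (acl_name, pos, action)
    return ("implicit", 0, "deny")  # ArubaOS role: nothing matched -> implicit deny (assumption)

if __name__ == "__main__":  # the poster's laptop querying the first DNS server from the thread
    print(evaluate("10.199.5.8", "10.199.5.8", "10.198.50.10", "udp", 53))
```

A DNS query lands on logon-control rule 3 (permit) before any captiveportal dst-nat rule, so the role itself is not what blocks resolution; an HTTP request to an arbitrary host hits captiveportal rule 2 and is redirected to port 8080, which is the portal redirect the poster expects.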
Occasional Contributor II

Re: RAP and Split-tunnel problem

I also filtered my laptop's IP 10.199.5.8. The DNS servers are 10.198.50.10 and 10.198.50.6. I've already tried another laptop, so we can discard this. See attached.

Guru Elite

Re: RAP and Split-tunnel problem

There are two columns, tAge and Packets, that are missing from your output.


Are you sure that access point is configured as a remote AP?
