Wireless Access

Reply
Occasional Contributor II

RAP and Split-tunnel problem

Hello everyone,

 

We have this situation:

 

2x Controllers 7030 ArubaOS 8.2.1.0

17x Campus AP

1x RAP for branch office

Clearpass 6.7.1

 

VLAN ID 135 - Controller is the gateway and there is no traffic blocked in the network.

 

When we configure the SSID to tunnel-mode the client can resolve names, is redirected to portal and login without problems.

When we change the SSID to split-tunnel, the client can ping DNS servers but can't resolve names, and consequently can't redirected to cppm guest portal and login.

 

Any ideia?

 

 

 


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Guru Elite

Re: RAP and Split-tunnel problem

What is your split-tunnel ACL?

 

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: RAP and Split-tunnel problem

Hi,

 

There is. The alias pt-guest is the cppm IP Address

 

(CTR-AP-LC-01) [mynode] #show rights pt-guest-guest-logon

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'pt-guest-guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 110/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = PT-GUEST

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-pt-guest-guest-logon-sacl session
3 pt-guest-guest-logon session
4 logon-control session
5 captiveportal session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
apprf-pt-guest-guest-logon-sacl
-------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
pt-guest-guest-logon
--------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any pt-guest svc-http permit Low 4
2 any pt-guest svc-https permit Low 4
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
captiveportal
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4

Expired Policies (due to time constraints) = 0


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Guru Elite

Re: RAP and Split-tunnel problem

From the looks of it, DNS should work.

 

You can type "show datapath session ap-name <name of rap>" when you are trying to reach your DNS server to see what is happening to your sessions.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: RAP and Split-tunnel problem

.


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Occasional Contributor II

Re: RAP and Split-tunnel problem

.


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Occasional Contributor II

Re: RAP and Split-tunnel problem

.


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Occasional Contributor II

Re: RAP and Split-tunnel problem

.


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Occasional Contributor II

Re: RAP and Split-tunnel problem

I also filtered my laptop's IP 10.199.5.8. The DNS Servers are 10.198.50.10 and 10.198.50.6. I've already tried to use another laptop, so, we can discard this. Follow attached.


At.te,
Andre Fernandes
ACMP | ACCP | ACSA
Guru Elite

Re: RAP and Split-tunnel problem

There are two columns, tAge and Packets that are missing from your output.

 

Are you sure that access point is configured as a remote AP?  

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: