Contributor II
Posts: 55
Registered: ‎08-14-2013

RAP155 AP 225 pass traffic differently

Hello All -

 

I've been trying to debug an issue we have at one of our offices. Here are the details:

1. This is a remote office, connected to the main office (and the Aruba 3400 controller) via a VPN tunnel with no rules on it (full access allowed both directions)
2. At the remote office we have AP225s and RAP155s
3. All APs are in the same AP group
4. Controller is running version 6.3.1.19
5. When connected to the AP, I have trouble connecting to an internal website - it usually never connects or if it does, it's really slow.
6. When connecting to the RAP I can get to the same internal website within seconds
7. User is fully authenticated using a certificate and username/password to the system via Clearpass - both APs use the same settings for this

 

Everything should be the same - the only difference I can see on the 2 is that the APs use the internal IP of the controller, and the RAP uses the external. I'm at a loss here as to what could be causing this issue. All of these APs are on the whitelist, we do have firewall policies on the user roles - but both APs are using the same rules.

 

Please let me know if you need more information.

 

Thank you

 

Gerri

Aruba Employee
Posts: 159
Registered: ‎02-14-2013

Re: RAP155 AP 225 pass traffic differently

Hi,


If I have understood correctly, your remote office and main office are connected by a VPN tunnel. The AP 225 communicates with the controller using its internal IP through the VPN tunnel. And RAP 155 reaches the controller using its external (public) IP and the traffic goes outside the VPN tunnel. Correct me if I'm wrong.


1. Do you see the slowness only for the internal website or for any website?
2. Try reducing the sap mtu on the AP system profile to 1200. 

 

(Controller) (config) #ap system-profile Test123
(Controller) (AP system profile "Test123") #mtu ?
<mtu> MTU on the wired link for the AP (1024-1578 bytes)  

 

Thanks,
Rajaguru Vincent

CWNA | CWSP | CWAP | CWDP | ACMP
Contributor II
Posts: 55
Registered: ‎08-14-2013

Re: RAP155 AP 225 pass traffic differently

Thank you for the response - for the slowness - only seems to be from internal sites - but I've been focused on them, I'll try the change and see what happens - I'll let you know shortly.

 

Thanks!

Contributor II
Posts: 55
Registered: ‎08-14-2013

Re: RAP155 AP 225 pass traffic differently

Ok - I've made the change - sadly I messed up my remote system so I can't test - I've got somebody planning on testing first thing in the am - I'll let you know.

 

Thanks!

 

Gerri

Contributor II
Posts: 55
Registered: ‎08-14-2013

Re: RAP155 AP 225 pass traffic differently

Had somebody test at the site - 2 internal websites are still not loading at all off the AP - they work off the RAP

Any other thoughts?

 

Gerri

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: RAP155 AP 225 pass traffic differently

No direct solution, but I would start traffic captures, seeing how the traffic is reaching (or not) the internal network via the AP, and go from there. I suspect some NATing or routing issue, but it is difficult to know for sure without data.

Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: RAP155 AP 225 pass traffic differently

What is the forwarding mode of the SSID? Is it tunnelled or split-tunnelled?

Have you tried to provision the 225 as a RAP?

What is the role that the users are in and the access list? Post the output of 'show rights <role-name>'

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Contributor II
Posts: 55
Registered: ‎08-14-2013

Re: RAP155 AP 225 pass traffic differently

Split tunneled - 

 

Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-dhcp permit Low Yes 4
2 any any svc-dns permit Low 4
3 any external.ip.address any permit Low 4
4 any external.ip.address any permit Low 4
5 any external.ip.address any permit Low 4
6 any external.ip.address svc-https permit Low 4
7 any external.ip.address svc-http permit Low 4
8 any external.ip.address svc-https permit Low 4
9 any external.ip.address svc-http permit Low 4
10 any external.ip.address any permit Low 4
11 any external.ip.address any permit Low 4
12 any external.ip.address svc-https permit Low 4
13 any external.ip.address svc-https permit Low 4
14 any external.ip.address svc-http permit Low 4
15 any wiki.internal.ip.address svc-http permit Low 4
16 any wiki.internal.ip.address svc-https permit Low 4
17 any Internal-Networks any permit Low 4
18 any Apple TVs tcp 7000 permit Low 4
19 any Apple TVs tcp 47000 permit Low 4
20 any Apple TVs tcp 7100 permit Low 4
21 any Apple TVs tcp 49228 permit Low 4
22 any Apple TVs tcp 50259 permit Low 4
23 any Apple TVs udp 62572 permit Low 4
24 any Apple TVs udp 54780 permit Low 4
25 any any any route src-nat Low Yes 4

 

All of the external IP addresses are specific for some of our tools etc to allow them full access as if they are in the main office. I added the wiki ip internal address to try to address the issue with the access from the remote office.

 

Not sure what you mean by adding the aps as a rap - the aps are currently in the white list and set up just like the rap (same provisioning).

 

thanks!
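
Added example (not part of the original thread, and not Aruba code): a first-match walk over rows 2, 15-17 and 25 of the role posted above, to check which rule a given flow hits and therefore whether it is permitted or falls through to the final "route src-nat" rule. The alias contents and test addresses are constructed assumptions, since the thread redacts the real ones; fill them from the controller's own alias definitions.

```python
import ipaddress

# Constructed alias contents (assumption: the thread redacts the real values).
ALIASES = {
    "any": ["0.0.0.0/0"],
    "wiki.internal.ip.address": ["10.1.20.15/32"],
    "Internal-Networks": ["10.1.0.0/16"],
}

# Service name -> (protocol, port); None matches any protocol and port.
SERVICES = {
    "any": None,
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}

# (priority, destination alias, service, action), copied from rows 2, 15-17
# and 25 of the posted 'show rights' output; the source column is "any" in all.
RULES = [
    (2, "any", "svc-dns", "permit"),
    (15, "wiki.internal.ip.address", "svc-http", "permit"),
    (16, "wiki.internal.ip.address", "svc-https", "permit"),
    (17, "Internal-Networks", "any", "permit"),
    (25, "any", "any", "route src-nat"),
]


def first_match(dst_ip, proto, port):
    """Return (priority, action) of the first rule matching the flow, else None."""
    addr = ipaddress.ip_address(dst_ip)
    for prio, dest, svc, action in RULES:
        in_dest = any(addr in ipaddress.ip_network(net) for net in ALIASES[dest])
        wanted = SERVICES[svc]
        if in_dest and (wanted is None or wanted == (proto, port)):
            return prio, action
    return None  # no rule matched


if __name__ == "__main__":
    # Constructed flows: the wiki host, and an internal host whose subnet
    # is missing from the Internal-Networks alias.
    for flow in [("10.1.20.15", "tcp", 443), ("10.2.5.9", "tcp", 443)]:
        print(flow, "->", first_match(*flow))
```

An internal destination that is absent from every alias ahead of rule 25 ends up on the src-nat rule, which is worth ruling out when one path to an internal site works and another does not.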

Contributor II
Posts: 55
Registered: ‎08-14-2013

Re: RAP155 AP 225 pass traffic differently

Difficult to get the traffic captures - I have one test system there and it always is connected to the RAP155 - not helpful - it's a busy office so rebooting that device can be disruptive to get the system to switch (I have nobody in the office that can help - I am far away so it's all remote)

 

Since they have the issue and have to actually work - they plug into the network and it works fine - just not over wireless - we have been working on the VPN tunnel (the first one we have set up) thinking that it may be rules on the tunnel that are causing the issue too - we have removed all rules, set access on both ends and are still having issues. 

 

I'll set up some logging on specific systems and see if I can capture anything

 

thanks!

Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: RAP155 AP 225 pass traffic differently

When you do a 'show ap database', is there an R flag for the AP225s?

