Wireless Access

Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

Split Tunnel

I followed the guide in my bootcamp manual for setting up a split tunnel SSID, but it is still routing all traffic through the corporate LAN instead of routing internet through the local router.  Any help would be appreciated.  I have the following policy rules.  I only have this one policy for the role that is assigned to the user.


IPv4 user ru-lan any permit Low
IPv4 ru-lan any any permit Low
IPv4 user any any route src-nat Low
IPv4 any any svc-dhcp permit


Eric


Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: Split Tunnel


- The DHCP rule should be at the top

- make sure your AP is configured as a RAP

- make sure your virtual AP forwarding mode is split tunnel

- make sure your user actually is in that role

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

Re: Split Tunnel

Thanks for the quick response.  The DHCP rule is actually first....for some reason it pasted differently.  My AP is configured as a RAP.  The mode is split-tunnel.  The user is assigned the role that has this policy.  Is there something else I'm missing?  Am I supposed to get an IP from the corporate LAN or my local network?

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: Split Tunnel

You are supposed to get it from Corporate LAN.

Make your last rule "any any any route src-nat low"

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

Re: Split Tunnel

It seems like I did everything I was supposed to.

(arubahost1) #show rights remote-test-splittunnel

Derived Role = 'remote-test-splittunnel'

----------------
Position Name Type Location
-------- ---- ---- --------
1 split-tunnel session

split-tunnel
------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-dhcp permit Low 4
2 user ru-lan any permit Low 4
3 ru-lan any any permit Low 4
4 user any any route src-nat Low 4
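As an added illustration (not from the thread and not Aruba's code), a small first-match model of the session ACL above: it assumes ru-lan is a netdestination alias for 10.0.0.0/8 and shows which action a DHCP, a corporate and an internet flow hit with the rules in this order, and how the corporate flow changes when the src-nat rule is placed above the corporate-LAN rule.

```python
import ipaddress

# Constructed model of an ArubaOS-style session ACL: rules are evaluated top
# down and the first match wins. "user" is the client's own address; "ru-lan"
# is assumed to be a netdestination alias for the corporate LAN (the thread
# never defines it), modelled here as 10.0.0.0/8.
CLIENT = ipaddress.ip_address("129.85.53.238")   # client IP from the thread's show user output
RU_LAN = [ipaddress.ip_network("10.0.0.0/8")]     # assumed contents of the ru-lan alias

def match_alias(alias, addr):
    if alias == "any":
        return True
    if alias == "user":
        return addr == CLIENT
    if alias == "ru-lan":
        return any(addr in net for net in RU_LAN)
    raise ValueError(f"unknown alias {alias}")

def evaluate(policy, pkt):
    """Return the action of the first matching rule, or 'deny' for the implicit deny."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for src_alias, dst_alias, service, action in policy:
        if (match_alias(src_alias, src) and match_alias(dst_alias, dst)
                and service in ("any", pkt["service"])):
            return action
    return "deny"

# Rules in the order the thread's "show rights" output lists them (DHCP first).
THREAD_POLICY = [
    ("any", "any", "svc-dhcp", "permit"),
    ("user", "ru-lan", "any", "permit"),
    ("ru-lan", "any", "any", "permit"),
    ("user", "any", "any", "route src-nat"),
]
# Same rules with the src-nat rule placed above the corporate-LAN rule.
MISORDERED_POLICY = [THREAD_POLICY[0], THREAD_POLICY[3], THREAD_POLICY[1], THREAD_POLICY[2]]

# Constructed sample flows: DHCP discover, a corporate host, and an internet host.
DHCP = {"src": "0.0.0.0", "dst": "255.255.255.255", "service": "svc-dhcp"}
CORP = {"src": str(CLIENT), "dst": "10.1.1.204", "service": "svc-https"}
INTERNET = {"src": str(CLIENT), "dst": "203.0.113.10", "service": "svc-https"}

if __name__ == "__main__":
    for name, pkt in (("dhcp", DHCP), ("corporate", CORP), ("internet", INTERNET)):
        print(f"{name:10s} ordered={evaluate(THREAD_POLICY, pkt):14s} misordered={evaluate(MISORDERED_POLICY, pkt)}")
```

With the thread's order, corporate traffic is permitted (tunnelled) and internet traffic hits route src-nat; with the src-nat rule moved up, corporate traffic is also routed locally, which is why rule position matters.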

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: Split Tunnel

The only thing now is to confirm that your user is ending up in that role.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

Re: Split Tunnel

I get an IP from my corporate LAN.  But when I traceroute to anything on the internet it goes through the corporate LAN still.

Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

Re: Split Tunnel

Here is the proof that the user is getting that role.

(arubahost1) #show user ap-name eric-home

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
129.85.53.238 00:24:d6:12:a0:2e eric remote-test-splittunnel 00:00:35 802.1x eric-home Associated(Remote) remote-test-splittunnel/6c:f3:7f:63:69:92/a-HT remote-test-splittunnel-aaa_prof split tunnel Win 7

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: Split Tunnel

You need to type "show datapath user ap-name <name of ap> table" to see what ACLs your traffic is hitting.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 14
Registered: ‎10-30-2014

Re: Split Tunnel

(arubahost1) #show datapath user ap-name eric-home table

Datapath User Table Entries
---------------------------

Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor
FM(Forward Mode): S - Split, B - Bridge, N - N/A

IP MAC ACLs Contract Location Age Sessions Flags Vlan FM IdleTMO
--------------- ----------------- ------- --------- -------- --- --------- ----- ---- -- -------
192.168.11.1 6C:F3:7F:CE:36:98 2700/0 0/0 0 482 0/65535 P 4095 N 300
10.1.1.204 6C:F3:7F:CE:36:98 2700/0 0/0 0 0 1/65535 P 1 N 300
10.1.1.209 20:02:AF:3A:60:D5 59/0 0/0 0 0 6/65535 1 B 300
129.85.53.238 00:24:D6:12:A0:2E 71/0 0/0 0 0 22/65535 53 S 300
10.9.4.6 00:1A:1E:01:50:80 2703/0 0/0 0 482 0/65535 P 0 N 300
0.0.0.0 00:24:D6:12:A0:2E 71/0 0/0 0 0 0/65535 P 53 S 300
0.0.0.0 20:02:AF:3A:60:D5 59/0 0/0 0 0 6/65535 1 B 300
