Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA - Client Unreachable

  • 1.  VIA - Client Unreachable

    Posted Oct 19, 2016 05:24 PM

    I am doing a new Campus install for VIA/VPN and running into issues.

    I have a Controller in a DMZ with Public and Private addresses

    VLAN 10 - Public IP

    VLAN 20 - Private IP

    Default Route - Private Network

    VIA Client can pull Connection Profile across the internet and successfully connect to the VIA controller. The role assigned allows full access.

    The client cannot ping anything but the two VLAN interface addresses.

    The controller cannot ping the client at all.

    I have an identical Lab setup and this configuration works without issue. Using the same client, across the internet (using the lab connection profiles of course) I can ping the client from controller CLI without sourcing the Interface. The LAB has default GW pointing to private network as well.

    I have tested various VPN Pools on the controller. I tried one that uses the same address space as the Private network and have tried another one with a new network that doesn't exist in the infrastructure. No matter what network I configure, I can always ping from the controller to the client in my Lab. In the problem network, I can never ping the client.

    I am lost :-(



  • 2.  RE: VIA - Client Unreachable

    Posted Oct 19, 2016 05:31 PM
    Is the VIA pool routable?


  • 3.  RE: VIA - Client Unreachable

    Posted Oct 19, 2016 05:49 PM
    Yes and no. I have tried an IP address range in the same range as a private Network and I have also tried a whole new network range with routes in the infrastructure back to the controller. Either way I can do this in the lab and be able to ping either type of network from the controller's interface.


  • 4.  RE: VIA - Client Unreachable

    Posted Oct 19, 2016 06:42 PM

    Is there another type of route I should be configuring for the VPN Pool specifically on the controller?

    If the Client is terminating VPN tunnel directly on the controller and being handed an IP from the pool, I would think the controller should see this as a locally attached/connected device and be able to ping it with no need to route.



  • 5.  RE: VIA - Client Unreachable

    EMPLOYEE
    Posted Oct 19, 2016 10:22 PM

    If the VPN pool addresses are not routable on your local network, you need to either have an any any any source-nat rule for your users or you need a static route on your local network pointing to your controller for that private network.

    As to why your controller cannot ping those clients, you should open a TAC case to see what you are doing wrong.


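The reply above describes two fixes for the same return-path problem: an inside host answering a VIA client needs either a route for the VPN pool back to the controller, or the client's traffic source-NATed behind the controller's private address. The following is an added example, not code from the thread or from HPE Aruba; it models the inside router's routing decision with constructed addresses (controller VLAN 20 address 10.20.0.5, pool 172.16.100.0/24, internet edge 203.0.113.1) and shows which combinations leave the client unreachable.

```python
import ipaddress

# Constructed values: the controller's private (VLAN 20) address and a VPN pool
# that exists nowhere else in the infrastructure.
CONTROLLER_INSIDE = "10.20.0.5"
VPN_POOL = ipaddress.ip_network("172.16.100.0/24")

# Inside router's table with no knowledge of the pool: pool traffic follows the
# default route toward the internet edge and never comes back to the controller.
ROUTES_MISSING_POOL_ROUTE = {"10.20.0.0/24": "connected", "0.0.0.0/0": "203.0.113.1"}

# Same table plus the static route the reply suggests, pointing at the controller.
ROUTES_STATIC_TO_CONTROLLER = {**ROUTES_MISSING_POOL_ROUTE, "172.16.100.0/24": CONTROLLER_INSIDE}


def lookup(routes, dst):
    """Longest-prefix match over {prefix: next_hop}. A next hop of "connected"
    means the router delivers directly on that segment. None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def reply_reaches_controller(routes, client_ip, src_nat=False):
    """Does an inside host's reply to a VIA client get back to the controller?

    With an any any any src-nat rule in the user role, the inside host sees the
    controller's own VLAN 20 address and replies to it directly. Without it, the
    reply is addressed to the pool address and the inside router decides: if only
    the default route matches, the reply leaves for the internet and the client
    looks unreachable even though its tunnel is up.
    """
    if src_nat:
        dst = CONTROLLER_INSIDE
    elif ipaddress.ip_address(client_ip) in VPN_POOL:
        dst = client_ip
    else:
        raise ValueError(f"{client_ip} is not in the VPN pool")
    next_hop = lookup(routes, dst)
    if next_hop == "connected":
        return dst == CONTROLLER_INSIDE
    return next_hop == CONTROLLER_INSIDE
```

Calling `reply_reaches_controller(ROUTES_MISSING_POOL_ROUTE, "172.16.100.7")` returns False, and it becomes True with either `src_nat=True` or the `ROUTES_STATIC_TO_CONTROLLER` table; the case where the pool overlaps the private VLAN's own subnet is not modelled here.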

  • 6.  RE: VIA - Client Unreachable

    Posted Oct 19, 2016 10:25 PM
    Thanks. Routes are in place. The non-pinging of clients is just another symptom which I believe leads to a configuration issue on the controller. I will open a TAC case and post back the results.

    Thanks for the help guys.


  • 7.  RE: VIA - Client Unreachable

    EMPLOYEE
    Posted Oct 19, 2016 10:44 PM

    What are the rules in the role that your client is placed in?



  • 8.  RE: VIA - Client Unreachable

    Posted Oct 19, 2016 10:46 PM
    To simplify things... allow any any


  • 9.  RE: VIA - Client Unreachable

    Posted Oct 20, 2016 08:05 AM

    Well... jumped back into testing this morning and everything is working. I tested with both a bogus VPN Pool (123.123.123.50-60) and the real pool which is the same network as the inside private interface. Both can now be pinged from CLI and now I can also route from the infrastructure for the real private network.

    Frustrating. I guess I am happy it is resolved.

    Again, thanks for the quick responses.



  • 10.  RE: VIA - Client Unreachable

    Posted Oct 20, 2016 09:28 AM

    I think I see what may be happening, I had Split-Tunnelling enabled in the connection profile in the production environment. With this enabled, there must be other configurations I am not considering. As soon as it is enabled and I clear and download the new profiles onto the client, the client cannot be ping nor can it reach resources (by IP, havent tried dns) on the production network. I will hit the books to see what else needs configured.