Just hit an interesting issue on 6.3.1.2 using VIA. Anybody else seen this?
A user connects as normal...
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
1.0.0.10 00:00:00:00:00:00 jcornford default-via-role 00:00:24 VIA-VPN 194.74.186.235 N/A tunnel Windows
194.74.186.235 00:00:00:00:00:00 logon 00:00:24 N/A tunnel
User Entries: 4/4
Here's some info about the role...
user-role default-via-role
via "demo-via"
access-list session src-nat-private-dest-to-inside
access-list session src-nat-to-outside
access-list session v6-allowall
access-list session allowall
!
ip access-list session src-nat-private-dest-to-inside
user alias private-nets any src-nat pool aruba-vlan-1920-ip
!
ip access-list session src-nat-to-outside
user any any src-nat pool aruba-vlan-82-ip
!
The VLAN 82 ip pool is public. The VLAN 1920 ip is private obviously.
I initiate a connection to a public IP, destination port 34032. I have sensible reasons for this, and it used to work on 6.3.1.1 I'm sure. The session doesn't connect (and note that yes, this session normally connects from anywhere else).
So here's the weird thing. Bearing in mind I have a deny and log rule at the end of my logon role, when this session doesn't connect, I get this in the log...
Feb 6 09:33:15 authmgr[2269]: <124006> <WARN> |authmgr| {546} TCP srcip=1.0.0.10 srcport=49297 dstip=X.X.X.X(PUBLIC) dstport=34032, action=deny, role=logon, policy=deny-and-log
And this in the table...
1.0.0.10 X.X.X.X(PUBLIC) 6 49297 34032 0/0 0 0 0 tunnel 9 2 0 0 FSDYC
What's really weird about this is that the log suggests it's matching the "logon" role rather than the "default-via-role", especially as the source IP matches a user table entry which is in the "default-via-role" role!?!?
Am I missing something here?
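As an added example (not part of the original post and not ArubaOS code): a small Python check that parses authmgr deny lines in the format shown above and flags any event whose logged role disagrees with the role the user table holds for that source IP. The dstip values, the second log line and the user table mapping are constructed sample input; the log line layout follows the one quoted in the post.

```python
import re
from typing import Dict, List, Optional

# authmgr session-ACL log line, in the layout shown in the post:
# "... authmgr[PID]: <MSGID> <LEVEL> |authmgr| {N} TCP srcip=... srcport=... dstip=... dstport=..., action=..., role=..., policy=..."
AUTHMGR_RE = re.compile(
    r"authmgr\[\d+\]: <(?P<msgid>\d+)> <(?P<level>\w+)> \|authmgr\| \{\d+\} "
    r"(?P<proto>\w+) srcip=(?P<srcip>\S+) srcport=(?P<srcport>\d+) "
    r"dstip=(?P<dstip>\S+) dstport=(?P<dstport>\d+), action=(?P<action>[^,\s]+), "
    r"role=(?P<role>[^,\s]+), policy=(?P<policy>\S+)"
)


def parse_authmgr(line: str) -> Optional[dict]:
    """Return the fields of an authmgr ACL log line as a dict, or None if the line is not one."""
    m = AUTHMGR_RE.search(line)
    return m.groupdict() if m else None


def find_role_mismatches(log_lines: List[str], user_roles: Dict[str, str]) -> List[dict]:
    """Return deny events whose logged role differs from the role the user table holds for srcip.

    user_roles maps client IP -> role, as read from 'show user'. Events for IPs not in the
    table are ignored, since there is nothing to compare them against.
    """
    mismatches = []
    for line in log_lines:
        ev = parse_authmgr(line)
        if ev is None or ev["action"] != "deny":
            continue
        expected = user_roles.get(ev["srcip"])
        if expected is not None and expected != ev["role"]:
            ev["expected_role"] = expected
            mismatches.append(ev)
    return mismatches


# Constructed sample input: the deny line from the post (dstip replaced by a documentation address)
# plus a second deny event whose role agrees with the user table and so must not be flagged.
SAMPLE_LOG = [
    "Feb 6 09:33:15 authmgr[2269]: <124006> <WARN> |authmgr| {546} TCP srcip=1.0.0.10 srcport=49297 dstip=203.0.113.10 dstport=34032, action=deny, role=logon, policy=deny-and-log",
    "Feb 6 09:34:02 authmgr[2269]: <124006> <WARN> |authmgr| {546} TCP srcip=1.0.0.11 srcport=50001 dstip=203.0.113.10 dstport=22, action=deny, role=default-via-role, policy=allowall",
]
# Constructed user table (IP -> role) in the shape of the 'show user' output in the post.
SAMPLE_USERS = {"1.0.0.10": "default-via-role", "1.0.0.11": "default-via-role"}

if __name__ == "__main__":
    for ev in find_role_mismatches(SAMPLE_LOG, SAMPLE_USERS):
        print(f"{ev['srcip']} -> {ev['dstip']}:{ev['dstport']} denied in role '{ev['role']}', "
              f"user table says '{ev['expected_role']}'")
```

Run it against `show log security` output and a `show user` dump to see whether the role disagreement is limited to one session or affects every VIA client.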