Contributor II
Posts: 56
Registered: ‎12-17-2011

VPN problems

[ Edited ]

I have a few clients that need to connect to their corporate networks via various VPN client software, and they're complaining that they can't connect and the connection times out. I've added the vpnlogon policy in the captive portal profile for the auth-guest user-role as shown below. Since the controller itself is not terminating any VPN sessions, is there anything else I need to do? Shouldn't this user-role allow all VPN traffic to/from the controller?

user-role auth-guest
 session-acl cplogout
 session-acl logon-control
 session-acl auth-guest-access
 session-acl vpnlogon
 ipv6 session-acl v6-logon-control
 session-acl drop-and-log

Update:

Ok, I've looked into the problem a little more. After configuring the auth-guest role to remove all policies except the cplogout and logon-control and adding the allowall policy as well, I still have the same issue. The current authenticated user role looks like this:

user-role auth-guest
 session-acl cplogout
 session-acl logon-control
 session-acl allowall

Doing a show datapath session table for the particular user trying to use his VPN client, I see that only traffic to/from UDP 500 to the VPN servers is being blocked:

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       I - Deep inspect, U - Locally destined

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----
x.x.x.x            y.y.y.y             17   500   500    0/0     0 96  0   tunnel 71   6    FDC

Does anyone have any ideas as to what could be causing this traffic to be blocked? I should add that the controller is not the default gateway for this traffic but a firewall instead. But would I see traffic being blocked by the firewall as being "denied" here at the controller as I'm seeing above?

Moderator
Posts: 87
Registered: ‎04-10-2007

Re: VPN problems

The vpnlogon policy looks like this:

1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4

Does the vpn client use something other than these protocols?

Kevin

Moderator
Posts: 53
Registered: ‎04-09-2007

Re: VPN problems

I would suggest adding UDP 10000 to the vpnlogon policy since some VPN clients use that.  Add svc-natt (UDP/4500) as well, and make sure SSL (TCP/443) is allowed somewhere.


Regards,
Austin

Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: VPN problems

The logon-control policy already allows svc-natt. The auth-guest-access policy allows HTTPS.

MVP
Posts: 512
Registered: ‎05-11-2011

Re: VPN problems

I believe it's cjoseph that has a post listing this as a recommended update for the vpn-policy:

Step #1 - The policy, apply from the command line of the controller,
under the config t mode

!
ip access-list session VPN-Clients
user any svc-l2tp permit
user any svc-esp permit
user any svc-ike permit
user any tcp 17 permit
user any udp 51 permit
user any udp 4500 permit
user any tcp 10000 10001 permit
user any udp 10000 10001 permit
user any svc-pptp permit
user any svc-gre permit
!

Step #2 -- Associate the new policy with the guest account as follows
(also from command line)

!
user-role guest
access-list session VPN-Clients
!

This might not completely solve your issue though.

In a scenario where the Controller is the default gateway and doing NAT, we've found that some VPN clients (especially Microsoft VPN) don't work for our guest user. This is supposedly fixed in the recent 6.1.2.6 release, but we've not been able to test this yet.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
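
A small triage helper for the situation discussed in this thread, added here as an example and not taken from the post or from ArubaOS: it parses the data rows of a "show datapath session table" dump, decodes the Flags column with the legend the controller prints, reports denied sessions that belong to a VPN service, and checks which of those services a session ACL such as VPN-Clients above actually permits. The protocol/port values behind the svc-* names and the svc-https name are assumptions (standard IANA ports); the sample table rows and policy text are constructed from what is quoted in this thread.

```python
# Flag letters as printed in the legend of the quoted datapath output.
FLAG_LEGEND = {"F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny", "R": "redirect",
               "Y": "no syn", "H": "high prio", "P": "set prio", "T": "set ToS", "C": "client",
               "M": "mirror", "V": "VOIP", "I": "Deep inspect", "U": "Locally destined"}
# Assumed (IP protocol, destination port) behind each service name used in the policies above;
# None means the whole protocol (ESP is 50, GRE is 47). svc-https is an assumed name for TCP/443.
VPN_SERVICES = {"svc-ike": (17, 500), "svc-natt": (17, 4500), "svc-l2tp": (17, 1701),
                "svc-pptp": (6, 1723), "svc-https": (6, 443), "svc-esp": (50, None),
                "svc-gre": (47, None)}
PROTO_NUM = {"tcp": 6, "udp": 17}

def denied_vpn_flows(table_text):
    """(src, dst, service, decoded flags) for each denied session that matches a VPN service."""
    hits = []
    for line in table_text.splitlines():
        f = line.split()
        # Data rows: src dst proto sport dport ... FLAGS; legend and header rows are skipped.
        if len(f) < 12 or not f[2].isdigit() or not f[-1].isalpha():
            continue
        proto, dport = int(f[2]), int(f[4])
        svc = next((n for n, (p, port) in VPN_SERVICES.items()
                    if p == proto and port in (None, dport)), None)
        if svc and "D" in f[-1]:
            hits.append((f[0], f[1], svc, [FLAG_LEGEND.get(c, c) for c in f[-1]]))
    return hits

def permitted_services(policy_text):
    """VPN services a session ACL permits, by name (svc-ike) or as 'udp 4500' / 'tcp 10000 10001'."""
    found = set()
    for f in (l.split() for l in policy_text.splitlines()):
        if len(f) < 4 or f[-1] != "permit":
            continue
        if f[2] in VPN_SERVICES:
            found.add(f[2])
        elif f[2] in PROTO_NUM and f[3].isdigit():
            lo, hi = int(f[3]), (int(f[4]) if f[4].isdigit() else int(f[3]))
            found.update(n for n, (p, port) in VPN_SERVICES.items()
                         if p == PROTO_NUM[f[2]] and port and lo <= port <= hi)
    return found

def missing_services(policy_text, required=tuple(VPN_SERVICES)):
    """Required services the policy does not permit (the role may still allow them via another ACL)."""
    return sorted(set(required) - permitted_services(policy_text))

# Constructed samples: the denied UDP/500 row quoted above plus a permitted HTTPS row, and VPN-Clients.
SAMPLE_TABLE = """x.x.x.x  y.y.y.y  17  500  500  0/0  0  96  0  tunnel  71  6  FDC
x.x.x.x  z.z.z.z  6  51234  443  0/0  0  0  0  tunnel  5  0  C"""
SAMPLE_POLICY = "\n".join("user any %s permit" % r for r in (
    "svc-l2tp", "svc-esp", "svc-ike", "tcp 17", "udp 51", "udp 4500",
    "tcp 10000 10001", "udp 10000 10001", "svc-pptp", "svc-gre"))
```

Run against the sample, the only denied VPN flow is the IKE session (flags fast age / deny / client), and the only service the VPN-Clients policy leaves unpermitted is svc-https, which matches the earlier advice to make sure TCP/443 is allowed somewhere in the role.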
Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: VPN problems

Wait a minute! Am I making all the changes to the wrong user-role? The captive portal authentication profile assigns a role of auth-guest to users that authenticate via the captive portal but their role shows up as guest after they authenticate, instead of auth-guest. I always thought that was a GUI thing. Do I need to apply these rules to the guest user-role, i.e. the VPN policies?

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: VPN problems

arubamonkey wrote:

Wait a minute! Am I making all the changes to the wrong user-role? The captive portal authentication profile assigns a role of auth-guest to users that authenticate via the captive portal but their role shows up as guest after they authenticate, instead of auth-guest. I always thought that was a GUI thing. Do I need to apply these rules to the guest user-role, i.e. the VPN policies?

When a user authenticates, type "show user" to see what role he gets AFTER he authenticates.

That is the role you are concerned about.

Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: VPN problems

The role after CP authentication is guest.

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: VPN problems

So that is the role that you change.

Colin Joseph
Aruba Customer Engineering

