Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

need help with split-tunnel

Hi Aruba,

I'm wondering if someone could help me. I'm setting up split tunnel on a RAP. I've managed to get the SSID up; a user can connect to the SSID and I can see in the monitoring that the user is in split-tunnel. The user is getting an IP address in their range at the remote site (10.84.3.0/24) and has a default gateway as well (10.84.3.9). However, they can't do anything: they can't get to the internet, they can't reach any IP at the HQ (10.27.0.0/24) and, worse, they can't even ping their local default gateway (10.84.3.9). My firewall policy is as follows:

any   any   svc-dhcp  permit
any   any   svc-dns   permit
any   any   svc-gre   permit
user  HQ    any       permit
user  any   any       route src-nat

The alias HQ contains the network address of our HQ. I don't know if I'm missing something here. I've played with the firewall policy but with no success. The connection between our HQ and the remote site is through a site-to-site VPN. I hope someone can help me.

Thanks in advance.

Richard.

Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

Re: need help with split-tunnel

I forgot to mention that the split-tunnel client is getting the correct role, meaning the role that the policy above is applied to.

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: need help with split-tunnel

In split-tunnel, the user must get an IP address from the headend, NOT the remote site. Is your Virtual AP configured as split-tunnel? If it were, a client would NOT get an IP address from the remote site. In addition, the Virtual AP VLAN should be a VLAN that exists at the headend.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

Re: need help with split-tunnel

When you say headend you mean my HQ, right? I configured the VLAN in the VAP as the VLAN that exists at the remote site; that's probably why they are getting that IP address. My forwarding mode is split-tunnel. I realized that what's happening is like a bridge. I will try changing the VLAN tomorrow and see how it goes. Thanks, man.

Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

Re: need help with split-tunnel

Hi cjoseph,

I tried to change the VLAN in the VAP to a VLAN that is available at the HQ, but now the client can't get an IP address. I tried changing the Session ACL in the AP System Profile to allowall first to see if it changed anything, but it's still the same issue. I am not sure what I am missing here. Please help. Thanks.

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: need help with split-tunnel

imus_rl wrote:

    Hi cjoseph,

    I tried to change the VLAN in the VAP to a VLAN that is available at the HQ, but now the client can't get an IP address. I tried changing the Session ACL in the AP System Profile to allowall first to see if it changed anything, but it's still the same issue. I am not sure what I am missing here. Please help. Thanks.


- That VLAN in the Virtual AP must be one that is on an access port on the controller

- Do NOT touch the AP system profile

- To test, first make the Virtual AP tunneled and the default 802.1x role something like "allow all" to make sure it is working.

Colin Joseph
Aruba Customer Engineering
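As an added example that is not from any of the posts above, this is what a minimal ArubaOS configuration matching Colin's advice looks like: the Virtual AP in split-tunnel forwarding mode, a VLAN that exists on the controller at the headend so the client is addressed from the headend rather than from the remote site, and a session ACL that keeps DHCP, DNS and HQ-bound traffic inside the tunnel while source-NATing everything else out the RAP's local uplink. The ACL mirrors the policy in the original post; the names rap-split-acl, rap-split-role and rap-split-vap, the VLAN number 200 and the 10.27.0.0/24 HQ alias are illustrative assumptions, and the AAA and SSID profiles that would normally be attached to the VAP are omitted.

```text
! Assumed headend VLAN; it must be defined on the controller (check with "show vlan")
vlan 200

! Destination alias for the HQ network (illustrative address from the original post)
netdestination HQ
  network 10.27.0.0 255.255.255.0

! Session ACL, first match wins:
!   permit        -> traffic is sent through the tunnel to the controller
!   route src-nat -> traffic is NATed and forwarded out the RAP's local uplink
ip access-list session rap-split-acl
  any  any       svc-dhcp  permit
  any  any       svc-dns   permit
  any  any       svc-gre   permit
  user alias HQ  any       permit
  user any       any       route src-nat

! Role that the authenticated split-tunnel client should land in
user-role rap-split-role
  access-list session rap-split-acl

! Virtual AP: split-tunnel forwarding, client VLAN is the headend VLAN
wlan virtual-ap rap-split-vap
  forward-mode split-tunnel
  vlan 200
```

Two things worth checking against this. First, with forward-mode split-tunnel the client's DHCP request travels through the tunnel, so VLAN 200 needs a DHCP server (or a DHCP helper) reachable from the controller; a VLAN that exists on the controller but has no DHCP source behind it produces exactly the "client can't get an IP address" symptom. Second, ACL order matters: the `route src-nat` rule is a catch-all, so anything meant to stay inside the tunnel (the HQ alias, DNS) must be listed above it, and traffic that matches it leaves the site directly and bypasses whatever inspection sits at HQ. That is the intended behaviour of split tunnel, but it is worth confirming the HQ alias covers every internal range before relying on it.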
