Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Issue accessing services behind NAT address of RAP

  • 1.  Issue accessing services behind NAT address of RAP

    Posted Feb 19, 2021 09:51 AM
    Hi all,

    We have deployed RAPs for our users. Two users complained that they are not able to connect from RAP SSIDs to their home servers through the internet. We are able to reproduce the issue. As soon as you try to access, through an SSID of a RAP, the public IP address of the CPE where the RAP is connected, the packet does not leave the controller.
    Below a sketch of the situation.

    Sketch of issue
    Is this a known behavior? Is this possibly a bug inside the controller? We have seen this issue with ArubaOS 6.x and ArubaOS 8.7.x. We know from at least one other customer that they observe the same behavior.
    Can others with a RAP setup confirm this issue?
    My current working hypothesis is that the controller picks the packet from the L2 stream and pushes the packet via the IPsec tunnel to the RAP, which drops the unknown packet.
    Regards,
    Benedikt


    ------------------------------
    Benedikt Neuffer
    ------------------------------


  • 2.  RE: Issue accessing services behind NAT address of RAP

    EMPLOYEE
    Posted Feb 24, 2021 08:14 AM
    You did not say if the user SSID was split-tunneled, bridged or fully tunneled on the RAP.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Issue accessing services behind NAT address of RAP

    Posted Feb 24, 2021 08:28 AM
    Sorry, I am a newbie on Aruba WiFi. The SSID is fully tunneled and traverses the central data center as shown in the sketch.

    ------------------------------
    Benedikt Neuffer
    ------------------------------



  • 4.  RE: Issue accessing services behind NAT address of RAP

    EMPLOYEE
    Posted Feb 24, 2021 09:31 AM
    The user should have access to anything that the datacenter subnet should have access to, then...

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Issue accessing services behind NAT address of RAP

    Posted Feb 24, 2021 10:00 AM
    Everyone is telling me that. Other customers too. Then they test it in their environment and report that they see the same behavior. This looks like a bug to me.

    ------------------------------
    Benedikt Neuffer
    ------------------------------



  • 6.  RE: Issue accessing services behind NAT address of RAP

    EMPLOYEE
    Posted Feb 24, 2021 11:08 AM
    Why don't you establish a wired port on that datacenter user vlan and test it, then?  Is the default gateway of that user vlan the controller?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Issue accessing services behind NAT address of RAP

    Posted Feb 24, 2021 11:34 AM
    The controller is not the gateway. Between the controller and the router is a switching infrastructure. If one connects a client directly to the switching infrastructure, everything works fine.

    ------------------------------
    Benedikt Neuffer
    ------------------------------