I don't have a definitive answer for you, but there is a separation between the datapath (traffic flowing through the device) and the management path (traffic to/from the device), so what you see may well be possible. As this is quite deep in the inner workings of the controller/gateway, you may need to work with TAC or your local Aruba SE to get the exact information from engineering. If you can work around the situation, that may be preferred.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Nov 05, 2024 09:28 AM
From: SomeArubaGuy
Subject: AOS PBR Not Working
Hi,
I have an AOS VMC Appliance and I need to configure PBR for traffic sourced from a loopback on the VMC Appliance. I have PBR working for user traffic that is sourced from behind the VMC, but traffic from the VMC itself (tunnel IP & loopback IP) doesn't work. If I don't use PBR to do this, and just use static routes, everything works.
Does PBR not apply to traffic generated from the device itself? This makes sense to me since the access-list is applied to the VLAN, and if I'm sourcing traffic from that VLAN it would technically be 'out' traffic and not 'in' traffic.
Here's an example. I want the host routes to go through my IPsec tunnel. These IPs are used to establish the GRE tunnel inside the IPsec tunnel (because for the real config, I need a tunnel-group for traffic failover). The 'any' traffic routes through the tunnel fine (when it's up via static routes, which I don't want to use), but the host routes (which are the GRE & loopback IPs) don't work when strictly doing PBR.
```
ip access-list route to_hubs
  ! works
  any network 172.16.0.0 255.255.255.0 any route tunnel 1
  ! doesn't work via PBR, but the same route as a static route works
  host 172.131.255.2 host 172.131.255.1 any route ipsec-map aruba-ipsec
!
interface vlan 50
  ip access-group in "to_hubs"
!
interface tunnel 1
  ip address 172.131.255.2 255.255.255.252
```
Thanks for your help
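The following is an added example, not code from the thread and not ArubaOS code: a small Python model of the behaviour the original poster hypothesises, i.e. that a route ACL bound with `ip access-group in` is consulted only for packets that enter on that interface, while traffic the device originates itself (GRE/loopback source) has no ingress interface and is forwarded by the static route table instead. The ACL name, addresses, interface names and next hops are taken from the post; the matching and longest-prefix lookup logic, the `uplink` default route and the user host 10.50.0.10 (assumed to sit on VLAN 50) are constructed for illustration.

```python
"""Toy model of interface-ingress PBR versus destination routing.

Added example, not from the post and not ArubaOS internals. It encodes the
poster's hypothesis: an inbound route ACL only sees transit packets, so
locally generated traffic never matches it and falls back to static routes.
Constructed assumptions: the 'uplink' default route and host 10.50.0.10.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def _covers(spec: str, ip: IPv4Address) -> bool:
    """'any' matches everything; otherwise spec is a host or prefix in CIDR."""
    return spec == "any" or ip in ip_network(spec, strict=False)


@dataclass
class RouteAclEntry:
    src: str      # "any", "172.131.255.2/32", "172.16.0.0/24", ...
    dst: str
    action: str   # what the ACL's 'route ...' clause would do

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return _covers(self.src, src) and _covers(self.dst, dst)


@dataclass
class Router:
    static_routes: Dict[str, str]                  # prefix -> next hop / egress
    ingress_acl: Dict[str, List[RouteAclEntry]]    # interface -> inbound route ACL

    def lookup_static(self, dst: IPv4Address) -> str:
        """Longest-prefix match over the static table; 'drop' if nothing matches."""
        best: Optional[Tuple[IPv4Network, str]] = None
        for prefix, nexthop in self.static_routes.items():
            net = ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else "drop"

    def forward(self, src_ip: str, dst_ip: str,
                ingress_if: Optional[str] = None) -> Tuple[str, str]:
        """Return (path, decision). ingress_if=None means locally originated."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        if ingress_if is not None:          # only transit traffic hits the 'in' ACL
            for entry in self.ingress_acl.get(ingress_if, []):
                if entry.matches(src, dst):
                    return ("pbr", entry.action)
        return ("static", self.lookup_static(dst))


# The poster's ACL, bound inbound on VLAN 50.
TO_HUBS = [
    RouteAclEntry("any", "172.16.0.0/24", "route tunnel 1"),
    RouteAclEntry("172.131.255.2/32", "172.131.255.1/32", "route ipsec-map aruba-ipsec"),
]


def pbr_only() -> Router:
    """PBR only, plus an assumed default route out the uplink."""
    return Router({"0.0.0.0/0": "uplink"}, {"vlan 50": TO_HUBS})


def pbr_plus_static() -> Router:
    """Same ACL, plus the host static route the poster says makes it work."""
    router = pbr_only()
    router.static_routes["172.131.255.1/32"] = "ipsec-map aruba-ipsec"
    return router


if __name__ == "__main__":
    # User traffic from behind the VMC enters on VLAN 50 -> PBR applies.
    print(pbr_only().forward("10.50.0.10", "172.16.0.7", ingress_if="vlan 50"))
    # GRE/loopback traffic generated by the device itself -> ACL never consulted,
    # so it leaves via the default route instead of the IPsec map.
    print(pbr_only().forward("172.131.255.2", "172.131.255.1"))
    # With the host static route in place the same packet reaches the IPsec map.
    print(pbr_plus_static().forward("172.131.255.2", "172.131.255.1"))
```

The model makes the poster's observation concrete: the second ACL entry would match if a packet with that source/destination ever arrived on VLAN 50, but a locally originated packet never does, so only a routing-table entry (the static host route) steers it into the IPsec map. Whether ArubaOS really evaluates PBR this way for self-originated traffic is exactly the question left open in the reply above; confirm it with TAC before relying on it.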