If ping is OK and http/https is not, check DNS.
My setup might be different, but for Apply policy I don't use a route ACL, only role assignment (aaa-profile).
Also, the LAN port (G0/0/1) on the Gateway is untrusted (the ones with VLANs tagged towards the LAN).
Original Message:
Sent: Jul 08, 2024 06:36 AM
From: EnzoJ
Subject: BGW issue with tunnel to SASE Axis Security
The user has the correct role I already verified.
I added the route policy where you mentioned, see picture.
But no success.
What I see in the datapath is that it goes through the Axis tunnel.
But 2 clients cannot do http or https, or even say that there isn't internet.
I can ping 8.8.8.8 and everything outside.
Original Message:
Sent: Jul 08, 2024 05:36 AM
From: OK96
Subject: BGW issue with tunnel to SASE Axis Security
quote:
But I see also that the return traffic comes directly and not from Axis.
Sounds like Axis is not intercepting?
Have you created an aaa-profile with an initial role set?
Have you applied the policy (Config > Security > Apply policy) to the VLAN?
Can it be hitting your setup policy, just above your axis-pbr policy?
Verify with:
show datapath session table
show datapath route
show user (is the traffic going to the tunnel?)
Other than that this looks fine.
------------------------------
Ole Morten Kårbø
ACP - Campus Access Professional
ACEA | ACSP | APS CX10000 | APS Central | APS SD-Branch
Netnordic Norway
Original Message:
Sent: Jul 08, 2024 04:54 AM
From: EnzoJ
Subject: BGW issue with tunnel to SASE Axis Security
Hey,
I have a lab with a 9005 gateway and some APs.
When I do a simple setup without SASE or anything, I can reach the internet and everything works.
When I enable the PBR of Axis, I cannot reach the internet.
I receive a local IP address and can ping the default gateway, but can't go outside.
According to Central the Axis tunnels are up and running, and the Axis management portal also says it's connected.
When I look into the sessions of the gateway I see that it uses the correct PBR and sends the traffic to the Axis portal.
But I also see that the return traffic comes directly and not from Axis.
Is that the issue?
In the Axis policy I only blocked gambling websites for testing.
I made a rule below it that allows everything from this test site.
In the PBR I want all OneDrive traffic to go local and the rest via Axis.
I applied it to the nexthop routing and then to the "test" role.
Any ideas why it doesn't work?