Security


Odd VPN issue with VIA / 7210 controller

  • 1.  Odd VPN issue with VIA / 7210 controller

    Posted Dec 24, 2019 01:16 PM
    Hi all,

    Bit of an odd one; we’re trying to rule out our new Aruba VPN being an issue.

    We have a 7210 controller working with ClearPass to allow access to users with the VIA client.

    This is connecting and holding the link fine. ClearPass is showing profile download and connection ... no problems there.

    On the controller, I have made a new role and set 2 policies - the default ‘allow all’ and a new one which allows all traffic from source of user. We have a firewall downstream of this controller doing further control.

    I can see a user coming in, and I run the command ‘show datapath session | include <their IP address>’.

    I can see the traffic going back and forth to different internal services.

    However, our laptop isn’t quite seeing this traffic successfully. Is the above command enough to definitively say it’s not the controller doing something strange? I can’t see any D flags in the sessions etc ...

    Thanks


  • 2.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 24, 2019 06:53 PM
    If you see TCP sessions with a Y flag, that means that traffic is only going in a single direction.
    For VPN client traffic, you either need to source-NAT the traffic out of the controller with an ACL in the role, or the IP address the client gets must be in the subnet of an IP interface on the controller.

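    The check this reply describes, as an added example that is not part of the original thread: a small Python script that parses ‘show datapath session’ output for one VIA client and reports flows that carry a D (deny) or Y flag, or that have no reverse-direction entry in the table. The session lines and the simplified column layout are constructed for the example (real ArubaOS output has more columns and a different header), and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample output for the example.  The layout is a simplified
# version of the columns shown by `show datapath session table`; real
# ArubaOS output has more columns, a different header, and may leave the
# Flags column blank.  10.250.0.23 plays the VIA client address.
SAMPLE_OUTPUT = """\
Source IP       Destination IP  Prot SPort DPort Age Packets Bytes Flags
--------------- --------------- ---- ----- ----- --- ------- ----- -----
10.250.0.23     10.10.5.40      6    51234 443   0   42      18000 FC
10.10.5.40      10.250.0.23     6    443   51234 0   38      91000 F
10.250.0.23     10.10.8.15      6    51240 3389  3   6       520   FY
10.250.0.23     10.10.9.9       17   60001 53    0   2       140   F
10.10.9.9       10.250.0.23     17   53    60001 0   2       300   F
10.250.0.23     10.10.7.77      6    51251 445   1   3       180   D
"""

# One session-table row: source, destination, protocol number, ports, flags.
@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: str
    sport: str
    dport: str
    flags: str

    @property
    def key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    @property
    def reverse_key(self):
        # The entry the controller creates for the return traffic of this flow.
        return (self.dst, self.src, self.proto, self.dport, self.sport)

# Matches a data row of the constructed layout; header and separator lines
# do not match because their third column is not numeric.
ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\d+(?:\s+([A-Za-z]+))?\s*$"
)

def parse_sessions(text):
    """Parse session-table text into Session objects, skipping non-data lines."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            src, dst, proto, sport, dport, flags = m.groups()
            sessions.append(Session(src, dst, proto, sport, dport, flags or ""))
    return sessions

def audit_client(sessions, client_ip):
    """Return (session, [problem, ...]) for flows the client initiated that
    look broken from the controller's point of view."""
    present = {s.key for s in sessions}
    findings = []
    for s in sessions:
        if s.src != client_ip:
            continue
        problems = []
        if "D" in s.flags:
            problems.append("denied by role ACL (D)")
        if "Y" in s.flags:
            problems.append("Y flag set")
        if s.reverse_key not in present:
            problems.append("no reverse-direction session")
        if problems:
            findings.append((s, problems))
    return findings

if __name__ == "__main__":
    for s, problems in audit_client(parse_sessions(SAMPLE_OUTPUT), "10.250.0.23"):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} proto {s.proto} "
              f"flags '{s.flags}': {', '.join(problems)}")
```

    A client-initiated flow with no matching reverse entry is what a missing return route (or missing source NAT) looks like from the controller's side: the request leaves, but the reply never reaches the controller to be matched against the session. Paste the real table output into SAMPLE_OUTPUT after adjusting the regex to the controller's column layout.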

  • 3.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 03:07 AM
    Thanks - I should clarify the following:

    The laptop is getting through to most of the internal network. Traffic is definitely passing through the firewall and controller etc.

    It’s the odd bits of traffic which seem to be not getting a response. I’ll do some more testing and look out for that flag.

    Could be a laptop thing but just seems like a weird default / inherit ACL maybe causing problems.


  • 4.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 07:31 AM
    Also - if we’re using L2TP pools for the IP addresses, does it still need an interface / VLAN on the controller to match that range?


  • 5.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 09:16 AM
    Yes, unless there is an ACL in the user role to source-NAT the traffic, OR your network has a static route pointing to your controller for the pool's subnet.


  • 6.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 11:18 AM
    Yes we have a static route to the controller from the firewall. Then I’ve redistributed this into OSPF from the firewall.

    It’s strange how it’s only some network traffic. I’m beginning to think it’s the laptop.


  • 7.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 11:22 AM

    Do you have split tunneling enabled?



  • 8.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 11:26 AM
    No, it’s not - I haven’t ticked that in the VIA client, so I presume that means it’s disabled.

    Would there be any inherit options that cause issue with some traffic but not others?

    Merry Christmas by the way :-)


  • 9.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 11:44 AM
    PS: I meant I haven’t ticked the split tunnel option in the VIA client profile.


  • 10.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 25, 2019 12:21 PM

    The ACL in the user role or split tunneling would be two guesses. The rest probably would be in your infrastructure.



  • 11.  RE: Odd VPN issue with VIA / 7210 controller
    Best Answer

    Posted Dec 25, 2019 12:33 PM

    On the MM, I would cd to the MD that terminates the VIA connections and type:

    show configuration datastore object via_connection_profile

    That will tell you what VIA connection profiles you have and whether or not they have split tunneling configured.



  • 12.  RE: Odd VPN issue with VIA / 7210 controller

    Posted Dec 27, 2019 11:11 AM
    This was a routing issue further within our infrastructure like you said. Thanks for your help