Controllerless Networks

Contributor I

AP-225 split tunneling showing with Invalid (I) Flag

I've setup AP profile for split tunneling and it's showing with Invalid (I) Flag on Controller, see config below. When I change forward-mode to 'tunnel' all is fine (except split tunneling doesnt work lol;) Please advice


wlan virtual-ap "Aruba-CP-Radius-vap_prof2"
aaa-profile "Aruba-CP-Radius-aaa_prof2"
ssid-profile "Aruba-CP-Radius-ssid_prof2"
vlan 176
forward-mode split-tunnel

aaa profile "Aruba-CP-Radius-aaa_prof2"
authentication-dot1x "CFN-Main-dot1x"
dot1x-default-role "split-usr"
dot1x-server-group "CFN-RADIUS-server-grp"


user-role split-usr
access-list session split-acl


ip access-list session split-acl
any any svc-dhcp permit
any alias Net_10.29.0.0-16 any permit
user any any src-nat

Re: AP-225 split tunneling showing with Invalid (I) Flag

Do you AP configured as RAP or CAP ? Does your AP connected from remote-site/other network ?
if it working as CAP , Split tunneling isnt possible

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Guru Elite

Re: AP-225 split tunneling showing with Invalid (I) Flag

Split-tunnel is only possible if the AP is configured as a RAP.


Tunnel, bridge and decrypt-tunnel are available when operating as a campus AP.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Guru

Re: AP-225 split tunneling showing with Invalid (I) Flag

Is that a name VLAN ?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
Contributor I

Re: AP-225 split tunneling showing with Invalid (I) Flag

Yes, it's does it mean I have to change to RAP and then set IKE PSK ? Does RAP connect to controller public IP or  private IP (in my case it's IPsec tunnel from my home remote network to DC firewall - so AP to Controller communication is thru IPsec). I'm not sure what decrypt-tunnel is for


vlan 176 (id 176) is on controller side 


(Aruba-7210) #show vlan 176

VLAN Description Ports AAA Profile
---- ----------- ----- -----------
176 VLAN0176 GE0/0/0 N/A

Search Airheads
Showing results for 
Search instead for 
Did you mean: