(In my Zombie voice)
Brains, brains give me your brains.
I have a 7005 controller at a remote site and a 7210 RAP/VPN controller as the hub with a standard IPSEC tunnel between the two of them over an internet connection. AOS 6.5.3.3. This particular setup happens to be in China. I have other setups exactly like this in the other parts of the world including one in my house in the US. US one goes to a US VPN/RAP controller.
I have guest users who, after web authenticating, launch a VPN client. I think it is an AT&T VPN client. The VPN establishes but they are unable to pass any traffic over the connection. My company's VPN client works fine. Occasionally they get some traffic working but it is barely working. For instance last night they said Outlook worked but Skype and web browsing did not. Then we re-authenticated the guest and they would say now Skype works but Outlook doesn't and web doesn't. Sometimes nothing works; never has it all worked.
I have a support case open. One thing I noticed is the crypto tunnel MTU is default at 1500. I cannot ping with the DF flag anything bigger than 932 across the IPSEC tunnel, controller IP to controller IP. I tried lowering the crypto tunnel MTU to the lowest value, 1024, but still cannot ping larger than 923 with DF set. Same results on my other Aruba VPN controllers and tunnels.
Exact setup / flow is:
- unmanaged switch with APs (guest wired or wireless) AP SAP MTU default.
- 7005 with no split tunnel all traffic goes to RAP controller.
- IPSEC tunnel over ISP
- ASA firewall with public IP NATed to internal RAP controller IP.
- RAP controller, where all traffic is forwarded via a PBR to the Cisco core LAN.
- From the LAN it follows the routing table and out the ASA FW on a different fw context.
Any idea why this client's VPN traffic will not pass but connects? Any suggestions on the MTU of the controllers' IPSEC tunnel? The client's role on the controller allows all external traffic. The ASA firewall enforces from there.
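The DF-ping test in the post is a manual path-MTU search. Below is an added example (not from the original post, and not Aruba or Cisco code) that does that search by binary search and, separately, estimates how much of an outer 1500-byte MTU an ESP tunnel leaves for the inner packet. The ESP parameters (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 ICV, optional NAT-T UDP encapsulation) are assumptions for illustration, not the controllers' actual configuration. The probe used by the runnable part is a constructed simulator with a 960-byte path MTU, chosen only so the result lines up with the 932-byte payload ceiling mentioned above; `linux_ping_probe` shows how to plug in a real `ping -M do` on a Linux host.

```python
"""Path-MTU search with DF-set probes, plus ESP tunnel overhead arithmetic.

Added example; the probe simulator and the ESP parameters are constructed
assumptions, not measurements from the controllers in the post.
"""
import subprocess
from typing import Callable

IP_HEADER = 20
ICMP_HEADER = 8
PING_OVERHEAD = IP_HEADER + ICMP_HEADER  # bytes wrapped around the ping payload


def payload_to_packet_size(payload: int) -> int:
    """Total IPv4 length of an ICMP echo with the given payload (ping -s size)."""
    return payload + PING_OVERHEAD


def find_max_df_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe(size) succeeds, found by
    binary search. Assumes the path is monotone: once a size is dropped,
    every larger size is dropped too. Returns -1 if nothing passes."""
    best = -1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


def simulated_probe_for_path_mtu(path_mtu: int) -> Callable[[int], bool]:
    """Constructed simulator: a DF packet gets through iff its IP length <= path_mtu."""
    def probe(payload: int) -> bool:
        return payload_to_packet_size(payload) <= path_mtu
    return probe


def linux_ping_probe(target: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe for a Linux host using iputils ping with DF set (-M do).
    Returns True when one echo reply comes back. Not exercised offline."""
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), target],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


def max_inner_packet(outer_mtu: int, nat_t: bool = True,
                     block: int = 16, iv_len: int = 16, icv_len: int = 12) -> int:
    """Largest inner IP packet an ESP tunnel-mode SA can carry without
    fragmenting the outer packet. Assumed layout: outer IPv4 header,
    optional NAT-T UDP header, ESP header (SPI + sequence), IV, the inner
    packet plus pad, a 2-byte trailer (pad length, next header), then the ICV.
    The inner packet plus trailer must be a multiple of the cipher block."""
    fixed = IP_HEADER + (8 if nat_t else 0) + 8 + iv_len + icv_len
    available = outer_mtu - fixed
    padded_region = (available // block) * block  # inner + pad + 2-byte trailer
    return padded_region - 2


def max_ping_payload_through_tunnel(outer_mtu: int, nat_t: bool = True) -> int:
    """Biggest `ping -s` value expected to survive DF end to end through the tunnel."""
    return max_inner_packet(outer_mtu, nat_t=nat_t) - PING_OVERHEAD


if __name__ == "__main__":
    # Constructed path with a 960-byte MTU: the search should land on a 932-byte payload.
    print("simulated max DF payload:", find_max_df_payload(simulated_probe_for_path_mtu(960)))
    for nat in (False, True):
        print(f"outer MTU 1500, NAT-T={nat}: inner max {max_inner_packet(1500, nat)} bytes, "
              f"ping -s up to {max_ping_payload_through_tunnel(1500, nat)}")
```

Compare the measured ceiling from `find_max_df_payload` with what `max_ping_payload_through_tunnel` predicts for the tunnel's real cipher and NAT-T settings: a measured value far below the prediction points at something along the path (an intermediate hop with a smaller MTU, or a device dropping ICMP "fragmentation needed") rather than at the ESP overhead itself.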