Wireless Access



Problem with split tunnel on RAP108

  • 1.  Problem with split tunnel on RAP108

    Posted Nov 20, 2015 04:46 AM

    Hi,

    I am hoping someone can help with an issue we are seeing using split tunnel with a RAP108. Please refer to the attached diagram to see the setup.

    The wireless client connects fine after authenticating via 802.1X and receives an IP address from the corporate network, and it can access all corporate resources as expected. The client runs an application that needs to query a local GPS device to note its exact position. The GPS has a fixed IP of 192.168.1.200 and is connected to the Eth1 port of the RAP. The port is configured as an access port and is set as bridge. The split tunnel role has two rules in its associated policy:

    1. route src nat any traffic destined for 192.168.1.200

    2. permit all other traffic

    The problem is that the device cannot communicate correctly with the GPS. We have swapped the GPS for a laptop, run a Wireshark capture and sent a ping from the corporate device. The Wireshark capture shows that the 'GPS' laptop receives the ping request and responds, but the corporate device does not receive the reply. The request comes from the Eth0 interface IP address of the RAP, so the src NAT is working correctly. The GPS laptop can ping the 4G router and the RAP successfully, so I am not sure where the issue lies. Any help is much appreciated.

    Thanks

    Stewart  



  • 2.  RE: Problem with split tunnel on RAP108

    EMPLOYEE
    Posted Nov 20, 2015 07:38 AM

    Have you tried plugging the GPS device into the same switch that the AP and 4G router are on, on the 192.168.1.x subnet, to see if it works? Your device that is querying the GPS device does not get an address on the 192.168.1.x subnet, does it?

    Use the "show datapath session ap-name <name of ap> table <ip address of device>" command to see the flows of that device on that RAP.



  • 3.  RE: Problem with split tunnel on RAP108
    Best Answer

    Posted Nov 26, 2015 09:59 AM

    Thank you for the reply. We have now resolved this - it was the wired port configuration.


    1. If the RAP Eth1 port is configured as trusted, the ping reply will never reach back to the split tunnel device. The packet is bridged and has no chance to be translated back to the wireless client.

    2. When putting the RAP Eth1 port as not trusted, the wired user will show in the user table with the logon role.

    3. It is necessary to create an AAA profile and a new role for the wired device.

    4. The wired role needs to allow incoming traffic.

    The new role firewall policy was defined as follows:

    Position  Source  Destination                        Service   Action
    --------  ------  ---------------------------------  --------  ------
    1         any     any                                svc-dhcp  permit
    2         user    any                                udp 68    deny
    3         any     network 192.168.1.0 255.255.255.0  any       permit

     

    The source in the 3rd rule has to be 'any' and not 'user'.
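    As an added example (not the poster's configuration, which was not shared in the thread), the following ArubaOS controller configuration ties the four points above together: the session ACL from the table, the wired role and AAA profile, and Eth1 as an untrusted bridged access port. The profile, role, and AP-group names and the access VLAN are assumed.

```text
! Added example, not the poster's own configuration. The names
! gps-wired-policy, gps-wired, gps-wired-aaa, rap-eth1-bridge, rap-eth1,
! rap-group and the access VLAN (1) are assumptions.
!
! Session ACL with the three rules from the table above. Rule 3 must use
! source "any" rather than "user", as the thread found.
ip access-list session gps-wired-policy
  any any svc-dhcp permit
  user any udp 68 deny
  any network 192.168.1.0 255.255.255.0 any permit
!
! Role for the wired GPS device on Eth1 (point 3): allows the inbound
! traffic the device needs (point 4) via the ACL above.
user-role gps-wired
  access-list session gps-wired-policy
!
! AAA profile that places the wired device in that role instead of the
! default logon role it receives once the port is untrusted (point 2).
aaa profile gps-wired-aaa
  initial-role gps-wired
!
! Eth1 as an untrusted bridged access port. A trusted port bridges the
! reply without a user entry, so the src-NAT translation back to the
! wireless client never happens (point 1).
ap wired-ap-profile rap-eth1-bridge
  wired-ap-enable
  forward-mode bridge
  switchport mode access
  switchport access vlan 1
  no trusted
!
ap wired-port-profile rap-eth1
  wired-ap-profile rap-eth1-bridge
  aaa-profile gps-wired-aaa
!
! Bind the port profile to Eth1 of the RAPs in this AP group.
ap-group rap-group
  enet1-port-profile rap-eth1
```

    After applying it, the wired device should appear in the user table in the gps-wired role, and "show datapath session ap-name <name> table <ip>" (from reply 2) can confirm the reply flow back to the wireless client.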