Wireless Access

Contributor I

Problem with split tunnel on RAP108


I am hoping someone can help with an issue we are seeing using split tunnel with a RAP108. Please refer to the attached diagram to see the setup.

The wireless client connects fine after authenticating via 802.1x and receives an IP address from the corporate network, and it can access all corporate resources as expected. The client runs an application that needs to query a local GPS device to note its exact position. The GPS has a fixed IP of and is connected to the Eth1 port of the RAP. The port is configured as an access port and is set as bridge. The split tunnel role has two rules in its associated policy:

1. route src nat any traffic destined for

2. permit all other traffic

The problem is that the device cannot communicate correctly with the GPS. We have swapped the GPS for a laptop, run a Wireshark capture and sent a ping from the corporate device. The Wireshark capture shows that the 'GPS' laptop receives the ping request and responds, but the corporate device does not receive the reply. The request comes from the Eth0 interface IP address of the RAP, so the src NAT is working correctly. The GPS laptop can ping the 4G router and the RAP successfully, so I am not sure where the issue lies. Any help is much appreciated.



Guru Elite

Re: Problem with split tunnel on RAP108

Have you tried plugging the GPS device into the same switch that the AP and 4G router are on, on the 192.168.1.x subnet, to see if it works? Your device that is querying the GPS device does not get an address on the 192.168.1.x subnet, does it?

Use the "show datapath session ap-name <name of ap> table <ip address of device>" command to see the flows of that device on that RAP.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: Problem with split tunnel on RAP108

Thank you for the reply. We have now resolved this - it was the wired port configuration.

1. If the RAP Eth1 port is configured as trusted, the ping reply will never reach back to the split tunnel device. The packet is bridged and has no chance to be translated back to the wireless client.

2. When putting the RAP Eth1 port as not trusted, the wired user will show in the user table with the logon role.

3. It is necessary to create an AAA profile and a new role for the wired device.

4. The wired role needs to allow incoming traffic.



The new role firewall policy was defined as follows:

Position   Source   Destination   Service    Action
--------   ------   -----------   --------   ------
1          any      any           svc-dhcp   permit
2          user     any           udp 68     deny
3          any      network       any        permit


The source in the 3rd rule has to be 'any' and not 'user'.
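The following is an added illustration, not part of the thread above and not Aruba's own code: a small first-match model of the wired role's session policy that shows why the third rule needs source 'any'. The ping request reaching the GPS device has been src-NATed to the RAP's Eth0 address, so from the wired role's point of view its source is not 'user'; with source 'user' the request falls through to the implicit deny. The addresses, the subnet behind the 'network' alias, and the UDP 67/68 definition of svc-dhcp are assumptions of this model (the thread does not state them), and the model is stateless, whereas the real firewall is session-based.

```python
"""Added example (not from the Airheads thread): a stateless, first-match
session-ACL model for the wired GPS role described in the resolution post."""
from dataclasses import dataclass
from typing import Optional, List, Tuple
import ipaddress

# Constructed addresses for the model; the thread does not give the real ones.
WIRED_USER_IP = "192.168.1.50"   # assumed address of the wired GPS device
RAP_ETH0_IP = "192.168.1.10"     # assumed RAP Eth0 address used for src NAT
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed 'network' alias


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Rule:
    position: int
    source: str                # "any" | "user" | "network"
    destination: str           # "any" | "user" | "network"
    service: str               # "svc-dhcp" | "udp 68" | "any"
    action: str                # "permit" | "deny"


def match_endpoint(alias: str, addr: str, user_ip: str) -> bool:
    """Resolve a role alias against a concrete address.

    'user' is the address of the device holding the role; 'network' is the
    assumed local subnet behind the alias in rule 3."""
    if alias == "any":
        return True
    if alias == "user":
        return addr == user_ip
    if alias == "network":
        return ipaddress.ip_address(addr) in LOCAL_NET
    raise ValueError(f"unknown alias {alias!r}")


def match_service(service: str, pkt: Packet) -> bool:
    if service == "any":
        return True
    if service == "svc-dhcp":      # modelled as UDP 67/68 (assumption)
        return pkt.proto == "udp" and pkt.dport in (67, 68)
    proto, _, port = service.partition(" ")
    return pkt.proto == proto and pkt.dport == int(port)


def evaluate(policy: List[Rule], pkt: Packet, user_ip: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; falling off the end is an implicit deny."""
    for rule in sorted(policy, key=lambda r: r.position):
        if (match_endpoint(rule.source, pkt.src, user_ip)
                and match_endpoint(rule.destination, pkt.dst, user_ip)
                and match_service(rule.service, pkt)):
            return rule.action, rule.position
    return "deny", None


def wired_role(third_rule_source: str) -> List[Rule]:
    """The policy from the thread, with rule 3's source left as a parameter."""
    return [
        Rule(1, "any", "any", "svc-dhcp", "permit"),
        Rule(2, "user", "any", "udp 68", "deny"),
        Rule(3, third_rule_source, "network", "any", "permit"),
    ]


# After src NAT the ping request arrives from the RAP's Eth0 address,
# so its source is not the wired user; the reply goes back the other way.
INBOUND_REQUEST = Packet(src=RAP_ETH0_IP, dst=WIRED_USER_IP, proto="icmp")
OUTBOUND_REPLY = Packet(src=WIRED_USER_IP, dst=RAP_ETH0_IP, proto="icmp")


def check(third_rule_source: str) -> dict:
    """Verdict for both directions of the NATed ping under a given rule 3."""
    policy = wired_role(third_rule_source)
    return {
        "inbound_request": evaluate(policy, INBOUND_REQUEST, WIRED_USER_IP)[0],
        "outbound_reply": evaluate(policy, OUTBOUND_REPLY, WIRED_USER_IP)[0],
    }


if __name__ == "__main__":
    print("rule 3 source 'user':", check("user"))  # inbound request denied
    print("rule 3 source 'any': ", check("any"))   # inbound request permitted
```

Running the block prints the verdicts for both variants: with source 'user' the NATed request towards the GPS device matches no rule and is dropped, while with source 'any' rule 3 permits it, which is the "allow incoming traffic" requirement in point 4 above.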

