Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Rap3 in split tunnel mode

  • 1.  Rap3 in split tunnel mode

    Posted Apr 10, 2013 01:20 PM

    I have a corporate site that has multiple branches connecting back to the corporate office with RAP3 connections.

    I have it set so that corporate 10.1.X.X traffic flows down the tunnel and all other (Internet) traffic goes out the split tunnel, thus freeing up corporate bandwidth. The setup is working well and they have been running this way for around 4-5 months now.

    Just recently branch offices are now calling in saying they can no longer get Internet traffic. They can, however, reach the corporate 10.1.X.X network without any issues. When I look in the controller I can see the RAP connection up with no problems. I have the branch office reset their ISP cable modem and then they are able to get Internet again. This, however, only seems to fix the problem for a few days and they have to reset the ISP device again. Last time, before they reset the ISP box, I had them plug straight into it to see if they could get Internet, and they could surf web pages without a problem. The tunnel back to corporate has never gone down except for just a few minutes when they do reset the ISP.

    So everything points towards the ISP, but this problem is happening in about 3-4 branches across the US and involves several different ISPs, so I thought I would post on here and see if anyone had any ideas...

    Thanks for reading this long post. This forum and community of Aruba engineers and field techs are a great resource and I look forward to hearing any responses or suggestions you may have.

    Thanks

    J



  • 2.  RE: Rap3 in split tunnel mode

    Posted Apr 11, 2013 09:37 PM

     

    It is very interesting that the RAP3 is still up if they can't access the Internet.

    How are they trying to connect, wireless or wired?



  • 3.  RE: Rap3 in split tunnel mode

    Posted Apr 11, 2013 11:46 PM
    Both wireless and wired port experience the problem. I have also heard that some PCs in the branch can get Internet while others cannot. When they reboot the ISP device they all get Internet again (for a day or two).

    The tunneled 10.1.x.x traffic never goes down. If I don't split tunnel and send all the Internet traffic towards corporate it stays up with no problem. It's like the ISP device gets overwhelmed and has to get its ARP/MAC addresses cleared out or something. Not sure, it's a strange problem for sure.


  • 4.  RE: Rap3 in split tunnel mode

    MVP EXPERT
    Posted Apr 14, 2013 03:55 AM

    A few things to try:

    - Traceroute from the client to the Internet: how far does it get?

    - Are you able to resolve any external addresses?

    - What do you see if you do a "show datapath session"?

    - Might be worth running a packet capture and seeing if the 3-way handshake completes

    Regards
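    The DNS-resolution and TCP-handshake checks suggested above, scripted from the branch client's side as an added example (not code from this thread or from HPE Aruba). It groups each target by the path it takes, tunnelled corporate 10.1.x.x versus split-tunnelled Internet, so a failure confined to the "split" path points at the local ISP leg rather than the RAP tunnel. The corporate prefix, hostnames and ports are assumptions.

```python
import ipaddress
import socket

# Assumption: the corporate prefix that is sent down the RAP tunnel; the
# thread describes 10.1.X.X, everything else goes out the branch ISP.
TUNNELED_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]


def path_for(ip: str) -> str:
    """Classify a destination as 'tunnel' (RAP tunnel to corporate) or
    'split' (routed locally via the branch ISP)."""
    addr = ipaddress.ip_address(ip)
    return "tunnel" if any(addr in net for net in TUNNELED_PREFIXES) else "split"


def resolve(host: str):
    """Check 2 from the post: can the client resolve the name? Returns the
    first IPv4 address or None when resolution fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def handshake(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Check 4 from the post: does a TCP three-way handshake complete?
    create_connection() only returns once SYN/SYN-ACK/ACK has finished."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def summarize(results):
    """results: list of (host, ip_or_None, handshake_ok). Returns one verdict
    per path ('tunnel', 'split', or 'dns' for names that did not resolve)."""
    verdict = {}
    for _host, ip, ok in results:
        key = path_for(ip) if ip else "dns"
        verdict.setdefault(key, []).append(ok)
    return {path: all(oks) for path, oks in verdict.items()}


def triage(targets):
    """Run resolve + handshake for each (host, port) and summarize by path."""
    results = []
    for host, port in targets:
        ip = resolve(host)
        results.append((host, ip, bool(ip) and handshake(ip, port)))
    return summarize(results)


if __name__ == "__main__":
    # Assumed targets: one corporate host behind the tunnel, one Internet host.
    print(triage([("intranet.corp.example", 443), ("www.example.com", 443)]))
```

    A result such as {'tunnel': True, 'split': False} reproduces the symptom in the thread: the tunnel is healthy while locally routed Internet traffic is not.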



  • 5.  RE: Rap3 in split tunnel mode

    Posted Jun 19, 2014 09:03 PM

    Has anyone found a solution to this? I am having this same issue. It seems to come and go without any intervention but it will last for hours before resolving itself.



  • 6.  RE: Rap3 in split tunnel mode

    Posted Jun 19, 2014 09:04 PM

    To note, I am having this problem with RAP3 and RAP155.  They both terminate to 7210 controller running 6.3.1.3




  • 7.  RE: Rap3 in split tunnel mode

    EMPLOYEE
    Posted Jun 19, 2014 09:18 PM

    amvita,

     

    Please post the role that the user gets when split tunneled, including the ACL. On the command line, show us the output of "show rights <role>"



  • 8.  RE: Rap3 in split tunnel mode

    Posted Jun 20, 2014 12:09 AM

    Here's the output.  Please note that the split tunnel has been working properly but now is exhibiting the behavior.

     

     #show rights BC_remote-employee-role

    Derived Role = 'BC_remote-employee-role'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 57/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name                      Type     Location
    --------  ----                      ----     --------
    1         BC_common-dhcp-acl        session  
    2         BC_sip-session-allow-acl  session  
    3         BC_remote-emp-acl         session  

    BC_common-dhcp-acl
    ------------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-dhcp  permit                           Low                                                           4
    BC_sip-session-allow-acl
    ------------------------
    Priority  Source         Destination    Service      Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------         -----------    -------      ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user           BC_sip-server  svc-sip-udp  permit                           High                                                          4
    2         user           BC_sip-server  svc-sip-tcp  permit                           High                                                          4
    3         BC_sip-server  user           svc-sip-udp  permit                           High                                                          4
    4         BC_sip-server  user           svc-sip-tcp  permit                           High                                                          4
    BC_remote-emp-acl
    -----------------
    Priority  Source               Destination          Service  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------               -----------          -------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         BC_internal-network  BC_internal-network  any      permit                                  Low                                                           4
    2         user                 any                  any      route src-nat                           Low                                                           4

    Expired Policies (due to time constraints) = 0
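    An added example (not from this thread or from HPE Aruba) that parses ACL tables in the "show rights" format posted above and checks the split-tunnel pattern in BC_remote-emp-acl: the internal-to-internal permit must be ordered before the "route src-nat" rule, otherwise corporate traffic would be NATed out the branch ISP instead of going down the tunnel. The sample text is a constructed, column-trimmed copy of the posted output.

```python
import re

# Constructed sample: two of the ACLs from the posted output, with the empty
# columns dropped. Columns are separated by two or more spaces.
SAMPLE = """\
BC_common-dhcp-acl
------------------
Priority  Source               Destination          Service   Action         Queue  IPv4/6
--------  ------               -----------          -------   ------         -----  ------
1         user                 any                  udp 68    deny           Low    4
2         any                  any                  svc-dhcp  permit         Low    4
BC_remote-emp-acl
-----------------
Priority  Source               Destination          Service   Action         Queue  IPv4/6
--------  ------               -----------          -------   ------         -----  ------
1         BC_internal-network  BC_internal-network  any       permit         Low    4
2         user                 any                  any       route src-nat  Low    4
"""


def parse_acls(text):
    """Return {acl_name: [(priority, src, dst, service, action), ...]}.
    An ACL name is a line followed by a line made only of dashes; rule rows
    start with a numeric priority. Services like 'udp 68' and actions like
    'route src-nat' contain single spaces, so split on 2+ spaces only."""
    acls, current = {}, None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line and nxt and set(nxt) == {"-"}:
            current = line
            acls[current] = []
            continue
        fields = re.split(r"\s{2,}", line)
        if current and len(fields) >= 5 and fields[0].isdigit():
            prio, src, dst, svc, action = fields[:5]
            acls[current].append((int(prio), src, dst, svc, action))
    return acls


def split_tunnel_ok(rules, internal="BC_internal-network"):
    """True when an internal->internal permit has a lower (earlier) priority
    than the first 'route src-nat' rule, i.e. corporate traffic is tunnelled
    before the catch-all NAT sends everything else out the local ISP."""
    nat = [p for p, _s, _d, _svc, a in rules if a == "route src-nat"]
    permit = [p for p, s, d, _svc, a in rules
              if a == "permit" and s == internal and d == internal]
    return bool(nat) and bool(permit) and min(permit) < min(nat)
```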



  • 9.  RE: Rap3 in split tunnel mode

    EMPLOYEE
    Posted Jun 20, 2014 05:39 AM

    That looks right.  You should open a TAC case to see if they can get to the bottom of this.