Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
  • 1.  Split Tunnel

    Posted Nov 21, 2014 05:58 PM

    I followed the guide in my bootcamp manual for setting up a split tunnel SSID, but it is still routing all traffic through the corporate LAN instead of routing internet through the local router.  Any help would be appreciated.  I have the following policy rules.  I only have this one policy for the role that is assigned to the user.

     

    IPv4 user ru-lan any permit Low
    IPv4 ru-lan any any permit Low
    IPv4 user any any route src-nat Low
    IPv4 any any svc-dhcp permit

     

    Eric

     



  • 2.  RE: Split Tunnel

    EMPLOYEE
    Posted Nov 21, 2014 06:50 PM

    - The dhcp rule should be at the top

    - make sure your ap is configured as a rap

    - make sure your virtual ap forwarding mode is split tunnel

    - make sure your user actually is in that role

     

     



  • 3.  RE: Split Tunnel

    Posted Nov 21, 2014 09:01 PM

    Thanks for the quick response.  The DHCP rule is actually first.... for some reason it pasted differently.  My AP is configured as a RAP.  The mode is split-tunnel.  The user is assigned the role that has this policy.  Is there something else I'm missing?  Am I supposed to get an IP from the corporate LAN or my local network?



  • 4.  RE: Split Tunnel

    EMPLOYEE
    Posted Nov 21, 2014 09:04 PM

    You are supposed to get it from Corporate LAN.

     

    make your last rule "any any any route src-nat low"



  • 5.  RE: Split Tunnel

    Posted Nov 21, 2014 09:23 PM

    It seems like I did everything I was supposed to.

     

    (arubahost1) #show rights remote-test-splittunnel

    Derived Role = 'remote-test-splittunnel'

    ----------------
    Position  Name          Type     Location
    --------  ----          ----     --------
    1         split-tunnel  session

    split-tunnel
    ------------
    Priority  Source  Destination  Service   Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          svc-dhcp  permit                                  Low                                                          4
    2         user    ru-lan       any       permit                                  Low                                                          4
    3         ru-lan  any          any       permit                                  Low                                                          4
    4         user    any          any       route src-nat                           Low                                                          4



  • 6.  RE: Split Tunnel

    EMPLOYEE
    Posted Nov 21, 2014 09:25 PM

    The only thing now is to confirm that your user is ending up in that role.

     



  • 7.  RE: Split Tunnel

    Posted Nov 21, 2014 09:28 PM

    I get an IP from my corporate LAN.  But when I traceroute to anything on the internet it goes through the corporate LAN still.



  • 8.  RE: Split Tunnel

    Posted Nov 21, 2014 09:30 PM

    Here is the proof that the user is getting that role.  

     

    (arubahost1) #show user ap-name eric-home

    Users
    -----
    IP             MAC                Name  Role                     Age(d:h:m)  Auth    VPN link  AP name    Roaming             Essid/Bssid/Phy                                 Profile                           Forward mode  Type   Host Name
    -------------  -----------------  ----  ----                     ----------  ----    --------  -------    -------             ---------------                                 -------                           ------------  ----   ---------
    129.85.53.238  00:24:d6:12:a0:2e  eric  remote-test-splittunnel  00:00:35    802.1x            eric-home  Associated(Remote)  remote-test-splittunnel/6c:f3:7f:63:69:92/a-HT  remote-test-splittunnel-aaa_prof  split tunnel  Win 7



  • 9.  RE: Split Tunnel

    EMPLOYEE
    Posted Nov 21, 2014 09:30 PM

    You need to type "show datapath user ap-name <name of ap> table" to see what ACLs your traffic is hitting.

     



  • 10.  RE: Split Tunnel

    Posted Nov 21, 2014 09:32 PM

    (arubahost1) #show datapath user ap-name eric-home table


    Datapath User Table Entries
    ---------------------------

    Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
    N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
    S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
    C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor
    FM(Forward Mode): S - Split, B - Bridge, N - N/A

    IP               MAC                ACLs     Contract   Location  Age  Sessions   Flags  Vlan  FM  IdleTMO
    ---------------  -----------------  -------  ---------  --------  ---  ---------  -----  ----  --  -------
    192.168.11.1     6C:F3:7F:CE:36:98  2700/0   0/0        0         482  0/65535    P      4095  N   300
    10.1.1.204       6C:F3:7F:CE:36:98  2700/0   0/0        0         0    1/65535    P      1     N   300
    10.1.1.209       20:02:AF:3A:60:D5  59/0     0/0        0         0    6/65535           1     B   300
    129.85.53.238    00:24:D6:12:A0:2E  71/0     0/0        0         0    22/65535          53    S   300
    10.9.4.6         00:1A:1E:01:50:80  2703/0   0/0        0         482  0/65535    P      0     N   300
    0.0.0.0          00:24:D6:12:A0:2E  71/0     0/0        0         0    0/65535    P      53    S   300
    0.0.0.0          20:02:AF:3A:60:D5  59/0     0/0        0         0    6/65535           1     B   300



  • 11.  RE: Split Tunnel

    Posted Nov 21, 2014 09:35 PM

    The IP is 129.85.53.238.  It is hitting ACL 71, which is mapped to the policy I showed before.



  • 12.  RE: Split Tunnel

    EMPLOYEE
    Posted Nov 21, 2014 09:36 PM

    The line with your client has port 53 (DNS) split tunneled, like it should be:

     

    129.85.53.238 00:24:D6:12:A0:2E 71/0 0/0 0 0 22/65535 53 S 300

     Pass some actual traffic and execute:

     

    show datapath user ap-name eric-home table 129.85.53.238

     What gets tunneled and what gets sent back is determined by your destination ru-lan.  What is that defined as?

     



  • 13.  RE: Split Tunnel

    Posted Nov 21, 2014 09:41 PM

    That 53 is the VLAN, not DNS.  And RU-LAN is defined as my whole corporate IP space.... 129.85.0.0/16.  So any traffic destined for the internet should go through my local router.  But it's not.  I ran that command but it doesn't take the IP address after table.



  • 14.  RE: Split Tunnel

    Posted Nov 21, 2014 09:48 PM

    Maybe this helps.

     

    (arubahost1) #show datapath session ap-name eric-home table 129.85.53.238


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    Q - Real-Time Quality analysis
    I - Deep inspect, U - Locally destined
    E - Media Deep Inspect, G - media signal

    RAP Flags: 1 - Class 1, 2 - Class 2, 3 - Class 3

    Source IP        Destination IP   Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination  TAge  Packets  Bytes  Flags
    --------------   --------------   ----  -----  -----  ----  ----  ---  ---  -----------  ----  -------  -----  -----
    108.160.163.97   129.85.53.238    6     80     54393  0     0     0    1    dev17        11c   0        0      F
    108.160.163.97   129.85.53.238    6     80     54395  0     0     0    1    dev17        57    0        0
    129.85.53.238    10.9.4.8         6     53917  22     0     0     0    0    dev17        380b  0        0      C
    129.85.53.238    74.125.22.188    6     53849  443    0     0     0    1    dev17        3e0b  0        0      C
    74.125.22.188    129.85.53.238    6     443    53849  0     0     0    1    dev17        3e0b  0        0
    74.125.226.85    129.85.53.238    6     443    53844  0     0     0    0    dev17        3e13  0        0
    129.85.53.238    192.96.201.129   6     53848  5938   0     0     0    0    dev17        3e0e  0        0      C
    129.85.53.238    108.160.163.97   6     54395  80     0     0     0    1    dev17        57    0        0      CI
    129.85.53.238    108.160.163.97   6     54393  80     0     0     0    1    dev17        11c   0        0      FCI
    192.96.201.129   129.85.53.238    6     5938   53848  0     0     0    0    dev17        3e0e  0        0
    129.85.53.238    74.125.226.73    6     54053  443    0     0     0    1    dev17        1df1  0        0      C
    129.85.53.238    74.125.226.69    6     54128  443    0     0     0    2    dev17        12a4  0        0      C
    129.85.53.238    173.194.123.34   6     54046  80     0     0     0    2    dev17        1e24  0        0      CI
    24.143.204.35    129.85.53.238    6     80     54371  0     0     0    2    dev17        31f   0        0
    129.85.53.238    74.125.226.85    6     53844  443    0     0     0    1    dev17        3e13  0        0      C
    74.125.226.69    129.85.53.238    6     443    54128  0     0     0    2    dev17        12a4  0        0
    64.233.171.189   129.85.53.238    6     443    54182  0     0     0    2    dev17        108b  0        0
    74.125.226.73    129.85.53.238    6     443    54053  0     0     0    1    dev17        1df1  0        0
    129.85.53.238    173.192.82.196   6     53877  80     0     0     0    1    dev17        3bbe  0        0      CI
    129.85.53.255    129.85.53.238    17    17500  17500  0     0     0    1    dev17        15    0        0      FY



  • 15.  RE: Split Tunnel
    Best Answer

    EMPLOYEE
    Posted Nov 21, 2014 10:02 PM

    There is no "S" flag, so it is not hitting the route source-nat ACL.

     

    Here is what we have in production:

     

    any     any            svc-dhcp  permit
    any     internal-nets  any       permit
    any     any            any       route src-nat
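A small check, added here as an example and not part of the thread or of ArubaOS, that applies the Best Answer's diagnosis to the session table: it parses `show datapath session` rows and lists client-originated (C) sessions to non-internal destinations that lack the S (src NAT) flag, i.e. internet traffic still being tunnelled to corporate. The ru-lan range 129.85.0.0/16 comes from the thread; the 10.0.0.0/8 corporate range and the 8.8.8.8 row are constructed assumptions.

```python
import ipaddress

# Networks that should stay inside the tunnel: 129.85.0.0/16 is the ru-lan alias from
# the thread; 10.0.0.0/8 is an assumed corporate range covering the 10.9.4.x hosts.
INTERNAL_NETS = ["129.85.0.0/16", "10.0.0.0/8"]

# Rows copied from the "show datapath session" output above, plus one constructed
# row (8.8.8.8, flags "SC") showing what a correctly src-NATed session looks like.
SAMPLE_TABLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
129.85.53.238 10.9.4.8 6 53917 22 0 0 0 0 dev17 380b 0 0 C
129.85.53.238 74.125.22.188 6 53849 443 0 0 0 1 dev17 3e0b 0 0 C
74.125.22.188 129.85.53.238 6 443 53849 0 0 0 1 dev17 3e0b 0 0
129.85.53.238 108.160.163.97 6 54395 80 0 0 0 1 dev17 57 0 0 CI
129.85.53.255 129.85.53.238 17 17500 17500 0 0 0 1 dev17 15 0 0 FY
129.85.53.238 8.8.8.8 17 50000 53 0 0 0 0 dev17 1 0 0 SC
"""


def parse_session_line(line):
    """Return one session row as a dict, or None for header, ruler and blank lines."""
    fields = line.split()
    if len(fields) < 13:
        return None
    try:
        dst = ipaddress.ip_address(fields[1])
    except ValueError:  # "Destination" / "--------": not an address
        return None
    # The Flags column is simply absent when no flag is set, so the row has 13 or 14 fields.
    flags = fields[13] if len(fields) > 13 else ""
    return {"src": fields[0], "dst": dst, "dport": int(fields[4]), "flags": flags}


def sessions_missing_src_nat(table_text, internal_nets):
    """Client-originated (C) sessions to non-internal destinations that lack the S flag."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    missing = []
    for line in table_text.splitlines():
        s = parse_session_line(line)
        if s is None or "C" not in s["flags"]:
            continue  # only the client's own sessions show which ACL entry it matched
        if any(s["dst"] in n for n in nets):
            continue  # internal destination: tunnelling it to corporate is correct
        if "S" not in s["flags"]:
            missing.append((str(s["dst"]), s["dport"], s["flags"]))
    return missing
```

Run it against the real output after applying the production ACL: an empty list means every internet-bound session now carries the S flag.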

     



  • 16.  RE: Split Tunnel

    Posted Nov 21, 2014 10:14 PM

    That did the trick.  Apparently, the suggestion I got was not good then.  It seems you can't use the "user" as the source or else it doesn't work right.  Thanks a bunch for helping me sort this out.

     

    Eric