Wireless Access

Occasional Contributor I

Re: Split tunnel Src NAT

Hi

I have the following problem:

I configured a RAP access point from the 335 series. The access point has a public address and successfully connected to my 7010 controller running version 8.2.

The controller is configured as an MD node, and I have Aruba MM deployed in a virtual machine.

I have to create a split tunnel for the corporate SSID with RADIUS authentication in CLEARPASS, and this is working only in TUNNEL mode.

I created a RAP-SPLIT user role like this:

any any service dhcp permit

any any service dns permit

any alias (corp network X.X.255.255) permit

alias (corp network X.X.255.255) any permit

any any any route-source-nat

In the Aruba SSID virtual AP profile I configured split-tunnel forwarding mode.

Every RAP access point is connected to the controllers and has an IP from the pool of the Aruba MM controller; this DHCP pool is not routed to the corporate network.

(attachment: split 1 .PNG)

When a wireless client is connected to the Split-Tunnel SSID, it is authenticated successfully and has an IP address from the corporate DHCP server subnet, BUT it doesn't have internet.

Thank you for your help.

Guru Elite

Re: Split tunnel Src NAT

What is the actual mask in the network statement?

any alias (corp network X.X.255.255) permit

alias (corp network X.X.255.255) any permit

Anything ending with .255 designates a host and not a network.  More likely it would be:

any alias (corp network X.X.255.0) permit

alias (corp network X.X.255.0) any permit


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor I

Re: Split tunnel Src NAT

Hi Colin, thank you for your reply.

My corporate network is in the 192.16.0.0 subnet.

In the alias I configured the following:

Alias Corp-Network

192.168.0.0

255.255.0.0

(attachment: split2.PNG)

Guru Elite

Re: Split tunnel Src NAT

To see what the AP is doing with that traffic on that user, I would type:

show datapath session ap-name <name of ap> table <ip address of client>

Occasional Contributor I

Re: Split tunnel Src NAT

Ok.

I applied the following role for all users connected to the RAP split tunnel SSID, in the attached file.

I also must add the following:

When I connect to the RAP AP from the console, I don't have a ping to 8.8.8.8 when the RAP is connected to the controller.

If my RAP AP loses connection to the controller, it has full reachability to 8.8.8.8 or 8.8.4.4. (attachment: split3.PNG)

Occasional Contributor I

Re: Split tunnel Src NAT

Hi Colin,

Why doesn't the RAP access point have access to the internet?

The access point is connected to the controller as a RAP access point and has a public IP address. I have a 7010 controller with a port connected to the internet with a public address. On the port an inbound access list is applied that permits only the NAT service, TFTP service and ICMP service; am I missing something else? The access point successfully connected to the controller and has a private address from the MM controller. (attachments: Capture4.PNG, Capture5.PNG)

Guru Elite

Re: Split tunnel Src NAT

Does the RAP connect to the controller?  If yes, it does have internet access.  Which test is failing?

Occasional Contributor I

Re: Split tunnel Src NAT

Yes, the RAP successfully connects to the controller:

213.16.36.151   213.16.36.150   17   64445 4500   0/0     0    48  0   0/0/4       20e  1224       452139     FC

213.16.36.150   213.16.36.151   17   4500  64445  0/0     1    0   14  0/0/4       20e  259        69227      F

I connect to the RAP with a console cable and try to ping 8.8.8.8:

 

 

        <<<<<       Welcome to the Access Point     >>>>>

~ # [   80.144047] __ieee80211_smart_ant_init: devname = wifi0,  interface_id = 0
[   80.226623] VAP device aruba001 created osifp: (c530a6c0) os_if: (dbff8000)
[   80.624797] 0x340, 0x0, 0x40 )
[   80.665854] __ieee80211_smart_ant_init: devname = wifi1,  interface_id = 1
[   80.748280] VAP device aruba101 created osifp: (c4160580) os_if: (c5288000)
[   81.541891] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[   84.466523] build_inb_sa keylen 20 auth dest c5292000 src c5bc38d9
[   84.541317] enc len 32 dest c5292340 src c5bc38b8
[   84.598016] memcpy done
[   98.695262] build_inb_sa keylen 20 auth dest c52929c0 src c52b21b9
[   98.769512] enc len 32 dest c5292d00 src c52b2198
[   98.826022] memcpy done
[   99.971595] asap_mod: asap_dpa.c:3683:dpaa_add_flow() dpaa_add_flow set allowclear flow for tunnel 2
[  100.083325] fsl_dpa_gre: setting Manip!
[  100.700310] asap_mod: asap_dpa.c:3775:dpaa_update_mtu() update flow mtu, 0->1200
[  100.790297] fsl_dpa_gre: setting Manip!
[  100.884759] ASAP_FIREWALL_REM_MCAST "500 0 1 1"
[  100.967055] wlan_mlme_app_ie_delete: appie is NULL. Do nothing.
[  102.076419] ASAP_FIREWALL_REM_MCAST "500 1 1 1"
[  102.163038] wlan_mlme_app_ie_delete: appie is NULL. Do nothing.
[  103.961534] asap_firewall_eth_type_trans: skb protocol/pkt_type 8100/0 expected 8100/2

~ #
~ #
~ #
~ #
~ #
~ #
~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

 

I am starting to think about whether this is a problem with the split tunnel SSID or not.

When I configure the SSID with tunnel forwarding mode, I have no problem with end devices and users.

When I change the mode to split-tunnel, user authentication is OK and they get an address from the corporate DHCP, but they don't have a connection to the internet or corporate resources.

 

Occasional Contributor I

Re: Split tunnel Src NAT

In the Mobility Controller I see the RAP access point as a WIRED device connected to the internet port of the MD controller 7010, and this "wired client" has the default logon role of the controller. (attachments: Capture6.PNG, Capture7.PNG)

Occasional Contributor I

Re: Split tunnel Src NAT

Hi Colin,

I successfully deployed RAP Split Tunnel on wireless and LAN. My mistake was in the role of the remote users....

I'd like to ask you one last question. We have a second 7010 controller. I don't know whether it is best practice to deploy these two controllers in an L2-Classic controller cluster or not for RAPs. We also have a few CAP access points in our corporate network. I posted the current working deployment and the deployment with cluster. (attachments: Without Cluster.jpg, With Cluster.jpg)

Please advise.

Thank you.
