Wireless Access

Occasional Contributor I

Re: Split tunnel Src NAT

Hi

I have the following problem.

I configured a RAP access point from the 335 series. The access point has a public address and successfully connected to my 7010 controller running version 8.2.

The controller is configured as an MD node and I have Aruba MM deployed in a virtual machine.

I have to create a split tunnel for the corporate SSID with RADIUS authentication in ClearPass, and this is working only in TUNNEL mode.

I created the RAP-SPLIT user role like this:

any any service dhcp permit

any any service dns permit

any alias (corp network X.X.255.255) permit

alias (corp network X.X.255.255) any permit

any any any route-source-nat

In the Aruba SSID virtual AP profile I configured split-tunnel forwarding mode.

Every RAP access point is connected to the controllers and has an IP from the pool of the Aruba MM controller; this DHCP pool is not routed to the corporate network.

When a wireless client connects to the Split-Tunnel SSID it is authenticated successfully and gets an IP address from the corporate DHCP server subnet BUT doesn't have internet.

Thank you for your help.

Guru Elite

Re: Split tunnel Src NAT

What is the actual mask in the network statement?

any alias (corp network X.X.255.255) permit

alias (corp network X.X.255.255) any permit

Anything ending with .255 designates a host, not a network. More likely it would be:

any alias (corp network X.X.255.0) permit

alias (corp network X.X.255.0) any permit

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Split tunnel Src NAT

Hi Colin, thank you for your reply.

My corporate network is in the 192.16.0.0 subnet.

In the alias I configured the following:

Alias Corp-Network

192.168.0.0

255.255.0.0

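As an added illustration that is not from the thread or from Aruba, here is a small Python model of the RAP-SPLIT role posted above together with the Corp-Network alias from this post. It assumes plain top-down first-match evaluation of the role's rules (a simplification) and uses a constructed client address; it flags an alias address with host bits set, as in the mask question, and shows which rule a corporate-bound and an internet-bound flow would reach.

```python
import ipaddress
from typing import Optional, Union

ANY = "any"
Field = Union[str, ipaddress.IPv4Network]


def host_bits_set(addr: str, mask: str) -> bool:
    """True when an alias entry's address has host bits set under its mask:
    192.168.255.255 with 255.255.0.0 names a host, not the 192.168.0.0/16 network."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return net.network_address != ipaddress.IPv4Address(addr)


def alias_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Model one 'network <addr> <mask>' entry of a netdestination alias."""
    if host_bits_set(addr, mask):
        raise ValueError(f"{addr} {mask}: host bits set; use the network address")
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def rap_split_role(corp: ipaddress.IPv4Network):
    """The RAP-SPLIT role as posted, as (src, dst, service, action) tuples."""
    return [
        (ANY, ANY, "dhcp", "permit"),
        (ANY, ANY, "dns", "permit"),
        (ANY, corp, ANY, "permit"),           # to corp: permit (tunnelled)
        (corp, ANY, ANY, "permit"),           # from corp: permit (tunnelled)
        (ANY, ANY, ANY, "route-source-nat"),  # everything else: local breakout
    ]


def _matches(field: Field, ip: str) -> bool:
    return field == ANY or ipaddress.IPv4Address(ip) in field


def first_match(rules, src: str, dst: str, service: str) -> Optional[str]:
    """Action of the first matching rule (assumed simple top-down evaluation);
    None models the implicit deny when nothing matches."""
    for r_src, r_dst, r_svc, action in rules:
        if _matches(r_src, src) and _matches(r_dst, dst) and r_svc in (ANY, service):
            return action
    return None


if __name__ == "__main__":
    corp = alias_network("192.168.0.0", "255.255.0.0")  # the posted Corp-Network alias
    rules = rap_split_role(corp)
    client = "192.168.50.10"  # constructed: an address from the corporate DHCP subnet
    print(first_match(rules, client, "192.168.1.20", "tcp"))  # permit (rule 3)
    # The client itself lies inside Corp-Network, so rule 4 also matches
    # internet-bound flows and the route-source-nat catch-all is never reached.
    print(first_match(rules, client, "8.8.8.8", "tcp"))  # permit (rule 4 shadows rule 5)
    print(first_match(rules[:3] + rules[4:], client, "8.8.8.8", "tcp"))  # route-source-nat
    print(host_bits_set("192.168.255.255", "255.255.0.0"))  # True
```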

Guru Elite

Re: Split tunnel Src NAT

To see what the AP is doing with that traffic for that user, I would type:

show datapath session ap-name <name of ap> table <ip address of client>

Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Split tunnel Src NAT

Ok.

I apply the following role for all users connected to the RAP split tunnel SSID, in the attached file.

I also must add the following:

When I connect to the RAP AP from the console I don't have ping to 8.8.8.8 while the RAP is connected to the controller.

If my RAP AP loses its connection to the controller it has full reachability to 8.8.8.8 or 8.8.4.4.

Occasional Contributor I

Re: Split tunnel Src NAT

Hi Colin

Why doesn't the RAP access point have access to the internet?

The access point is connected to the controller as a RAP access point and has a public IP address. I have a 7010 controller with a port connected to the internet with a public address. On that port an inbound access list is applied that permits only the NAT service, TFTP service and ICMP service; do I miss something else? The access point successfully connected to the controller and has a private address from the MM controller.

Guru Elite

Re: Split tunnel Src NAT

Does the RAP connect to the controller?  If yes, it does have internet access.  Which test is failing?

Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Split tunnel Src NAT

Yes, the RAP successfully connects to the controller:

213.16.36.151   213.16.36.150   17   64445 4500   0/0     0    48  0   0/0/4       20e  1224       452139     FC

213.16.36.150   213.16.36.151   17   4500  64445  0/0     1    0   14  0/0/4       20e  259        69227      F

I connect to the RAP with a console cable and try to ping 8.8.8.8:

        <<<<<       Welcome to the Access Point     >>>>>

~ # [   80.144047] __ieee80211_smart_ant_init: devname = wifi0,  interface_id = 0
[   80.226623] VAP device aruba001 created osifp: (c530a6c0) os_if: (dbff8000)
[   80.624797] 0x340, 0x0, 0x40 )
[   80.665854] __ieee80211_smart_ant_init: devname = wifi1,  interface_id = 1
[   80.748280] VAP device aruba101 created osifp: (c4160580) os_if: (c5288000)
[   81.541891] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[   84.466523] build_inb_sa keylen 20 auth dest c5292000 src c5bc38d9
[   84.541317] enc len 32 dest c5292340 src c5bc38b8
[   84.598016] memcpy done
[   98.695262] build_inb_sa keylen 20 auth dest c52929c0 src c52b21b9
[   98.769512] enc len 32 dest c5292d00 src c52b2198
[   98.826022] memcpy done
[   99.971595] asap_mod: asap_dpa.c:3683:dpaa_add_flow() dpaa_add_flow set allowclear flow for tunnel 2
[  100.083325] fsl_dpa_gre: setting Manip!
[  100.700310] asap_mod: asap_dpa.c:3775:dpaa_update_mtu() update flow mtu, 0->1200
[  100.790297] fsl_dpa_gre: setting Manip!
[  100.884759] ASAP_FIREWALL_REM_MCAST "500 0 1 1"
[  100.967055] wlan_mlme_app_ie_delete: appie is NULL. Do nothing.
[  102.076419] ASAP_FIREWALL_REM_MCAST "500 1 1 1"
[  102.163038] wlan_mlme_app_ie_delete: appie is NULL. Do nothing.
[  103.961534] asap_firewall_eth_type_trans: skb protocol/pkt_type 8100/0 expected 8100/2

~ #
~ #
~ #
~ #
~ #
~ #
~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

I start to think whether this problem is with the split tunnel SSID or not.

When I configure the SSID with tunnel forwarding mode I have no problem with end devices and users.

When I change the mode to split-tunnel, user authentication is OK and they get an address from corporate DHCP, but they don't have connection to the internet or corporate resources.

Occasional Contributor I

Re: Split tunnel Src NAT

In the Mobility Controller I see the RAP access point as a WIRED device connected to the internet port of the MD controller 7010, and this "wired client" has the default logon role for the controller.

Occasional Contributor I

Re: Split tunnel Src NAT

Hi Colin,

I successfully deployed RAP Split Tunnel on wireless and LAN. My mistake was in the role of the remote users....

I ask you one last question. We have a second controller 7010. I don't know whether it is best practice to deploy these two controllers in an L2-Classic controller cluster or not for RAPs. We also have a few CAP access points in our corporate network. I posted the current working deployment and the deployment with cluster.

Please advise.

Thank you.