Wireless Access

Valued Contributor I


Just hit an interesting issue on using VIA. Anybody else seen this?


A user connects as normal...


    IP               MAC            Name      Role               Age(d:h:m)  Auth     VPN link        AP name        Roaming   Essid/Bssid/Phy                    Profile                 Forward mode  Type     Host Name
----------      ------------       ------     ----               ----------  ----     --------        -------        -------   ---------------                    -------                 ------------  ----     ---------        00:00:00:00:00:00  jcornford  default-via-role   00:00:24    VIA-VPN  N/A                                                                                 tunnel        Windows  00:00:00:00:00:00             logon              00:00:24                             N/A                                                                                 tunnel


User Entries: 4/4


Here's some info about the role...


user-role default-via-role
 via "demo-via"
 access-list session src-nat-private-dest-to-inside
 access-list session src-nat-to-outside
 access-list session v6-allowall
 access-list session allowall


ip access-list session src-nat-private-dest-to-inside
  user   alias private-nets any  src-nat pool aruba-vlan-1920-ip


ip access-list session src-nat-to-outside
  user any any  src-nat pool aruba-vlan-82-ip


The VLAN 82 ip pool is public. The VLAN 1920 ip is private obviously.


I initiate a connection to a public IP, destination port 34032. I have sensible reasons for this, and it used to work on I'm sure. The session doesn't connect (and note that yes, this session normally connects from anywhere else).


So here's the weird thing. Bearing in mind I have a deny and log rule at the end of my logon role, when this session doesn't connect, I get this in the log...


Feb  6 09:33:15  authmgr[2269]: <124006> <WARN> |authmgr|  {546} TCP srcip= srcport=49297 dstip=X.X.X.X(PUBLIC) dstport=34032, action=deny, role=logon, policy=deny-and-log


And this in the table...        X.X.X.X(PUBLIC)  6    49297 34032  0/0     0 0   0   tunnel 9    2    0         0          FSDYC


What's really weird about this, is that the log suggests it's matching the "logon" role, rather than the "default-via-role". Especially as the source IP is matching a user table entry which is in the "default-via-role" role!?!?


Am I missing something here?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite


Question:  Did it ever work?

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Valued Contributor I


Yeah, like I say, I'm pretty sure it worked on I'm tempted to boot back into it to prove. Still in the other partition.


Kudos appreciated, but I'm not hunting! (ACMX 104)
Search Airheads
Showing results for 
Search instead for 
Did you mean: