Wireless Access

Occasional Contributor II

need help with split-tunnel

Hi Aruba,

I'm wondering if someone could help me. I'm setting up split tunnel in a RAP. I've managed to bring the SSID up, a user can connect to the SSID and I can see in the monitoring that the user is in split-tunnel. The user is getting an IP address in their range at the remote site (10.84.3.0/24), and he has a default gateway as well (10.84.3.9). However, they can't do anything: they can't get to the internet, they can't reach any IP at the HQ (10.27.0.0/24) and, worse, they can't even ping their local default gateway (10.84.3.9). My firewall policy is as follows:

    any    any    svc-dhcp    permit
    any    any    svc-dns     permit
    any    any    svc-gre     permit
    user   HQ     any         permit
    user   any    any         route src-nat

The alias HQ contains the network IP address of our HQ. I don't know if I'm missing something here. I've played with the firewall policy but no success. The connection between our HQ and remote site is through Site-to-Site VPN. I hope someone can help me.

Thanks in advance.

Richard.
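
A policy like the one in the post above is evaluated top-down with the first match winning; in split-tunnel forwarding, `permit` sends the flow through the tunnel to the controller and `route src-nat` forwards it locally with source NAT at the RAP. The sketch below is an added example, not part of the original post and not Aruba's code. The service definitions, the implicit deny at the end, and the client address used in the sample flows are assumptions constructed for illustration.

```python
import ipaddress

HQ = ipaddress.ip_network("10.27.0.0/24")  # alias HQ, subnet as given in the post

# Assumed service definitions (protocol, ports); not taken from the post.
SERVICES = {
    "svc-dhcp": ("udp", range(67, 69)),
    "svc-dns": ("udp", range(53, 54)),
    "svc-gre": ("gre", None),
    "any": (None, None),
}

# The policy from the post, in order: (source, destination, service, action).
POLICY = [
    ("any", "any", "svc-dhcp", "permit"),
    ("any", "any", "svc-dns", "permit"),
    ("any", "any", "svc-gre", "permit"),
    ("user", "HQ", "any", "permit"),
    ("user", "any", "any", "route src-nat"),
]

def addr_match(spec, addr, client):
    """'any' matches everything, 'user' the client's own IP, 'HQ' the alias."""
    if spec == "any":
        return True
    if spec == "user":
        return addr == client
    return addr in HQ

def svc_match(name, proto, port):
    want_proto, ports = SERVICES[name]
    if want_proto is None:
        return True
    return proto == want_proto and (ports is None or port in ports)

def evaluate(client, src, dst, proto, port=None):
    """Return (rule number, action, forwarding path) for the first matching rule."""
    c, s, d = (ipaddress.ip_address(x) for x in (client, src, dst))
    for n, (rs, rd, svc, action) in enumerate(POLICY, 1):
        if addr_match(rs, s, c) and addr_match(rd, d, c) and svc_match(svc, proto, port):
            path = "tunnel to controller" if action == "permit" else "local, source-NAT at RAP"
            return n, action, path
    return None, "deny", "dropped"  # assumed implicit deny at the end of the ACL

CLIENT = "192.0.2.25"  # constructed client address, not from the post
```

With this ordering, DNS to any resolver goes through the tunnel (rule 2), while a ping to 10.84.3.9 falls through to rule 5 and is handled locally.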

Occasional Contributor II

Re: need help with split-tunnel

I forgot to mention that the split-tunnel client is getting the correct role, meaning the role to which the policy above is applied.

Guru Elite

Re: need help with split-tunnel

In split-tunnel, the user must get the IP address of the headend, NOT the remote site. Is your Virtual AP configured as split-tunnel? If it was, a client would NOT get an IP address from the remote site. In addition, the Virtual AP VLAN should be a VLAN that exists at the headend.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: need help with split-tunnel

When you say headend you mean my HQ, right? I configured the VLAN in the VAP as the VLAN that exists in the remote site, that's probably why they are getting that IP address. My forwarding mode is split-tunnel. I realized that what's happening is like a bridge. I will try changing the VLAN tomorrow and see how it goes. Thanks man.

Occasional Contributor II

Re: need help with split-tunnel

Hi cjoseph,

I tried to change the VLAN in the VAP to a VLAN that is available in the HQ, but now the client can't get an IP address. I tried to change the Session ACL in the AP System Profile to allowall first to see if it changes something, but still the same issue. I am not sure what I am missing here. Please help. Thanks.

Guru Elite

Re: need help with split-tunnel


imus_rl wrote:

Hi cjoseph,

I tried to change the VLAN in the VAP to a VLAN that is available in the HQ, but now the client can't get an IP address. I tried to change the Session ACL in the AP System Profile to allowall first to see if it changes something, but still the same issue. I am not sure what I am missing here. Please help. Thanks.


- That VLAN in the Virtual AP must be one that is on an access port on the controller

- Do NOT touch the AP system profile

- To test, first make the Virtual AP tunneled and the default 802.1x role something like "allow all" to make sure it is working.

 

