Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

need help with split-tunnel

  • 1.  need help with split-tunnel

    Posted Jul 12, 2012 05:55 AM

    Hi Aruba,


    I'm wondering if someone could help me. I'm setting up split tunnel in a RAP. I've managed to get the SSID up, a user can connect to the SSID and I can see in the monitoring that the user is in split-tunnel. The user is getting an IP address in their range at the remote site (10.84.3.0/24), he has a default gateway as well (10.84.3.9). However they can't do anything: they can't get to the internet, they can't reach any IP at the HQ (10.27.0.0/24) and worse, they can't even ping their local default gateway (10.84.3.9). My firewall policy is as follows:


    any    any    svc-dhcp   permit
    any    any    svc-dns    permit
    any    any    svc-gre    permit
    user   HQ     any        permit
    user   any    any        route src-nat


    The alias HQ contains the network IP address of our HQ. I don't know if I'm missing something here. I've played with the firewall policy but no success. The connection between our HQ and the remote site is through a site-to-site VPN. I hope someone can help me.

    Thanks in advance.


    Richard.



  • 2.  RE: need help with split-tunnel

    Posted Jul 12, 2012 05:59 AM

    I forgot to mention that the split-tunnel client is getting the correct role, meaning the role to which the policy above is applied.




  • 3.  RE: need help with split-tunnel

    EMPLOYEE
    Posted Jul 12, 2012 06:09 AM

    In split-tunnel, the user must get the IP address of the headend, NOT the remote site.  Is your Virtual AP configured as split-tunnel?  If it was, a client would NOT get an IP address from the remote site.  In addition, the Virtual AP VLAN should be a VLAN that exists at the headend.




  • 4.  RE: need help with split-tunnel

    Posted Jul 12, 2012 12:28 PM

    When you say headend you mean my HQ, right? I configured the VLAN in the VAP as the VLAN that exists in the remote site, that's probably why they are getting that IP address. My forwarding mode is split-tunnel. I realized that what's happening is like a bridge. I will try changing the VLAN tomorrow and see how it goes. Thanks man.



  • 5.  RE: need help with split-tunnel

    Posted Jul 13, 2012 02:42 AM

    Hi cjoseph,


    I tried to change the VLAN in the VAP to a VLAN that is available in the HQ, but now the client can't get an IP address. I tried to change the Session ACL in the AP System Profile to allowall first to see if it changed something, but still the same issue. I am not sure what I am missing here. Please help. Thanks.



  • 6.  RE: need help with split-tunnel

    EMPLOYEE
    Posted Jul 13, 2012 05:01 AM

    @imus_rl wrote:

    Hi cjoseph,


    I tried to change the VLAN in the VAP to a VLAN that is available in the HQ, but now the client can't get an IP address. I tried to change the Session ACL in the AP System Profile to allowall first to see if it changed something, but still the same issue. I am not sure what I am missing here. Please help. Thanks.


    - That VLAN in the Virtual AP must be one that is on an access port on the controller

    - Do NOT touch the AP system profile

    - To test, first make the Virtual AP tunneled and the default 802.1x role something like "allow all" to make sure it is working.
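
As an added illustration (not part of the thread and not HPE Aruba Networking's own documentation), the configuration below pulls together what the replies in this thread describe: the HQ network alias and the session ACL from the first post, a user role carrying that ACL, and a Virtual AP whose VLAN exists at the headend and whose forwarding mode is split-tunnel. The 10.27.0.0/24 HQ network is taken from the thread; VLAN 100, the controller port, the profile, role and ACL names and the ESSID are placeholders I made up, and the command syntax follows ArubaOS 6.x as I remember it, so check it against the CLI reference for the controller version in use.

```text
! --- Added example configuration; names, VLAN 100 and the port are placeholders ---

! HQ alias: the headend network the poster wants reachable through the tunnel
! (10.27.0.0/24 is the HQ range named in the thread).
netdestination HQ
  network 10.27.0.0 255.255.255.0

! Session ACL for split-tunnel users. Rule order matters: DHCP and DNS are
! permitted first, traffic to HQ is permitted (it rides the tunnel to the
! controller), and everything else is route src-nat'ed out of the RAP's
! local uplink instead of being tunnelled.
ip access-list session split-tunnel-acl
  any  any        svc-dhcp  permit
  any  any        svc-dns   permit
  user alias HQ   any       permit
  user any        any       route src-nat

! Role assigned to authenticated split-tunnel users.
user-role split-tunnel-role
  access-list session split-tunnel-acl

! The Virtual AP VLAN must exist at the headend, on an access port on the
! controller, so clients get a headend address rather than a remote-site one.
! (VLAN 100 and port 1/1 are placeholders.)
vlan 100
interface gigabitethernet 1/1
  switchport access vlan 100

! AAA profile: 802.1X users land in the split-tunnel role.
! For the initial test suggested in reply 6, temporarily set this to an
! allow-all role and make the VAP "forward-mode tunnel" to confirm that
! authentication and the headend VLAN work before switching to split-tunnel.
aaa profile rap-aaa
  authentication-dot1x default
  dot1x-default-role split-tunnel-role

wlan ssid-profile rap-ssid
  essid "rap-split-tunnel"
  opmode wpa2-aes

! Virtual AP: headend VLAN plus split-tunnel forwarding. Using a remote-site
! VLAN here is what produced the bridge-like behaviour described in reply 4.
wlan virtual-ap rap-split-vap
  ssid-profile rap-ssid
  aaa-profile rap-aaa
  vlan 100
  forward-mode split-tunnel

! Attach the VAP to the RAP's AP group (group name is a placeholder).
ap-group rap-group
  virtual-ap rap-split-vap
```

The point of the two-stage test in reply 6 is to separate failures: with forward-mode tunnel and an allow-all role, a client that still gets no address points at the VLAN or controller port, whereas a client that works in tunnel mode but not in split-tunnel points at the session ACL or the role assignment.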