I suggest removing the ACL and then testing the connectivity. Basically, add one thing at a time.
If my post was useful, accept the solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jan 16, 2026 03:36 AM
From: AudriusBi
Subject: Aruba microbranch
Also, on my VPNCs I apply a Routed ACL, which routes all traffic to my central site firewall.

VPNCs are connected with G0/0 directly to the internet and with G0/1 to the firewall, to which I am PBRing all traffic from Microbranches.
Maybe I need to apply a Session ACL to the Overlay?
Also, I see that my G0/0 has a session ACL, but if I understand correctly it is applied only to traffic which tries to directly access my VPNC interface G0/0;
it is not applied to overlay traffic.

Original Message:
Sent: Jan 16, 2026 02:25 AM
From: AudriusBi
Subject: Aruba microbranch
I can ping my switch IP from remote locations or from the GW cluster. I think it is not routing, but something with the ACL.
I am applying these role rules to my switch IP and to all clients which connect to this switch.

My PBR is configured to forward local subnets locally, and to PBR all other traffic to the IPsec tunnel over Microbranch to the VPNC cluster.

Original Message:
Sent: Jan 15, 2026 11:46 PM
From: ariyap
Subject: Aruba microbranch
Yes, as Carson said, that's the key: both ends must have a valid route to get to the destination IP network. Perhaps you want to share the details of the routes/subnets.
------------------------------
Original Message:
Sent: Jan 15, 2026 03:57 PM
From: chulcher
Subject: Aruba microbranch
And does the network behind the VPNC (your management network) have a route pointing back at the Microbranch network through the VPNC?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 15, 2026 06:08 AM
From: AudriusBi
Subject: Aruba microbranch
Yes, the VPNC receives OAP Bc routes from the microbranch AP. The AP sees routes from the VPNCs.
The switch is connected over the AP eth2 port, and the switch IP gets a role which allows all traffic and does PBR.
In the PBR policies list there is policy 1, which says "forward" traffic, and policy 2, which says "forward to next-hop-list", which is my VPNC cluster.
Original Message:
Sent: Jan 14, 2026 05:28 PM
From: ariyap
Subject: Aruba microbranch
It generally comes down to the routes. What are the routes that are advertised to the VPNC?
------------------------------
Original Message:
Sent: Jan 14, 2026 09:12 AM
From: AudriusBi
Subject: Aruba microbranch
Hi, has anyone had an issue with the Aruba microbranch full tunnel configuration?
I cannot reach the switch mgmt IP over SSH, which is behind the Aruba microbranch, but I am able to reach the switch from the microbranch AP itself.
Microbranch is set up in full tunnel mode, where all traffic from the remote site is tunneled to the VPNC cluster.
Remote site physical connection is ISP router - eth0 (AP) eth2 - Aruba switch port 48.
Central site physical connection is ISP router - 9004 VPNC GWs cluster.
Between the switch and the AP I have configured a trunk with the untrusted port option, in order to apply a specific role to all switch clients and the switch itself.
For the AP eth2 port I apply a role which allows all traffic and does PBR over the AP next-hop list, which is my central site VPNC GWs.
Funny thing: I can SSH from the switch IP to, let's say, the VPNC GWs' IPs.
-------------------------------------------