Some VPNs will not pass traffic over a bridged at controller VNS but will pass traffic over a bridged at AP VNS

  • Question
  • Updated 2 years ago
  • Answered
We have a C4110 on release 10.11.03.0004 with 210 APs, a mix of 3935s, 3825s, and 3710s. We have clients that cannot use their Cisco VPN software on our main VNS that is bridged at the controller. The tunnel is established but they cannot pass traffic over it. When switched over to a VNS that is bridged at the AP, the VPN will pass traffic. Both VNSs have "access control" set to allow and allow all (allow 0.0.0.0/0 dest and src) in the policy rules. This problem is only with some VPN software. We use Pulse Secure and it works fine through the bridged at controller VNS. Is there something in the way the packets are handled when bridged at controller that would cause this? Would enabling Jumbo Frames help?

Chris Taylor


Posted 2 years ago


Ronald Dvorak, Embassador

Hi Chris,

I've just tried it with my V2110, also running 10.11.03.0004, and an AP3825 with Cisco AnyConnect Secure Mobility Client version 4.3.01095, and don't have any issues.

You'd remove the allow all "Policy Rule" - you don't need it if the "Access Control" is set to allow.

Just to be sure... do the bridge@EWC and bridge@AP VNS bridge into the same VLAN/LAN?

If you go into > VNS > WLAN Services > "bridge@EWC VNS" > Default Topology, is the correct bridge@EWC topology selected?

Does the Clients by VNS report show the correct role/default action/PVID for the bridge@EWC SSID ?

-Ron
Chris Taylor
Hello Ron, the bridge@EWC and bridge@AP VNS do not bridge into the same VLAN. I have several bridge@EWC VNS that go to different VLANs with different routers and several bridge@AP VNS that go to different VLANs with different routers. We have experienced the problem on all the bridge@EWC VNSs and it goes away once we move them to one of the bridge@AP VNS. We are a convention centre and we use the bridge@EWC networks for our clients that come in to the building on a short term basis because they are easier to move around. I prefer not to use bridge@AP VNS for this purpose but we do have some in place for staff. The VNS report does show the correct role/default action/PVID. Is there an MTU size issue when using bridge@EWC?
Ronald Dvorak, Embassador
I don't think that there is an issue with the MTU on the controller.

To make sure that it's related to the controller I'd connect the client wired to the VLAN that is used for the bridge@EWC VNS and run the test - just to prove that the problem is not on the VLAN/LAN.