I am setting up an SA4500 cluster running 7.0R6, which has a trunked interface on the inside. At the moment the trunked interface has two VLANs assigned:
There is one user realm, and this maps to a "Staff user" role. This role maps VLAN/Source IP to the STAFF Vlan above, however a tcpdump on the traffic shows that a user (who is mapped to the Staff role in the policy trace) does not end up using the STAFF VLAN for traffic source, but instead the native VLAN.
What have I missed?
Any help gratefully received.
I recall running into a similar issue a while back. I would check to make sure your vlan's are defined with the correct VLAN ID, IP and Mask in System, Network, VLAN. I would then double-check the VLAN assignment within the Role. Then test to make sure that VLAN can ping other resources on that subnet from the SA. If this test fails, you may have an issue with the trunk. Try Maintenance, Troubleshooting, Tools, Commands, Ping. Add an IP on that subnet and source it from VLAN 101. If this fails, please share your trunk config. I hope this helps.
Thanks for the feedback, but I believe I have already discounted this. I can confirm there is no issue with the trunk, and can ping to the VLAN interfaces on the SA from hosts on its inside, as well as ping the default gateway on the VLAN from the SAs, as per the attached.
I can also confirm that the Role mapping is working in two ways. First, the Troubleshooting logs confirm the assignment to the "Staff" role. Second, if I change the Role definition to assign traffic to a Virtual Port defined on the main inside interface, this works. In other words, client traffic gets sourced from the Virtual Port, not the main interface. However, when I change the role to use the VLAN interface, it reverts to the main untagged inside interface for sourcing client traffic. The two tcpdump captures demonstrate this - the main inside interface has IP addresses 10.240.6.250, .251 and .252, while the Virtual Port has .253.
Any other ideas, anyone?
When I open the tcpdump named "SA4500 capture on untagged inside interface with Staff role mapping to STAFF VLAN.cap" and use the filter tcp.port==80_ then I see packets with source IP 10.240.100.51 which according to the screenshot attached is the IP of your VLAN named STAFF. So it seems to be sourcing from the VLAN as configured in the role.
Or am I misreading the IP's used in your setup?
Thanks for the prompt reply.
You aer absolutely right, and I am mystified as to why this is now working. I had made numerous tests over the last few days, and every time the traffic was being sourced from the main internal interface. I created the trace that I posted for this topic in a hurry, and didn't actually check its contents before posting, and this is the first time I have seen traffic coming from the correct source address.
I now need to work out what I changed and why it is now working, when it wasn't previously!
Many thanks for your assistance.
just to confirm...you have enabled the option to enablethe role-based VLAN settings, right (many people miss this, sorry if you are not one of them and you have already confirmed this)?
Without the option being enabled at Users>User Roles>roleName>General>Overview,Options>VLAN/Source IP, the settings at Users>User Roles>roleName>General>VLAN/Source IP will just be changes that do nothing.
Thanks Zanyterp- that just caught me. Have to turn on the VLAN/Source IP, configuring doesn't turn it on... thats frustrating!