I'm working with an SA-2500 with an internal port address 192.168.52.5/24. The customer is interested in sharing the device between multiple environments so I was looking at the VLAN options.
The VLAN interfaces work as expected; after the VLAN and VLAN interface have been added to the device I can ping and https:// from that particular environment with no problem.
The issue comes in when I try to add an auth server in one of those VLANs. I found the following forum describing a similar issue (https://forums.pulsesecure.net/topic/pulse-connect-secure/21090-sa-vlan-configuration/highlight/true...), but after looking at pcaps from both IVE and the DC I'm seeing the packets are received at the auth server (172.16.5.100/24), but instead of having the source IP of the VLAN interface they have that 192.168.52.5 address.
I opened a JTAC case, but they are telling me that without an 'IVS' license this is expected behavior and I have to be able to route to the internal interface of the IVE in order to use an authentication server in another VLAN.
The tech actually shared his desktop to show me the demo unit with the license applied. It looks like this is what is needed, but is this actually correct? It also seems like the license is only an option on the larger chassis.
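A check for the symptom described above, added here as an example that is not from this thread, from JTAC or from Pulse Secure: it parses tcpdump-style summary lines taken on the auth server side and flags requests that do not arrive from the subnet the auth server is expected to see (the VLAN interface's subnet), which is exactly the case where the IVE sources the request from its internal interface instead. The 192.168.52.5 and 172.16.5.100 addresses are the ones in the post; the 172.16.5.20 host, the sample lines, the line format and the function names are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample, NOT captured from the thread's devices: tcpdump-like summary
# lines as they might be taken on the auth server. 192.168.52.5 is the IVE
# internal interface and 172.16.5.100 the auth server from the post; 172.16.5.20
# is an invented host standing in for a correctly sourced VLAN-side request.
SAMPLE_CAPTURE = """\
10:01:02.100 IP 192.168.52.5.51234 > 172.16.5.100.389: ldap bindRequest
10:01:02.110 IP 172.16.5.100.389 > 192.168.52.5.51234: ldap bindResponse
10:01:05.300 IP 172.16.5.20.51240 > 172.16.5.100.389: ldap bindRequest
10:01:05.310 IP 172.16.5.100.389 > 172.16.5.20.51240: ldap bindResponse
"""

# Assumed line shape: "<time> IP <src>.<sport> > <dst>.<dport>: <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Turn summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def check_auth_source(records, auth_server: str, auth_port: int, expected_net: str):
    """Return requests to auth_server:auth_port whose source address lies outside
    expected_net (the VLAN interface subnet the auth server should see).
    A hit means the appliance sourced the request from another interface, so the
    auth server's network needs a route, and any ACL a permit, back to that source."""
    net = ipaddress.ip_network(expected_net, strict=False)
    unexpected = []
    for r in records:
        if r["dst"] != auth_server or int(r["dport"]) != auth_port:
            continue  # replies and unrelated traffic are not of interest
        if ipaddress.ip_address(r["src"]) not in net:
            unexpected.append({"src": r["src"], "sport": r["sport"], "info": r["info"]})
    return unexpected


def return_routes_needed(unexpected) -> List[str]:
    """Distinct source addresses the auth server side must be able to reach."""
    return sorted({u["src"] for u in unexpected}, key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    hits = check_auth_source(recs, "172.16.5.100", 389, "172.16.5.0/24")
    for h in hits:
        print(f"request from {h['src']}:{h['sport']} is outside 172.16.5.0/24 ({h['info']})")
    print("return path required to:", return_routes_needed(hits))
```

On the sample input only the request from 192.168.52.5 is reported, and `return_routes_needed` lists that address as the one the auth server's VLAN must be able to reach, which is the routing requirement JTAC described. Run it against a real capture by replacing `SAMPLE_CAPTURE` with the summary output of your own tool, or swap the parser to read tshark output if the line shape differs.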
zanyterp: that's what I figured. I'm guessing that the post referenced didn't have ACLs or something between the two networks, so the routing solution worked. Can't change the packet with this chassis, so that definitely explains it.
stine: I was thinking along those lines. I'll probably just propose a plan with a utility-type subnet that doesn't contain anything other than the IVE internal interface and would be routable to the different auth servers. They have a pretty substantial (simple AND under-utilized) layer 3 setup.
Thanks for the input guys!