07-Mar-24

Gateway Client Testing

Connect a client to your Bridged or Tunneled WLAN. This ensures traffic egresses the Branch Gateway and can be redirected based on your PBR policy to the Secure Web Gateway tunnel. HPE Aruba Networking SSE Policy Rule Configuration is outside the scope of this document.


Connect your client and open a web browser. In the SSE rules policy, News and Media is allowed, while Gambling is to be blocked. Try to open a link to Next, try to open a webpage to


Aruba Central

In our scenario, we have an HA cluster of Branch Gateways. First, check which cluster member is the User Designated Gateway (UDG) for the client. To find it, select the user and look at their data path. In the example shown, you can see that P6-HA-BGW1 is the user’s designated gateway.


Navigate to the user’s UDG and then go to WAN>Tunnels.


You can also verify that the traffic is correctly passing through the PBR policy. Navigate to your client and then Overview>Sessions>Branch Gateway.


Gateway CLI

Some advanced troubleshooting can be performed inside of Central under Tools. Navigate to Tools>Commands at the BGW device level, and run the following commands to verify traffic is flowing as expected on the gateway’s CLI.

· show crypto isakmp sa

· show crypto ipsec sa

· show ip nexthop-list

· show datapath session uplink

Inspect the output.


show crypto ipsec sa


show ip nexthop-list


show datapath session uplink


Even greater detail is available when you SSH directly to the Gateway’s CLI. Run the command show datapath session table and use your client’s IP address as a qualifier. The output shows that the traffic is being redirected to your NextHop-List as desired.


VPNC Tunnel Verification and Testing

To view the status of the VPNC tunnels, navigate to the device and from the Context menu select WAN and then click on the Tunnels tab.

VPNC and Microbranch Tunnel Redirection Testing

To view the VPNC and Microbranch AP user sessions, first navigate to the Microbranch AP and select Clients. Click on your Microbranch client and then click on Sessions. Note whether the ‘R’ flag is present on the session. This indicates that the Microbranch AP is redirecting the session to the VPNC as desired.

Next, check the session from the VPNC. Navigate to the head end gateway and then go to Overview>Sessions. Here you can filter based on the client’s IP address and verify that the session is being redirected to the VPNC’s NextHop-List as desired. Note the ‘r’ flag indicating the redirect to the primary SSE tunnel.

SSE Management Portal

To view the branch gateway user sessions inside the SSE Management portal, log in and navigate to Insights>Exploration. Here you can see all recent sessions, and you can also filter for certain session criteria and over a set time period.

Here is the view filtered by Status – Success.


And here the view is filtered by Status – Block.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.