Gateway Client Testing
Connect a client to your Bridged or Tunneled WLAN. This ensures traffic egresses the Branch Gateway and can be redirected based on your PBR policy to the Secure Web Gateway tunnel. HPE Aruba Networking SSE Policy Rule Configuration is outside the scope of this document.
Connect your client and open a web browser. In the SSE rules policy, News and Media is allowed, while Gambling is blocked. Try to open www.cnn.com, which should load. Next, try to open www.bet365.com, which should be blocked.
Aruba Central
In our scenario, we have an HA cluster of Branch Gateways. First, check which cluster member is the User Designated Gateway (UDG) for the client. To find it, select the user and look at their data path. In the example shown, P6-HA-BGW1 is the user’s designated gateway.
Navigate to the user’s UDG and then go to WAN>Tunnels.
You can also verify that the traffic is correctly passing through the PBR policy. Navigate to your client and then go to Overview>Sessions>Branch Gateway.
Gateway CLI
Some advanced troubleshooting can be performed inside of Central under Tools. Navigate to Tools>Commands at the BGW device level, and run the following commands to verify traffic is flowing as expected on the gateway’s CLI.
· show crypto isakmp sa
· show crypto ipsec sa
· show ip nexthop-list
· show datapath session uplink
Inspect the output.
show crypto ipsec sa
show ip nexthop-list
show datapath session uplink
Even greater detail is available when you SSH directly to the Gateway’s CLI. Run the command show datapath session table and use your client’s IP address as a qualifier. The output shows whether the traffic is being redirected to your NextHop-List as desired.
VPNC Tunnel Verification and Testing
To view the status of the VPNC tunnels, navigate to the device and from the Context menu select WAN and then click on the Tunnels tab.
VPNC and Microbranch Tunnel Redirection Testing
To view the VPNC and Microbranch AP user sessions, first navigate to the Microbranch AP and select Clients. Click on your Microbranch client and then click on Sessions. Note whether the ‘R’ flag is present on the session. This flag indicates that the Microbranch AP is redirecting the session to the VPNC as desired.
Next, check the session from the VPNC. Navigate to the head end gateway and then go to Overview>Sessions. Here you can filter based on the client’s IP address and verify that the session is being redirected to the VPNC’s NextHop-List as desired. Note the ‘r’ flag indicating the redirect to the primary SSE tunnel.
SSE Management Portal
To view the branch gateway user sessions inside the SSE Management portal, log in and navigate to Insights>Exploration. Here you can see all recent sessions, and you can filter by session criteria and over a set time period.
Here is the view filtered by Status – Success.
And here the view is filtered by Status – Block.