Posted

One of our customers is running Always On VPN and pretty happy with it, but one peculiar issue remains. As the machine tunnel IP pool addresses are configured to the vServer level and the user-tunnel IP pools in AAA groups, normally users have been configured with a proper group membership and everything works as expected. However, if the client is configured for the machine-tunnel, but the user is not a member of the AAA groups, they naturally get the machine-tunnel IP for their session also. This is fine, but if the user is later assigned with a group (defined in AAA Groups), they keep getting the machine-pool IP.

Apparently there is no way to release that specific IP and fix the situation other than restart the whole NetScaler HA pair (completely shut down the environment).

We tried to address the issue by creating an AAA group for the users that assigns the machine-pool for the users that we haven't assigned the IP pool AAA group yet. Likely this group would've been "Domain Users" to avoid additional configuration.

We tried using AAA Group weights to determine which IP Pool should be assigned for the user-tunnel. According to CTX289931 the higher priority should take precedence, so for example if we would configure the following:

AAA_Users, weight 100, user-pool
AAA_Unassigned, weight 1000, machine pool

I'd assume that the following should happen:

User is only a member of AAA_Unassigned -> machine pool IP for user session
User is only a member of AAA_Users -> user-pool IP
User is a member of both AAA_Unassigned and AAA_Users -> user should get user-pool IP (due to group weight settings)

Unfortunately, this doesn't seem to be the case and the user always gets the machine pool IP if their account is a member of AAA_Unassigned, regardless of the AAA group (AAA_Users) assigning the user pool. We even switched this the other way around and still had the same issue.

In this test case the NetScaler is running 13.1-53.24 and the SAC is 24.6.1.18 (Windows).

Posted

Interesting. Just a side note (which could be a possible solution for your issue / design) - I've never wanted to use the machine tunnel IP pool assigned to the gw vserver, so I’m creating a local AAA Group called AAA_local_device_tunnel and binding a separate intranet IP range. The AAA group is bound to the Machine Tunnel EPA Scan with the -default EPAGroup command. So you can filter, for example, different machine tunnel ranges based on EPA Scan / GW vServer / nFactor.

Posted
1 hour ago, Julian Jakob said:

Interesting. Just a side note (which could be a possible solution for your issue / design) - I've never wanted to use the machine tunnel IP pool assigned to the gw vserver, so I’m creating a local AAA Group called AAA_local_device_tunnel and binding a separate intranet IP range. The AAA group is bound to the Machine Tunnel EPA Scan with the -default EPAGroup command. So you can filter, for example, different machine tunnel ranges based on EPA Scan / GW vServer / nFactor.

Oh... We'll give that approach a whirl. There are definitely challenges with assigning IIPs to non-VPN sessions (i.e. behaviour with clientless portal + StoreFront integration, the traffic appears from the IIP rather than SNIP).

Is there a reason you've not bound the IP Pools to GW vServer? Is there anything about your approach in the docs?
