Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

CAP ----» GRE INSPECT ------» CTRL ???

  • 1.  CAP ----» GRE INSPECT ------» CTRL ???

    Posted Apr 14, 2020 04:09 AM

    Dear Folks,

    Is it possible to send the user traffic on Layer 3 from the AP to the controller? In this scenario I have a CAP (AP-318), FW (PA-220) and CTRL cluster (7005). I would like to inspect the tunnel between the AP and the controller on the Palo Alto 220 series firewall. I created a decrypt-tunnelled SSID on the controller side, but I don't see any specific information on the PA from the AP. The GRE inspection rule doesn't match any traffic. I created VLANs, DHCP pools and inside NAT on the controller side.
    Any ideas?




  • 2.  RE: CAP ----» GRE INSPECT ------» CTRL ???

    Posted Apr 15, 2020 08:03 AM

    I would take a packet capture between the controller and the AP and look at what GRE traffic is being sent back and forth.  It might not be what you want.  In my experience, any device used to "inspect" GRE traffic between APs and controllers ends up hurting client performance (tipping point).



  • 3.  RE: CAP ----» GRE INSPECT ------» CTRL ???

    Posted Apr 15, 2020 08:29 AM

    I made it (attached). Wireshark doesn't recognise the traffic well, because it is an HTTP GET.



  • 4.  RE: CAP ----» GRE INSPECT ------» CTRL ???

    Posted Apr 15, 2020 08:50 AM

    Before we get into the weeds, are you trying to inspect user traffic?  If yes, that should be done at the controller VLAN, instead of inspecting the GRE traffic.



  • 5.  RE: CAP ----» GRE INSPECT ------» CTRL ???

    Posted Apr 15, 2020 08:55 AM

    It is a packet capture between the AP and controller. I have to inspect the traffic between them, because it is a customer requirement.



  • 6.  RE: CAP ----» GRE INSPECT ------» CTRL ???

    Posted Apr 15, 2020 08:59 AM

    Based on that screenshot, it looks like you do not have decrypt tunnel enabled on that Virtual AP, because I see 802.11 frames in the GRE tunnel.

    What does the customer want to obtain from an inspection of the traffic between an AP and the controller?



  • 7.  RE: CAP ----» GRE INSPECT ------» CTRL ???
    Best Answer

    Posted Apr 15, 2020 10:42 AM

    Yeah, I got an update from another side, so it is a Wireshark "bug": it doesn't know or correctly decode these packets. I used this filter on the capture:

    gre and !gre.proto == 0x9000

    Export these visible entries and then use editcap to cut the GRE header:

    editcap -C 38 xyz.pcap xyz_stripped.pcap

    Open xyz_stripped.pcap and I see the clear and unencrypted user traffic, e.g. TLS, DNS, ICMP, HTTP.
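
The header-stripping step from the last post, as an added example that is not part of the original thread: it skips GRE protocol 0x9000 like the posted filter, but measures the outer headers per packet instead of chopping a fixed 38 bytes, so IPv4 options, a VLAN tag or GRE key/sequence fields do not leave header bytes in front of the payload. It assumes IPv4 over Ethernet and classic pcap input; `strip_gre` and `strip_pcap` are names chosen here, and the demo frame is constructed.

```python
import struct

SKIP_PROTO = 0x9000  # GRE protocol type excluded by the capture filter in the post

def strip_gre(frame):
    """Return the bytes behind Ethernet + IPv4 + GRE headers, or None to drop the frame."""
    if len(frame) < 14:
        return None
    off, etype = 14, struct.unpack("!H", frame[12:14])[0]
    if etype == 0x8100 and len(frame) >= 18:           # single 802.1Q tag
        off, etype = 18, struct.unpack("!H", frame[16:18])[0]
    if etype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4                       # real IPv4 header length
    frag = struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 47 or frag:
        return None                                     # not IPv4/GRE, or a later fragment
    off += ihl
    if len(frame) < off + 4:
        return None
    flags, proto = struct.unpack("!HH", frame[off:off + 4])
    if proto == SKIP_PROTO or flags & 0x4000:           # skipped type, or RFC 1701 routing
        return None
    off += 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)  # checksum, key, seq
    return frame[off:] if len(frame) > off else None

def strip_pcap(data):
    """Classic little-endian pcap bytes in; (stripped pcap bytes, kept record count) out."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected classic little-endian pcap (not pcapng)")
    out, pos, kept = [data[:24]], 24, 0                 # global header kept unchanged
    while pos + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack("<IIII", data[pos:pos + 16])
        inner = strip_gre(data[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
        if inner is not None:
            cut = caplen - len(inner)
            out.append(struct.pack("<IIII", sec, usec, len(inner), origlen - cut) + inner)
            kept += 1
    return b"".join(out), kept

if __name__ == "__main__":
    # Constructed frame: Ethernet + IPv4 with 4 option bytes (IHL 6) + GRE + 8-byte payload
    ip = bytes([0x46, 0, 0, 36, 0, 0, 0, 0, 64, 47, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2, 1, 1, 1, 1])
    frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", 0, 0x6558) + b"PAYLOAD!"
    print(strip_gre(frame))  # a fixed 38-byte chop would leave 4 header bytes in front
```

The output keeps the input's link type, as the editcap command does, so the inner bytes are dissected as whatever that link type says.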