Wireless Access

Dear Folks,

Is it possible to send the user traffic on Layer3 from the AP to the controller? In this scenario I have a CAP (AP-318), FW (PA-220) and CTRL cluster (7005). I would like to inspect the tunnel between the AP and the controller on the Palo Alto 220 series firewall. I created a decrypt-tunnelled SSID on the Controller side, but I don't see any specific information on the PA from the AP. The GRE inspection rule doesn't match on any traffic. I created VLANs, and DHCP pools and inside NAT on controller side.
Any ideas?

I would take a packet capture between the controller and the AP and look at what GRE traffic is being sent back and forth.  It might not be what you want.  In my experience, any device used to "inspect" GRE traffic between APs and controllers ends up hurting client performance (tipping point).

I made it (attached). Wireshark don't recognise the traffic well, because it is a http get.

Before we get into the weeds, are you trying to inspect user traffic?  If yes, that should be done at the controller VLAN, instead of inspecting the GRE traffic.

It is a packet capture between the AP and controller. I have to inspect the traffic between them, because it is a customer requirement

Based on that screenshot it looks like you do not have decrypt tunnel enabled on that Virtual AP, because I see 802.11 frames in the GRE tunnel.  

What does the customer want to obtain from an inspection of the traffic between an AP and the controller?  

Yeah, I got an update from another side, so it is a Wireshark "bug", it doesn't know or decode correctly this packages. I used this filter on the capture: gre and !gre.proto == 0x9000 export this visible entries and the use the editcap to cut the GRE header:

editcap -C 38 xyz.pcap xyz_stripped.pcap

Open the xyz_stripped.pacp and I see the clear and unencrypted user traffic eg. TLS, DNS, ICMP, HTTP.