Contributor II

CAP ----» GRE INSPECT ------» CTRL ???

Dear Folks,

 

Is it possible to send the user traffic on Layer 3 from the AP to the controller? In this scenario I have a CAP (AP-318), FW (PA-220) and CTRL cluster (7005). I would like to inspect the tunnel between the AP and the controller on the Palo Alto 220 series firewall. I created a decrypt-tunnelled SSID on the controller side, but I don't see any specific information on the PA from the AP. The GRE inspection rule doesn't match on any traffic. I created VLANs, DHCP pools and inside NAT on the controller side.
Any ideas?


Thanks,
Balazs


All Replies
Guru Elite

Re: CAP ----» GRE INSPECT ------» CTRL ???

I would take a packet capture between the controller and the AP and look at what GRE traffic is being sent back and forth.  It might not be what you want.  In my experience, any device used to "inspect" GRE traffic between APs and controllers ends up hurting client performance (tipping point).


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor II

Re: CAP ----» GRE INSPECT ------» CTRL ???

I made it (attached). Wireshark doesn't recognise the traffic well, because it is an HTTP GET.

Thanks,
Balazs
Guru Elite

Re: CAP ----» GRE INSPECT ------» CTRL ???

Before we get into the weeds, are you trying to inspect user traffic?  If yes, that should be done at the controller VLAN, instead of inspecting the GRE traffic.


Contributor II

Re: CAP ----» GRE INSPECT ------» CTRL ???

It is a packet capture between the AP and controller. I have to inspect the traffic between them, because it is a customer requirement.

Thanks,
Balazs
Guru Elite

Re: CAP ----» GRE INSPECT ------» CTRL ???

Based on that screenshot it looks like you do not have decrypt tunnel enabled on that Virtual AP, because I see 802.11 frames in the GRE tunnel.  

 

What does the customer want to obtain from an inspection of the traffic between an AP and the controller?  


Contributor II

Re: CAP ----» GRE INSPECT ------» CTRL ???

Yeah, I got an update from another side, so it is a Wireshark "bug": it doesn't know or correctly decode these packets. I used this filter on the capture: gre and !gre.proto == 0x9000, exported the visible entries, and then used editcap to cut the GRE header:

 

editcap -C 38 xyz.pcap xyz_stripped.pcap

 

Opening xyz_stripped.pcap, I see the clear and unencrypted user traffic, e.g. TLS, DNS, ICMP, HTTP.

 

Thanks,
Balazs
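
Added example (not part of the original posts, and not Aruba or Wireshark code): the same stripping step as the editcap command above, but computing the cut per packet from the IPv4 header length and the GRE flag bits instead of a fixed 38 bytes, and skipping GRE protocol 0x9000 as the filter does. The names strip_gre and strip_pcap, the sample bytes and the GRE protocol value 0x6558 in the sample are constructed for illustration; it assumes untagged Ethernet/IPv4 outer headers and a classic microsecond pcap file.

```python
import struct

EXCLUDED_PROTO = 0x9000  # GRE protocol value the poster's display filter drops

def strip_gre(frame: bytes):
    """Return (gre_proto, inner_bytes) for an Ethernet/IPv4/GRE frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                  # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    if ihl < 20 or frame[23] != 47:                  # IP protocol 47 = GRE
        return None
    off = 14 + ihl
    if len(frame) < off + 4:
        return None
    flags, proto = struct.unpack_from("!HH", frame, off)
    # Base GRE header is 4 bytes; checksum, key and sequence add 4 bytes each.
    off += 4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000))
    if proto == EXCLUDED_PROTO or len(frame) <= off:
        return None
    return proto, frame[off:]

def strip_pcap(data: bytes) -> bytes:
    """Rewrite a classic (microsecond) pcap so each record holds only the GRE payload."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    out, pos = [data[:24]], 24                       # keep the global header as is
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(end + "IIII", data, pos)
        frame = data[pos + 16 : pos + 16 + incl]
        pos += 16 + incl
        hit = strip_gre(frame)
        if hit is None:
            continue                                 # non-GRE or excluded protocol
        inner = hit[1]
        cut = len(frame) - len(inner)
        out.append(struct.pack(end + "IIII", sec, usec, len(inner), max(orig - cut, len(inner))))
        out.append(inner)
    return b"".join(out)

# Constructed sample: one record, Ethernet(14) + IPv4(20) + GRE(4) around a 20-byte inner frame.
INNER = bytes(12) + b"\x08\x00" + b"hello!"
OUTER = bytes(12) + b"\x08\x00" + b"\x45" + bytes(8) + b"\x2f" + bytes(10) + b"\x00\x00\x65\x58" + INNER
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 0, 0, len(OUTER), len(OUTER)) + OUTER)

if __name__ == "__main__":
    proto, inner = strip_gre(OUTER)
    print(hex(proto), len(OUTER) - len(inner), len(strip_pcap(SAMPLE_PCAP)))
```

The output keeps the capture's original link type, so, like the editcap result, it only decodes cleanly when the tunnelled payload is a frame of that type.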
