So basically Wireshark is decoding what is beyond the GRE header as 802.11 frames. You'll need a dissector that interprets it as Ethernet instead.
Original Message:
Sent: Dec 10, 2020 05:42 PM
From: Christopher Johnson
Subject: Packet-Capture on AP Uplink with "Decrypt-Tunnel"
Thanks jgoff,
Oddly, it does show the GRE headers correctly, but the payload inside the tunnel appears to be "misinterpreted" as strictly Association and Reassociation requests with nonsensical source, destination, and transmitter addresses. I can even see some of the original "data" inside of it, like when my cape sensor is reaching out to the gateway, or random "youtube.com" URLs showing up in an "SSID" - strange!
------------------------------
Christopher Johnson
Original Message:
Sent: Dec 09, 2020 11:28 PM
From: Jeffrey Goff
Subject: Packet-Capture on AP Uplink with "Decrypt-Tunnel"
Decrypt tun traffic should be GRE from the perspective of the span port; Wireshark should show it without any problems - maybe a capture filter issue or a problem with the capturing device (maybe it cannot capture VLAN-tagged traffic, for example?)
Original Message:
Sent: Dec 08, 2020 02:18 PM
From: Christopher Johnson
Subject: Packet-Capture on AP Uplink with "Decrypt-Tunnel"
Attempting to do a packet capture via span port on an Aruba AP's uplink, and I suspect that Wireshark doesn't have the right dissector available for "Decrypt-Tunnel" traffic. Is there one available, or other means of properly viewing the captured traffic?
We're troubleshooting a recently discovered issue on our APs (tunneled mode) operating over an ASA VPN IPsec tunnel - 8.5.0.9 and 8.3.0.7 - download speeds are poor (500 Kbps to 3 Mbps), but upload speeds appear to be normal (60 Mbps). Fragmentation was the first thing we checked, as we hit the problem 6 years ago during initial deployment. We have our APs set at MTU 1200, which is about 200 below what is necessary while troubleshooting.
What we did learn was that Open SSID (Guest Traffic) is unaffected by the degradation of throughput - which is naturally unencrypted over the tunnel, which gave me the idea to test "Decrypt Tunnel" on our 802.1X network, which did make the problem go away. So I suspect the VPN/firewall is possibly classifying the traffic in a degrading way - hence why I wanted to get a view of the traffic via Decrypt-Tunnel mode.
------------------------------
Chris
------------------------------
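The point made in the first reply (treat the bytes after the GRE header as Ethernet rather than 802.11), as an added Python example that is not part of the thread and not Aruba or Wireshark code. It assumes the tunneled payload is a plain Ethernet II frame starting directly after the GRE header; the function names are hypothetical, and the sample frame, addresses and GRE protocol type are constructed.

```python
import struct

def gre_header_len(gre: bytes) -> tuple[int, int]:
    """Return (protocol_type, header_length) for an RFC 2784/2890 GRE header."""
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    length = 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence: 4 bytes each
        if flags & bit:
            length += 4
    return proto, length

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def inner_ethernet(frame: bytes) -> dict:
    """Walk outer Ethernet/VLAN/IPv4/GRE, then decode the payload as Ethernet II."""
    off, ethertype = 14, struct.unpack("!H", frame[12:14])[0]
    while ethertype in (0x8100, 0x88A8):  # skip VLAN tags seen on the span port
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if ethertype != 0x0800:
        raise ValueError("outer packet is not IPv4")
    if frame[off + 9] != 47:
        raise ValueError("outer IP protocol is not GRE (47)")
    off += (frame[off] & 0x0F) * 4        # outer IPv4 header length (IHL)
    proto, glen = gre_header_len(frame[off:])
    inner = frame[off + glen:]
    if len(inner) < 14:
        raise ValueError("payload too short for an Ethernet header")
    return {"gre_proto": proto, "dst": mac(inner[0:6]), "src": mac(inner[6:12]),
            "ethertype": struct.unpack("!H", inner[12:14])[0]}

def build_sample() -> bytes:
    """Constructed frame: VLAN 10 / IPv4 / GRE with key / inner Ethernet II + IPv4 stub."""
    inner = bytes.fromhex("02000000000a" "02000000000b" "0800") + b"\x45" + bytes(19)
    gre = struct.pack("!HHI", 0x2000, 0x6558, 1)  # constructed; real captures may differ
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0,
                     64, 47, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    outer = bytes.fromhex("020000000001" "020000000002" "8100" "000a" "0800")
    return outer + ip + gre + inner

if __name__ == "__main__":
    print(inner_ethernet(build_sample()))
```

If the decoded inner addresses and EtherType look sane on a real capture, the payload is Ethernet and the 802.11 decode in Wireshark is the wrong dissector choice rather than a capture fault.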