Problem with GRE (cisco 887, wlan, bvi)

Discussion in 'Cisco' started by Mark Huizer, Nov 25, 2010.

  1. Mark Huizer

    Mark Huizer Guest

    I must be overlooking something really obvious, but I can't get VPNs
    working on machines connected to the wireless part of a Cisco 887 :-(
    Does anyone have a "You idiot, you did ${stupid}" or a troubleshooting
    hint for me?

    When I use a wired connection everything works fine. When I go wireless,
    GRE packets are coming out of my laptop, sent out to the Internet, reply
    packets arrive and I can see them as incoming traffic on the Gi0 of the
    wlan-ap. They just don't go out Dot11Radio0.1. See the counters of the
    access-lists I put on Gi0.1 (ACL 100) and Dot0.1 (ACL 101):

    ap#show ip access-lists 100
    Extended IP access list 100
    10 permit gre 192.168.173.0 0.0.0.255 any (40 matches)
    20 permit gre any 192.168.173.0 0.0.0.255 (40 matches)
    30 permit ip any any (45347 matches)
    ap#show ip access-lists 101
    Extended IP access list 101
    10 permit gre 192.168.173.0 0.0.0.255 any (10 matches)
    20 permit gre any 192.168.173.0 0.0.0.255
    30 permit ip any any (26955 matches)

    A few relevant configs, I hope: access-lists 100 and 101 are just for
    troubleshooting.

    dot11 ssid Spaider
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    mbssid guest-mode

    bridge irb

    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    ip access-group 101 in
    ip access-group 101 out
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled

    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    ip access-group 100 in
    ip access-group 100 out
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled

    interface BVI1
    ip address 192.168.173.2 255.255.255.0
    no ip route-cache

    access-list 100 permit gre 192.168.173.0 0.0.0.255 any
    access-list 100 permit gre any 192.168.173.0 0.0.0.255
    access-list 100 permit ip any any
    access-list 101 permit gre 192.168.173.0 0.0.0.255 any
    access-list 101 permit gre any 192.168.173.0 0.0.0.255
    access-list 101 permit ip any any
    bridge 1 protocol ieee
    bridge 1 route ip

    Greetings

    Mark
     
    Mark Huizer, Nov 25, 2010
    #1
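    As an added diagnostic that is not part of the thread: a small Python script that parses the `show ip access-lists` counters quoted above and reports which bridged interface never counts GRE packets addressed to the LAN. The ACL-to-interface mapping and the 192.168.173.0/24 subnet are taken from the posted config; the sample output is constructed from the post.

```python
import re
# Constructed sample input: the counter listings quoted in the post (ACL 100 is
# applied in and out on GigabitEthernet0.1, ACL 101 in and out on Dot11Radio0.1).
ACL_OUTPUT = """\
Extended IP access list 100
10 permit gre 192.168.173.0 0.0.0.255 any (40 matches)
20 permit gre any 192.168.173.0 0.0.0.255 (40 matches)
30 permit ip any any (45347 matches)
Extended IP access list 101
10 permit gre 192.168.173.0 0.0.0.255 any (10 matches)
20 permit gre any 192.168.173.0 0.0.0.255
30 permit ip any any (26955 matches)
"""
ACL_TO_INTERFACE = {"100": "GigabitEthernet0.1", "101": "Dot11Radio0.1"}
LAN = "192.168.173.0 0.0.0.255"  # the BVI1 subnet in ACL wildcard notation

def parse_access_lists(text):
    """Map ACL number -> list of (seq, proto, src, dst, matches); matches is 0 if absent."""
    acls, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Extended IP access list (\d+)", line)
        if head:
            current = acls.setdefault(head.group(1), [])
            continue
        parts = line.split()
        if current is None or len(parts) < 4 or not parts[0].isdigit():
            continue  # prompts and anything else that is not an ACE line
        width = 1 if parts[3] == "any" else 2  # 'any' is one token, 'net wildcard' two
        src, rest = " ".join(parts[3:3 + width]), parts[3 + width:]
        dst = rest[0] if rest[0] == "any" else " ".join(rest[:2])
        hit = re.search(r"\((\d+) matches\)", line)
        current.append((int(parts[0]), parts[2], src, dst, int(hit.group(1)) if hit else 0))
    return acls

def gre_counters(acls, acl_to_interface, lan):
    """Per interface: GRE matches sourced from the LAN and GRE matches addressed to it."""
    out = {}
    for acl, entries in acls.items():
        out[acl_to_interface[acl]] = {
            "from_lan": sum(m for _, p, s, _, m in entries if p == "gre" and s == lan),
            "to_lan": sum(m for _, p, _, d, m in entries if p == "gre" and d == lan),
        }
    return out

def gre_asymmetries(counters):
    """Interfaces that counted no GRE toward the LAN while another interface did."""
    if not any(c["to_lan"] for c in counters.values()):
        return []  # nothing arrived anywhere: look upstream, not at the bridge
    return sorted(i for i, c in counters.items() if c["to_lan"] == 0)
```

    Only the zero on the to-LAN side is conclusive here: the from-LAN counts on GigabitEthernet0.1 also include the wired clients, so a mismatch in that direction is expected.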

  2. bod43

    bod43 Guest

    Is your NAT OK?

    debug ip nat detailed
    I think it is, generates several entries for each packet
    showing the NAT process.

    If you are doing overload NAT, GRE may not behave
    in a way that you are used to since there are no
    TCP/UDP ports. If the Ethernet port traffic has created
    a NAT entry for the GRE traffic it may take a while to time out
    before a NAT for a different internal address can be used.

    Not quite sure what the
    weird (yes I know that cisco seem to 'recommend' them
    for wireless) bridge commands on the interface are doing.
    Why not try removing them?

    Might be worth a deb ip packet.

    You need to make sure you can see the debug output.

    Easiest is
    logging buffered 50000
    no log console

    then do the debug

    deb ip packet det (add ACL if you like to get rid of unwanted
    debug output)

    sh log to view
     
    bod43, Nov 25, 2010
    #2

  3. Mark Huizer

    Mark Huizer Guest

    The wise bod43 enlightened me with:
    I'd say so. If I do the same wired it works. If I try wireless and do a
    'show ip nat translations | incl gre', my sessions are there.
    Well, I check that there is no NAT entry before I try.
    Well, I tried playing with a few and lost my wifi access. I'm trying to
    look around at what they are doing, but they don't seem to be GRE related.
    Yeah, I looked at that as well, but somehow it only logs traffic to/from
    the wlan-ap address. This service-module stuff is making things way too
    complex :) I'd much rather have my normal monitor commands etc.

    But thanks for thinking with me!

    Mark
     
    Mark Huizer, Nov 25, 2010
    #3
