Problem with GRE (cisco 887, wlan, bvi)

I must be overlooking something really obvious, but I can't get VPNs working on machines connected to the wireless part of a Cisco 887 :-( Does anyone have a "You idiot, you did ${stupid}" or a troubleshooting hint for me?

When I use a wired connection everything works fine. When I go wireless, GRE packets are coming out of my laptop, sent out to the Internet, reply packets arrive and I can see them as incoming traffic on the Gi0 of the wlan-ap. They just don't go out Dot11Radio0.1. See the counters of the access-lists I put on Gi0.1 (ACL 100) and Dot0.1 (ACL 101):

ap#show ip access-lists 100
Extended IP access list 100
    10 permit gre 192.168.173.0 0.0.0.255 any (40 matches)
    20 permit gre any 192.168.173.0 0.0.0.255 (40 matches)
    30 permit ip any any (45347 matches)
ap#show ip access-lists 101
Extended IP access list 101
    10 permit gre 192.168.173.0 0.0.0.255 any (10 matches)
    20 permit gre any 192.168.173.0 0.0.0.255
    30 permit ip any any (26955 matches)

A few relevant configs, I hope. Access-lists 100 and 101 are just for troubleshooting.

dot11 ssid Spaider
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode

bridge irb

interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip access-group 101 in
 ip access-group 101 out
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 ip access-group 100 in
 ip access-group 100 out
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

interface BVI1
 ip address 192.168.173.2 255.255.255.0
 no ip route-cache

access-list 100 permit gre 192.168.173.0 0.0.0.255 any
access-list 100 permit gre any 192.168.173.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre 192.168.173.0 0.0.0.255 any
access-list 101 permit gre any 192.168.173.0 0.0.0.255
access-list 101 permit ip any any
bridge 1 protocol ieee
bridge 1 route ip

Greetings

Mark
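The counter comparison Mark is doing by eye above, as an added example that is not part of the original thread: a small Python script that parses "show ip access-lists" output (the two listings from the post, embedded as constructed sample text) and reports the entries that have matches on the Gi0.1 ACL but none on the Dot11Radio0.1 ACL, which is where the GRE replies are being lost.

```python
import re
from collections import OrderedDict

# Constructed sample: the two listings from the post, one ACE per line,
# as the AP prints them.
SHOW_OUTPUT = """\
Extended IP access list 100
    10 permit gre 192.168.173.0 0.0.0.255 any (40 matches)
    20 permit gre any 192.168.173.0 0.0.0.255 (40 matches)
    30 permit ip any any (45347 matches)
Extended IP access list 101
    10 permit gre 192.168.173.0 0.0.0.255 any (10 matches)
    20 permit gre any 192.168.173.0 0.0.0.255
    30 permit ip any any (26955 matches)
"""

ACL_RE = re.compile(r"^\s*Extended IP access list (\d+)")
# seq, action, protocol, remainder of the rule, optional "(N matches)"
ACE_RE = re.compile(r"^\s*(\d+) (permit|deny) (\S+) (.*?)(?: \((\d+) matches\))?$")

def parse_acl_counters(text):
    """Return {acl_number: {seq: (rule_text, matches)}}.
    An ACE printed without "(N matches)" has never matched, so it counts as 0."""
    acls, current = OrderedDict(), None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), OrderedDict())
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            seq, action, proto, rest, hits = m.groups()
            current[int(seq)] = (f"{action} {proto} {rest}", int(hits or 0))
    return acls

def compare_path(acls, ingress_acl, egress_acl):
    """Compare hit counts ACE by ACE between the ACL on the interface where
    traffic enters the bridge and the ACL on the interface it should leave by.
    Rules that matched on ingress but never on egress mark the traffic that
    the bridge is dropping."""
    lost = []
    for seq, (rule, in_hits) in acls[ingress_acl].items():
        _, out_hits = acls[egress_acl].get(seq, (rule, 0))
        if in_hits > 0 and out_hits == 0:
            lost.append((seq, rule, in_hits))
    return lost

if __name__ == "__main__":
    for seq, rule, hits in compare_path(parse_acl_counters(SHOW_OUTPUT), "100", "101"):
        print(f"ACE {seq} '{rule}': {hits} matches on ACL 100, none on ACL 101")
```

Run against the listings from the post it reports only sequence 20 (GRE towards 192.168.173.0/24), i.e. the replies reach Gi0.1 but never leave the radio.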


Is your NAT OK?

'debug ip nat detailed', I think it is, generates several entries for each packet showing the NAT process.

If you are doing overload NAT, GRE may not behave in a way that you are used to, since there are no TCP/UDP ports. If the Ethernet port traffic has created a NAT entry for the GRE traffic, it may take a while to time out before a NAT entry for a different internal address can be used.

Not quite sure what the weird bridge commands on the interface are doing (yes, I know that Cisco seem to 'recommend' them for wireless). Why not try removing them?

Might be worth a 'deb ip packet'.

You need to make sure you can see the debug output.

Easiest is:

logging buffered 50000
no log console

then do the debug:

deb ip packet det

(add an ACL if you like, to get rid of unwanted debug output)

sh log

to view.

bod43

I'd say so. If I do the same wired it works. If I try wireless and do a 'show ip nat translations | incl gre', my sessions are there.

Well, I check that there is no NAT entry before I try.

Well, I tried playing with a few and lost my wifi access. I'm trying to look around at what they are doing, but they don't seem to be GRE related.

Yeah, I looked at that as well, but somehow it only logs traffic to/from the wlan-ap address. This service-module stuff is making things way too complex :-) I'd much rather have my normal monitor commands etc.

But thanks for thinking with me!

Mark
