topic Re: Max EAPOL-key M5 retransmissions exceeded for client in Wireless

Max EAPOL-key M5 retransmissions exceeded for client

Brendan Marmont — Sun, 04 Jul 2021 04:38:31 GMT

I have had several complaints from around the firm where by mobile devices are being bumped off the PSK secured network (All other SSID networks are operating A-OK).

Both Android and iPhone devices are being affected, the device will just loop until it reconnects, sometimes up to 20 minutes of trying to establish a connection. It will eventually connect so the key is not the issue.

I've attached a debug of a device which fails to connect and then shortly after is successful.

Controller 5508 v7.0.116.0

AP 3502i IOS 12.4(23c)JA2

Any ideas would be appreciated!

Brendan

Max EAPOL-key M5 retransmissions exceeded for client

Scott Fella — Thu, 23 Feb 2012 12:44:33 GMT

Can you post your show wlan . If you noticed that these devices are being affected everywhere, then it might be something in your wireless configuration.

Max EAPOL-key M5 retransmissions exceeded for client

Brendan Marmont — Thu, 23 Feb 2012 20:11:37 GMT

As I am the only one making configuration changes I am a tad miffed as why it's all gone to custard last week with no MACs being made...

WLAN Identifier.................................. 3
Profile Name..................................... K_P
Network Name (SSID).............................. K_P
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 49
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ pda
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Bronze (background)
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 10.150.4.200 1812
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Enabled

Mobility Anchor List

Max EAPOL-key M5 retransmissions exceeded for client

daviwatk — Thu, 23 Feb 2012 20:47:36 GMT

Make sure Fast SSID Change is enabled on your WLC (in the GUI at CONTROLLER > General)

If you are finding this is mostly smartphone devices (Droid, iOS, Blackberry) and they are being de-authenticated due to not acking the M5 broadcast key rotation; then the client was "most likely" sleeping. Generally this is not a problem as when the device awakens it will simply re-association/authenticate with little realized impact to the end user.

I've seen the FastSSID Change help smartphone devices overcome moving between WLANs or even conncting at all.

Re: Max EAPOL-key M5 retransmissions exceeded for client

daviwatk — Thu, 23 Feb 2012 20:50:54 GMT

Just actually looked at your debug and I show only a single deauthentication message which was due to non-response for an M1 key from AP to client, not an M5 broadcast key rotation. I would suspect a client/supplicant issue in this case (well M1 or M5 really) but anyhow. Are all these devices up to date? It sounded like it's not "all" of the smartphone uses. Here is the example in the debug you provided. Looks like this happens when the client roamed to another AP

*apfMsConnTask_6: Feb 23 14:13:00.451: 3c:d0:f8:a1:98:29 Reassociation received from mobile on AP b8:62:1f:b4:07:80

*dot1xMsgTask: Feb 23 14:13:01.933: 3c:d0:f8:a1:98:29 Starting key exchange to mobile 3c:d0:f8:a1:98:29, data packets will be dropped

*dot1xMsgTask: Feb 23 14:13:01.933: 3c:d0:f8:a1:98:29 Sending EAPOL-Key Message to mobile 3c:d0:f8:a1:98:29 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00

*osapiBsnTimer: Feb 23 14:13:02.995: 3c:d0:f8:a1:98:29 802.1x 'timeoutEvt' Timer expired for station 3c:d0:f8:a1:98:29 and for message = M2

*dot1xMsgTask: Feb 23 14:13:02.995: 3c:d0:f8:a1:98:29 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 3c:d0:f8:a1:98:29

*osapiBsnTimer: Feb 23 14:13:03.994: 3c:d0:f8:a1:98:29 802.1x 'timeoutEvt' Timer expired for station 3c:d0:f8:a1:98:29 and for message = M2

*dot1xMsgTask: Feb 23 14:13:03.994: 3c:d0:f8:a1:98:29 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 3c:d0:f8:a1:98:29

*osapiBsnTimer: Feb 23 14:13:04.994: 3c:d0:f8:a1:98:29 802.1x 'timeoutEvt' Timer expired for station 3c:d0:f8:a1:98:29 and for message = M2

*dot1xMsgTask: Feb 23 14:13:04.994: 3c:d0:f8:a1:98:29 Retransmit failure for EAPOL-Key M1 to mobile 3c:d0:f8:a1:98:29, retransmit count 3, mscb deauth count 0

*dot1xMsgTask: Feb 23 14:13:04.996: 3c:d0:f8:a1:98:29 Sent Deauthenticate to mobile on BSSID b8:62:1f:b4:07:80 slot 0(caller 1x_ptsm.c:534)

It looks like the client re-associates within about 5 seconds and hits the RUN state properly. Does this issue seem situated in a particular area, ie particular APs; or is it happening anywhere this WLAN is serviced?