08-09-2016 10:05 AM - edited 07-05-2021 05:35 AM
Hi!:
I´ve installed some 3702i AP, that joins to 5508 WLC and I see taht almost all APs sent this type of alarms:
*Aug 6 02:30:57.431: %DOT11-4-BA_FLUSH: Client:a4ba.76b0.d13d ba flush with 40244 200
*Aug 6 13:46:46.459: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:5 Channel:1 Source MAC:905f.2ed3.d436
*Aug 6 14:06:47.295: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:5 Channel:1
*Aug 7 19:45:44.851: %DOT11-4-BA_FLUSH: Client:c0f2.fb2f.d6bd ba flush with 40264 200
*Aug 7 21:26:22.639: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 700b.c04a.d1e9
*Aug 8 13:52:15.183: %DOT11-4-BA_FLUSH: Client:0ce7.2526.d678 ba flush with C0104 200
*Aug 9 01:12:21.787: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth b047.bf6c.18ed
*Aug 9 12:20:17.399: %DOT11-4-BA_FLUSH: Client:08d4.2b6b.db7c ba flush with 40164 200
some one knows wthat it means?
Solved! Go to Solution.
09-01-2016 05:05 PM
We have a similar issue with our clients and have an ongoing high priority case with TAC.
We are running the latest 8.0.140 firmware...
On one access point I'm monitoring, the logs towards an intel card has:
*Sep 1 08:12:15.039: %DOT11-4-CCMP_REPLAY: Client d07e.3562.56ce had 1 AES-CCMP TSC replays
*Sep 1 08:12:40.140: %DOT11-4-BA_FLUSH: Client:d07e.3562.56ce ba flush with 40240 200
*Sep 1 08:17:16.700: %DOT11-4-CCMP_REPLAY: Client 30b4.9e09.db7e had 1 AES-CCMP TSC replays
On another access point, the logs have:
*Sep 1 04:10:32.489: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth e88d.2896.af63
*Sep 1 04:32:40.343: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 84b1.536e.33f7
That's serious stuff as one of the identified bugs is impacting the clients who are connected to the access points which shows:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut26137/?reffering_site=dumpcr
Best to create a support case with TAC.
08-09-2016 12:29 PM
Hello,
I would start with upgrading your client's wireless drivers, to see if that helps
David
08-16-2016 06:30 PM
09-01-2016 05:05 PM
We have a similar issue with our clients and have an ongoing high priority case with TAC.
We are running the latest 8.0.140 firmware...
On one access point I'm monitoring, the logs towards an intel card has:
*Sep 1 08:12:15.039: %DOT11-4-CCMP_REPLAY: Client d07e.3562.56ce had 1 AES-CCMP TSC replays
*Sep 1 08:12:40.140: %DOT11-4-BA_FLUSH: Client:d07e.3562.56ce ba flush with 40240 200
*Sep 1 08:17:16.700: %DOT11-4-CCMP_REPLAY: Client 30b4.9e09.db7e had 1 AES-CCMP TSC replays
On another access point, the logs have:
*Sep 1 04:10:32.489: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth e88d.2896.af63
*Sep 1 04:32:40.343: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 84b1.536e.33f7
That's serious stuff as one of the identified bugs is impacting the clients who are connected to the access points which shows:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut26137/?reffering_site=dumpcr
Best to create a support case with TAC.
09-05-2016 07:44 AM
10-26-2016 06:49 AM
Hi,
Did you manage to get a fix for this? What did Cisco TAC suggest?
Thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide