ALARMS ON AP 3702I

alejandromx1
Level 1

Hi!

I've installed some 3702i APs that join a 5508 WLC, and I see that almost all APs send this type of alarm:

*Aug  6 02:30:57.431: %DOT11-4-BA_FLUSH: Client:a4ba.76b0.d13d ba flush with 40244 200
*Aug  6 13:46:46.459: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:5 Channel:1 Source MAC:905f.2ed3.d436
*Aug  6 14:06:47.295: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:5 Channel:1
*Aug  7 19:45:44.851: %DOT11-4-BA_FLUSH: Client:c0f2.fb2f.d6bd ba flush with 40264 200
*Aug  7 21:26:22.639: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 700b.c04a.d1e9
*Aug  8 13:52:15.183: %DOT11-4-BA_FLUSH: Client:0ce7.2526.d678 ba flush with C0104 200
*Aug  9 01:12:21.787: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth b047.bf6c.18ed
*Aug  9 12:20:17.399: %DOT11-4-BA_FLUSH: Client:08d4.2b6b.db7c ba flush with 40164 200

Does anyone know what it means?

Accepted Solutions

yvesjvccnastudy
Level 1

We have a similar issue with our clients and have an ongoing high priority case with TAC.

We are running the latest 8.0.140 firmware...

On one access point I'm monitoring, the logs towards an Intel card have:

*Sep  1 08:12:15.039: %DOT11-4-CCMP_REPLAY: Client d07e.3562.56ce had 1 AES-CCMP TSC replays
*Sep  1 08:12:40.140: %DOT11-4-BA_FLUSH: Client:d07e.3562.56ce ba flush with 40240 200
*Sep  1 08:17:16.700: %DOT11-4-CCMP_REPLAY: Client 30b4.9e09.db7e had 1 AES-CCMP TSC replays


On another access point, the logs have:

*Sep  1 04:10:32.489: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth e88d.2896.af63
*Sep  1 04:32:40.343: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 84b1.536e.33f7

That's serious stuff, as one of the identified bugs is impacting the clients who are connected to the access points which show:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut26137/?reffering_site=dumpcr

Best to create a support case with TAC.

5 Replies

d.friday
Level 4

Hello,

I would start with upgrading your client's wireless drivers, to see if that helps.

David

alejandromx1
Level 1

Hi yvesjvccnastudy:

I think the next step will be with TAC support.

Thanks everyone for your help.

Hi,

Did you manage to get a fix for this? What did Cisco TAC suggest?

Thanks.
