Cisco WLC 2504: Macbook client connectivity loss during re-key or re-auth for session timeout

Sam Brynes · ‎08-07-2019

I have a mid-2015 Macbook pro and a late 2013 Macbook both connecting to an AP managed by a Cisco 2504 WLC.

The WLAN uses EAP / 802.1x and has adaptive 802.11r, 802.11v, and 802.11k enabled, no CCKM. We are running 8.5.140 on the WLC.

I have noticed that these mac clients lose connectivity at an interval of the sesstion timeout where a re-key is done.

Both Macs are running OS X High Sierra, 10.13.6. Does anyone have any suggestions on how to trouble shoot this? I did a debug client <MAC ADDRESS> and didn't see anything different in the debugs when there was a connectivity drop, and when there was not one.

Rasika Nayanajith · ‎08-07-2019

Try disable session timeout & see if that problem go away.

HTH

Rasika

Sam Brynes · ‎08-10-2019

Looks like disabling the session timeout fixes it (I left 802.11k, v, and r enabled), but I'd rather continue troubleshooting since if there are issues with authentication / re-authentication, it could cause issues with roaming. Something still doesn't feel right.

I have attached a debug of the client when we had the session timeout disabled. The debug also as the "show wlan" settings. Let me know if you'd like me to capture more debugs. I'm more than happy to provide them for some help :)

Also, I have an Android phone, and it looks like the connectivity drop is happening there too.

Leo Laohoo · ‎08-07-2019

Disable k, r & v.

Sam Brynes · ‎08-10-2019

Hi Leo,

Thanks for your response. I disabled the session timeout as suggested by Rasika and it stops the connectivity drops even though I left 802.11r, 802.11k, and 802.11v enabled.

I then tried enabling session timeout and turned off 802.11r, k, and v. I still got the connectivity drops. I then compared the logs of the re-auth / EAP re-key immediately before a connectivity drop and the logs of a re-auth / EAP re-key that resulted in continued network connectivity. I ran a diff between them and didn't see anything different.

Are there any other logs that I can enable that might help me track down where this is breaking? I've worked probably close to 30 hours of debugging this without any luck. If you want to see the debugs yourself, I'm happy to run more debugs and attach them here.

Rasika Nayanajith · ‎08-10-2019

"I disabled the session timeout as suggested by Rasika and it stops the connectivity drops even though I left 802.11r, 802.11k, and 802.11v enabled".

Once disabling session out fix your issue, go with that.

HTH
Rasika

*** Pls rate all useful responses ***

Sam Brynes · ‎08-11-2019

Hi Rasika,

Just want to understand what you're saying - are you suggesting that since disabling the session-timeout fixes the problem, that I have worked around the issue and that there is no need to continue troubleshooting? I'd like to make use of the session-timeout to rotate the PTK to increase security, if possible.

Do you think that the root cause of the session-timeout could also cause issues with with 802.11r roaming because a session-timeout forces re-authorization in the same way that an 802.11r roam might force re-authorization?

Thanks,
Sam