
%DOT1X-3-MAX_EAPOL_KEY_RETRANS messages

Rosa Ladeira
Level 1

I have been seeing lots of this message in the WLC log.

All of them refer to mobile phones.

*dot1xMsgTask: Mar 25 16:57:27.787: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 8c:00:6d:5c:4e:35

Is a specific configuration necessary for mobile phones?

 

25 Replies

Yes, in all controllers' logs I can find these messages a lot of times.

I searched whether this could be due to a SW bug, but I did not find anything.

 

I would suggest extending the rotation interval to reduce the number of key exchanges:

config advanced eap bcast-key-interval 86400 (no impact to associated clients)

 

Is there any impact on the client?

Hi,

As per output: EAP-Broadcast Key Interval....................... 3600

In some cases, you might want to configure the idle timeout with a large number, for example 7200 seconds (which is 2 hours). You might think your client will remain in the client table without sending out packets for 2 hours. That is NOT necessarily the case. If the EAP-Broadcast Key Interval (by default 3600 seconds) kicks in, your client might be removed from the WLC.

When the EAP-Broadcast Key Interval kicks in, the WLC will ask ALL clients to update their Broadcast Key. If your client happens to be out of the coverage area, it will of course not update its Broadcast Key.

 

To change the EAP-Broadcast Key Interval you will need to run the following command:

(Cisco Controller)> config advanced eap bcast-key-interval seconds 43200

Then clear the log messages from the WLC with this command:

(Cisco Controller)>clear msg

Then confirm with yes.

 

Then, if these messages come back, check the time period between these errors.

Regards

Don't forget to rate helpful posts
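To follow the advice above about checking the time period between these errors, here is an added example (my own code, not from this thread or from Cisco) that parses %DOT1X-x-MAX_EAPOL_KEY_RETRANS lines in both formats that appear in this thread (the controller's own message log and forwarded syslog), groups them per client MAC, counts M1 versus M5 failures and measures the gap between successive failures for the same client. Failures that recur roughly every bcast-key-interval seconds (3600 by default) point at clients that miss the broadcast key rotation, for example because they are out of coverage at that moment, while a burst of failures seconds apart is a client that never answers M1 at all. The sample lines, MAC addresses and the year used for timestamp parsing are constructed, and the rekey_aligned heuristic is mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not from a real controller): message-log style lines as in
# the original post, followed by forwarded-syslog style lines as seen later in the thread.
SAMPLE_LOG = """\
*dot1xMsgTask: Mar 25 16:57:27.787: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:11:22:33:44:55
*dot1xMsgTask: Mar 25 17:57:28.102: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M5 retransmissions exceeded for client 00:11:22:33:44:55
*dot1xMsgTask: Mar 25 18:57:27.990: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M5 retransmissions exceeded for client 00:11:22:33:44:55
Mar 26 13:19:31 10.0.0.1 local0 wlc: *Dot1x_NW_MsgTask_0: Mar 26 13:19:31.123: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client 66:77:88:99:aa:bb
Mar 26 13:19:41 10.0.0.1 local0 wlc: *Dot1x_NW_MsgTask_0: Mar 26 13:19:41.004: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client 66:77:88:99:aa:bb
Mar 26 13:19:51 10.0.0.1 local0 wlc: *Dot1x_NW_MsgTask_0: Mar 26 13:19:51.300: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client 66:77:88:99:aa:bb
Mar 26 13:19:51 10.0.0.1 local0 wlc: *Dot1x_NW_MsgTask_0: Mar 26 13:19:51.300: %APF-6-MOBILE_EXCLUDED: apf_ms.c:7124 Excluded the mobile 66:77:88:99:aa:bb Reason: "802.1X Failure"
"""

# Anchors on the controller's own timestamp (the one directly before %DOT1X-...), so the
# same pattern works whether or not a syslog relay prefixed its own date and host.
RETRANS_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+: "
    r"%DOT1X-\d-MAX_EAPOL_KEY_RETRANS: \S+ Max EAPOL-key (?P<msg>M\d) "
    r"retransmissions exceeded for client (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_retrans_events(log_text, year=2020):
    """Returns one {'ts', 'msg', 'mac'} dict per MAX_EAPOL_KEY_RETRANS line.
    WLC timestamps carry no year; 'year' is an assumed value used only so that
    differences between timestamps can be computed (a leap year avoids Feb 29 errors)."""
    events = []
    for line in log_text.splitlines():
        m = RETRANS_RE.search(line)
        if not m:
            continue  # NMSP, APF exclusion and other messages are not handshake failures
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "msg": m["msg"].upper(), "mac": m["mac"].lower()})
    return events


def summarize(events, rekey_interval=3600, tolerance=60):
    """Per client: M1/M5 counts, seconds between successive failures, and a heuristic flag
    (mine, not a Cisco indicator) that is True when every gap sits within 'tolerance'
    seconds of the broadcast key rotation interval, i.e. the client fails at each rekey."""
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev["mac"]].append(ev)
    report = {}
    for mac, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(evs, evs[1:])]
        counts = Counter(e["msg"] for e in evs)
        aligned = bool(gaps) and all(abs(g - rekey_interval) <= tolerance for g in gaps)
        report[mac] = {
            "M1": counts.get("M1", 0),
            "M5": counts.get("M5", 0),
            "gaps": gaps,
            "rekey_aligned": aligned,
        }
    return report


if __name__ == "__main__":
    for mac, info in summarize(parse_retrans_events(SAMPLE_LOG)).items():
        verdict = "fails at each broadcast-key rotation" if info["rekey_aligned"] else "repeated handshake failure"
        print(f"{mac}: M1={info['M1']} M5={info['M5']} gaps={info['gaps']}s -> {verdict}")
```

Run it against the real message log (show msglog output or the syslog collector's file) after changing bcast-key-interval: if the gaps move with the new interval, the failures are rekey misses and not a client or driver problem.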

Does this cause a CAPWAP reset or impact the clients?

Rosa Ladeira
Level 1

Is there any difference between M1 and M5 on the msg above?

 

*dot1xMsgTask: Mar 26 13:19:31.123: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M5 retransmissions exceeded for client 3c:43:8e:0b:ee:f1

M1 and M5 are messages exchanged during the handshake.

 

The purpose of these messages is to generate the PMK of the client; the client and the WLC exchange some messages to generate this key, and M1 and M5 are two of these messages.

 

From a technical perspective there is no difference, as we can't do or change anything in these messages, since they are a standard.

 

 
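As an added illustration of what the handshake messages do (example code written for this thread, not Cisco's or the poster's): in WPA2-Personal both sides derive the PMK locally from the passphrase and SSID, and the 4-way handshake (M1 to M4) then derives the per-session PTK from that PMK and the two nonces. M1 carries only the ANonce and no MIC, so the WLC cannot tell an out-of-range client from one holding the wrong PSK until M2 arrives; a client that never answers M1 is what produces the retransmissions and the MAX_EAPOL_KEY_RETRANS error, and the later %DOT1X-3-PSK_CONFIG_ERR text ("may be using an incorrect PSK") reflects the same ambiguity. The addresses and the M2 body layout below are constructed placeholders, not a real frame encoding; the PMK test vector (passphrase "password", SSID "IEEE") is the one from IEEE 802.11i Annex H.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Each side computes this from its configured PSK; the PMK itself never crosses the air."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11 PRF-n on HMAC-SHA1: concatenate HMAC(key, label | 0x00 | data | i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the two MACs and the two nonces).
    For CCMP the 48 bytes are KCK (16, signs EAPOL-Key MICs), KEK (16, wraps the GTK), TK (16, data key).
    The min/max ordering makes the result independent of which side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (AES/CCMP): MIC = HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def simulate_m1_m2(passphrase_ap: str, passphrase_sta: str, ssid: str = "TEST") -> bool:
    """Plays M1 and M2 between a WLC/AP configured with passphrase_ap and a client with passphrase_sta.
    Returns True when the AP accepts M2, which happens only if both sides derived the same KCK."""
    aa = bytes.fromhex("001122334455")   # constructed authenticator (BSSID) address
    spa = bytes.fromhex("66778899aabb")  # constructed supplicant address
    # M1: AP -> client. Only the ANonce, no MIC: nothing in it depends on the PSK, so the AP
    # learns nothing about the client's key until M2 comes back (or fails to).
    anonce = os.urandom(32)
    # Client side: derive PTK from its own PMK, answer with M2 = SNonce + MIC under its KCK.
    snonce = os.urandom(32)
    kck_sta, _, _ = derive_ptk(derive_pmk(passphrase_sta, ssid), aa, spa, anonce, snonce)
    m2_body = b"\x02" + (b"\x00" * 8) + snonce  # constructed layout: descriptor type, replay counter, SNonce
    m2_mic = eapol_mic(kck_sta, m2_body)
    # AP side: derive PTK with the SNonce just received and verify the MIC with its own KCK.
    kck_ap, _, _ = derive_ptk(derive_pmk(passphrase_ap, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck_ap, m2_body), m2_mic)


if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    print("same PSK on both sides  ->", simulate_m1_m2("correct horse battery", "correct horse battery"))
    print("wrong PSK on the client ->", simulate_m1_m2("correct horse battery", "correct horse batery"))
```

The M2 check is the first point where the controller can reject a client for a key mismatch; everything before it (M1 and its retransmissions) only proves that the client is not responding.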

Hello, I have the same problem. For example, in one location we have 9 access points of the 2600 series; 8 are working and 1 is not. I need to mention that all the clients have HP with Windows 10. I made a test and updated the drivers for 1-2 clients, and it was working for 30 min, then not anymore. They can see the SSID but that's all; they cannot connect to it. The problem is not the AP because we have the same issue in more locations. The WLC is a 5508 with version 8.2.166. The problem started 2 weeks ago. Any idea?

If you have other devices connecting fine and only have issues with a specific device type, and you updated or downgraded the driver or had a patch installed, that can be the issue. Try to upgrade and/or downgrade the NIC driver of the device.
-Scott
*** Please rate helpful posts ***

I'm going to take a wild guess here: the 2600 APs are B radios only. I'm going to guess you have a ton of interference and it's causing your issues. Do you have any APs with A radios that you can test with?


Hi all! A week ago we started to observe the same problem in our infrastructure.

No configuration changes were made on the WLC side.

wlc 8.8.125.0

APs: AIR-AP2802E-R-K9 and AIR-AP2802I-R-K9 (the issue detected for both types)

Clients are different (mostly macOS, but Win10 also). All of them report disconnects from the AP and then a temporary inability to connect to the AP again.

All clients use 5GHz frequency.

The WLAN uses the WPA2-Personal security policy.

Logs (debug client on wlc):

*Dot1x_NW_MsgTask_0: Aug 26 17:43:42.567: XX:XX:XX:XX:XX:XX Starting key exchange to mobile XX:XX:XX:XX:XX:XX, data packets will be dropped
*Dot1x_NW_MsgTask_0: Aug 26 17:43:42.567: XX:XX:XX:XX:XX:XX Sending EAPOL-Key Message to mobile XX:XX:XX:XX:XX:XX
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Aug 26 17:43:42.567: XX:XX:XX:XX:XX:XX Allocating EAP Pkt for retransmission to mobile XX:XX:XX:XX:XX:XX
*apfReceiveTask: Aug 26 17:43:42.567: XX:XX:XX:XX:XX:XX plumbed kck, kek. sent msg to multi thread dot1x for plumbing replay counter. rc:0
*Dot1x_NW_MsgTask_0: Aug 26 17:43:42.567: XX:XX:XX:XX:XX:XX Received 4WAY completed message from AP
*Dot1x_NW_MsgTask_0: Aug 26 17:43:42.567: XX:XX:XX:XX:XX:XX wpaState is 2; not processing DOT1X_4WAY_COMPLETED_AT_AP
*osapiBsnTimer: Aug 26 17:43:44.716: XX:XX:XX:XX:XX:XX 802.1x 'timeoutEvt' Timer expired for station XX:XX:XX:XX:XX:XX and for message = M2
*Dot1x_NW_MsgTask_0: Aug 26 17:43:44.716: XX:XX:XX:XX:XX:XX Retransmit 1 of EAPOL-Key M1 (length 121) for mobile XX:XX:XX:XX:XX:XX
*osapiBsnTimer: Aug 26 17:43:47.054: XX:XX:XX:XX:XX:XX 802.1x 'timeoutEvt' Timer expired for station XX:XX:XX:XX:XX:XX and for message = M2
*Dot1x_NW_MsgTask_0: Aug 26 17:43:47.055: XX:XX:XX:XX:XX:XX Retransmit 2 of EAPOL-Key M1 (length 121) for mobile XX:XX:XX:XX:XX:XX
*osapiBsnTimer: Aug 26 17:43:49.038: XX:XX:XX:XX:XX:XX 802.1x 'timeoutEvt' Timer expired for station XX:XX:XX:XX:XX:XX and for message = M2
*Dot1x_NW_MsgTask_0: Aug 26 17:43:49.038: XX:XX:XX:XX:XX:XX Retransmit 3 of EAPOL-Key M1 (length 121) for mobile XX:XX:XX:XX:XX:XX
*osapiBsnTimer: Aug 26 17:43:51.022: XX:XX:XX:XX:XX:XX 802.1x 'timeoutEvt' Timer expired for station XX:XX:XX:XX:XX:XX and for message = M2
*Dot1x_NW_MsgTask_0: Aug 26 17:43:51.022: XX:XX:XX:XX:XX:XX Retransmit failure for EAPOL-Key M1 to mobile XX:XX:XX:XX:XX:XX, retransmit count 4, mscb deauth count 4
*Dot1x_NW_MsgTask_0: Aug 26 17:43:51.022: XX:XX:XX:XX:XX:XX Blacklisting (if enabled) the mobile XX:XX:XX:XX:XX:XX
*Dot1x_NW_MsgTask_0: Aug 26 17:43:51.022: XX:XX:XX:XX:XX:XX apfBlacklistMobileStationEntry2 (apf_ms.c:7047) Changing state for mobile XX:XX:XX:XX:XX:XX on AP YY:YY:YY:YY:YY:YY from Associated to Exclusion-list (1)


wlc syslog:


Aug 26 17:43:00 1.1.1.1 local0 wlc: *nmspTxServerTask: Aug 26 17:43:00.120: %NMSP-6-NMSP_CLOUD_CONN_UPDATE: locp_https_conn.c:2040 NMSP cloud service update. Received CMX service Link Check
Aug 26 17:43:10 1.1.1.1 local0 wlc: *Dot1x_NW_MsgTask_0: Aug 26 17:43:10.599: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client XX:XX:XX:XX:XX:XX
Aug 26 17:43:20 1.1.1.1 local0 wlc: *Dot1x_NW_MsgTask_0: Aug 26 17:43:20.914: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client XX:XX:XX:XX:XX:XX
Aug 26 17:43:30 1.1.1.1 local0 wlc: *nmspTxServerTask: Aug 26 17:43:29.940: %NMSP-6-NMSP_CLOUD_CONN_UPDATE: locp_https_conn.c:2040 NMSP cloud service update. Received CMX service Link Check
Aug 26 17:43:30 1.1.1.1 local0 wlc: *Dot1x_NW_MsgTask_0: Aug 26 17:43:30.831: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client XX:XX:XX:XX:XX:XX
Aug 26 17:43:40 1.1.1.1 local0 wlc: *Dot1x_NW_MsgTask_0: Aug 26 17:43:40.749: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client XX:XX:XX:XX:XX:XX
Aug 26 17:43:45 1.1.1.1 local0 wlc: *osapiBsnTimer: Aug 26 17:43:45.466: %OSAPI-4-TIME_SHIFT_DETECTED: timerlib.c:571 Detected forward time shift. Last: 1598453025.113445. --> Now:1598453025.466253.
Aug 26 17:43:51 1.1.1.1 local0 wlc: *Dot1x_NW_MsgTask_0: Aug 26 17:43:51.022: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M1 retransmissions exceeded for client XX:XX:XX:XX:XX:XX
Aug 26 17:43:51 1.1.1.1 local0 wlc: *Dot1x_NW_MsgTask_0: Aug 26 17:43:51.022: %APF-6-MOBILE_EXCLUDED: apf_ms.c:7124 Excluded the mobile XX:XX:XX:XX:XX:XX Reason: "802.1X Failure"
Aug 26 17:43:51 1.1.1.1 local0 wlc: *Dot1x_NW_MsgTask_0: Aug 26 17:43:51.022: %DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:756 Client XX:XX:XX:XX:XX:XX may be using an incorrect PSK

show wlan 1:


WLAN Identifier.................................. 1
Profile Name..................................... TEST
Network Name (SSID).............................. TEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Enabled
DHCP ....................................... Enabled
HTTP ....................................... Enabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 18
Exclusionlist Timeout............................ 180 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Sleep Client Auto Auth Feature................... Enabled
Web Auth Captive Bypass Mode..................... Enabled
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... 192.168.1.1
DHCP Scope Name.................................. none
Central NAT...................................... Disabled
Central NAT Peer-Peer Blocking................... Disabled
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
EoGRE Override VLAN state........................ disable
EoGRE Override VLAN ID........................... 0
Quality of Service............................... Gold
Per-BSSID Rate Limits............................ Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-WLAN Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=4)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Forward-Upstream
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Authorization ACA............................. Disabled
Accounting ACA................................ Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Radius Authentication caching.................... Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Adaptive
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Fleconnect Post-Auth IPv4 ACL................. Unconfigured
Fleconnect Post-Auth IPv6 ACL................. Unconfigured
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
Flex Avc Profile Name............................ TEST
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
OpenDns Wlan Dhcp Option 6....................... disable
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled
Fast Receive..................................... Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable
Lobby Admin Access............................... Disabled

Fabric Status
--------------

Fabric status.................................... Disable
Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex IPv6 Acl Name...............................
Flex Avc Policy Name.............................

U3-Interface................................... Disable

U3-Reporting Interval.......................... 30


mefimov
Level 1

I am not sure that community members can see my previous post, because my colleagues and I constantly get this error in any browser when trying to navigate the topic, and I cannot see my last message myself. The only way I can see it is to reverse the order of posts (from Newest to Oldest).

 


So please, can anybody confirm that you saw my previous post: https://community.cisco.com/t5/other-wireless-mobility-subjects/dot1x-3-max-eapol-key-retrans-messages/m-p/4141964#M103902

Recently, we disabled Client Exclusion policies to check how it will affect our network.

The overall issue is still in place, except that clients are no longer blocked by these policies:

%APF-6-MOBILE_NOT_EXCLUDED: apf_ms.c:7136 Could not exclude the mobile XX:XX:XX:XX:XX:XX
(Cisco Controller) show>wps summary

Auto-Immune
  Auto-Immune.................................... Disabled
  Auto-Immune by aWIPS Prevention................ Disabled

Client Exclusion Policy
  Excessive 802.11-association failures.......... Disabled
  Excessive 802.11-authentication failures....... Disabled
  Excessive 802.1x-authentication................ Disabled
  IP-theft....................................... Enabled
  Excessive Web authentication failure........... Enabled
  Maximum 802.1x-AAA failure attempts............ 3

Signature Policy
  Signature Processing........................... Enabled


Management Frame Protection
  Global Infrastructure MFP state................ DISABLED (*all infrastructure settings are overridden)
  AP Impersonation detection..................... Disabled
  Controller Time Source Valid................... True