09-24-2012 12:28 PM - edited 07-03-2021 10:42 PM
Hi, we have setup a wireless network available for our customers with Web-Passthrough security. We have no issues with any customers' laptop and certain Blackberry devices but we do have issues with customers' ipad2 and some of newer Blackberry models (like Bold 9900). These units can see the wireless network, attempting to connect but with no success. Ipad3 have no issues. Majority of our customers are having ipad2 so wondering what could be done to solve this issue.
Appreciate your help and input.
############################################
BAD Connection:
*DHCP Socket Task: Sep 24 11:01:40.683: 0c:74:c2:bd:2a:15 10.65.56.18 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*DHCP Socket Task: Sep 24 11:01:40.683: 0c:74:c2:bd:2a:15 Plumbing web-auth redirect rule due to user logout
*DHCP Socket Task: Sep 24 11:01:40.683: 0c:74:c2:bd:2a:15 Assigning Address 10.65.56.18 to mobile
*DHCP Socket Task: Sep 24 11:01:40.683: 0c:74:c2:bd:2a:15 DHCP success event for client. Clearing dhcp failure count for interface management.
*pemReceiveTask: Sep 24 11:01:40.684: 0c:74:c2:bd:2a:15 10.65.56.18 tokenID = 5
*pemReceiveTask: Sep 24 11:01:40.684: 0c:74:c2:bd:2a:15 10.65.56.18 Added NPU entry of type 2, dtlFlags 0x0
*apfReceiveTask: Sep 24 11:06:40.587: 0c:74:c2:bd:2a:15 10.65.56.18 WEBAUTH_REQD (8) Web-Auth Policy timeout <------------------------------
*apfReceiveTask: Sep 24 11:06:40.587: 0c:74:c2:bd:2a:15 10.65.56.18 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 24 11:06:40.587: 0c:74:c2:bd:2a:15 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*osapiBsnTimer: Sep 24 11:06:50.587: 0c:74:c2:bd:2a:15 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 24 11:06:50.587: 0c:74:c2:bd:2a:15 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 0c:74:c2:bd:2a:15 on AP 08:17:35:83:96:90 from Associated to Disassociated
##############################################
GOOD Connection:
*DHCP Socket Task: Sep 24 10:48:27.543: 04:54:53:4f:88:96 Assigning Address 192.168.9.5 to mobile
*DHCP Socket Task: Sep 24 10:48:27.544: 04:54:53:4f:88:96 DHCP success event for client. Clearing dhcp failure count for interface management.
*pemReceiveTask: Sep 24 10:48:27.544: 04:54:53:4f:88:96 192.168.9.5 tokenID = 8
*pemReceiveTask: Sep 24 10:48:27.544: 04:54:53:4f:88:96 192.168.9.5 Added NPU entry of type 2, dtlFlags 0x0
*emWeb: Sep 24 10:48:35.069: 04:54:53:4f:88:96 192.168.9.5 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14)
*emWeb: Sep 24 10:48:35.069: 04:54:53:4f:88:96 apfMsRunStateInc
*emWeb: Sep 24 10:48:35.069: 04:54:53:4f:88:96 192.168.9.5 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)
*emWeb: Sep 24 10:48:35.075: 04:54:53:4f:88:96 Session Timeout is 28800 - starting session timer for the mobile
*emWeb: Sep 24 10:48:35.075: 04:54:53:4f:88:96 192.168.9.5 RUN (20) Reached PLUMBFASTPATH: from line 5063
*emWeb: Sep 24 10:48:35.075: 04:54:53:4f:88:96 192.168.9.5 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 00:27:0d:08:30:10, slot 0, interface = 13, QOS = 3
ACL Id = 255, Jumbo Frames = NO
*emWeb: Sep 24 10:48:35.075: 04:54:53:4f:88:96 192.168.9.5 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 8 IPv6 Vlan = 0, IPv6 intf id = 0
*emWeb: Sep 24 10:48:35.075: 04:54:53:4f:88:96 192.168.9.5 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Sep 24 10:48:35.075: 04:54:53:4f:88:96 192.168.9.5 tokenID = 8
*pemReceiveTask: Sep 24 10:48:35.075: 04:54:53:4f:88:96 192.168.9.5 Added NPU entry of type 1, dtlFlags 0x0
*apfMsConnTask_0: Sep 24 10:50:08.672: Ignoring 802.11 assoc request from mobileradio is NOT enabled
*spamApTask1: Sep 24 11:00:21.970: 04:54:53:4f:88:96 Cleaning up state for STA 04:54:53:4f:88:96 due to event for AP 00:27:0d:08:30:10(0)
*apfReceiveTask: Sep 24 11:00:21.975: 04:54:53:4f:88:96 apfSendDisAssocMsgDebug (apf_80211.c:1855) Changing state for mobile 04:54:53:4f:88:96 on AP 00:27:0d:08:30:10 from Associated to Disassociated
#################################################
09-24-2012 01:57 PM
Based on your capture this is what it looks like:
*pemReceiveTask: Sep 24 11:01:40.684: 0c:74:c2:bd:2a:15 10.65.56.18 Added NPU entry of type 2, dtlFlags 0x0
*apfReceiveTask: Sep 24 11:06:40.587: 0c:74:c2:bd:2a:15 10.65.56.18 WEBAUTH_REQD (8) Web-Auth Policy timeout
You see the start time 11:01:40 and then exactly 5 minutes later 11:06:40 your web auth policy expires. This is the user idle timeout value. On your controlle press CONTROLLER. Look at the very bottom for the user idle timeout. Its set to 300 seconds <5 minutes>. This settings means if the controller doesnt see traffic from this device to knock it off the network.
So the question is, are these devices sitting idle and not hitting the web page ?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-24-2012 02:06 PM
THis is my original post (https://supportforums.cisco.com/message/3741712#3741712)
I have no access to devices on site; i tested in my lab with ipad2 and works OK (GOOD conenction). The BAD connection is reported on site with ipad3.
Both ipads are talking to the saem controller.
I dont think devices are sitting idle..
09-24-2012 02:14 PM
Here is latest debug from client that has no webauth page and no internet access. he can get dhcp ip address OK.
(Cisco Controller) >debug client 74:e1:b6:90:ac:61
(Cisco Controller) >*pemReceiveTask: Sep 24 11:07:00.590: 0c:74:c2:bd:2a:15 10.65.56.18 Removed NPU entry.
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 Adding mobile on LWAPP AP 08:17:35:c6:d4:60(0)
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 Association received from mobile on AP 08:17:35:c6:d4:60
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 Applying site-specific IPv6 override for station 74:e1:b6:90:ac:61 - vapId 10, site 'default-group', interface 'management'
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 Applying IPv6 Interface Policy for station 74:e1:b6:90:ac:61 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 STA - rates (8): 4 139 150 36 48 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 STA - rates (11): 4 139 150 36 48 72 96 108 12 18 24 0 0 0 0 0
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 08:17:35:c6:d4:60 vapId 10 apVapId 10for this client
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:17:35:c6:d4:60 vapId 10 apVapId 10
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 apfMsAssoStateInc
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 74:e1:b6:90:ac:61 on AP 08:17:35:c6:d4:60 from Idle to Associated
*apfMsConnTask_0: Sep 24 13:54:16.709: 74:e1:b6:90:ac:61 Scheduling deletion of Mobile Station: (callerId: 49) in 28800 seconds
*apfMsConnTask_0: Sep 24 13:54:16.710: 74:e1:b6:90:ac:61 Sending Assoc Response to station on BSSID 08:17:35:c6:d4:60 (status 0) ApVapId 10 Slot 0
*apfMsConnTask_0: Sep 24 13:54:16.710: 74:e1:b6:90:ac:61 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 74:e1:b6:90:ac:61 on AP 08:17:35:c6:d4:60 from Associated to Associated
*apfMsConnTask_0: Sep 24 13:54:16.710: 74:e1:b6:90:ac:61 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfMsConnTask_0: Sep 24 13:54:16.710: 74:e1:b6:90:ac:61 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule
*apfMsConnTask_0: Sep 23 23:40:56.710: 74:e1:b6:90:ac:61 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 08:17:35:c6:d4:60, slot 0, interface = 13, QOS = 3
ACL Id = 255, Jumbo F
*apfMsConnTask_0: Sep 24 13:54:16.710: 74:e1:b6:90:ac:61 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 IPv6 Vlan = 0, IPv6 intf id = 0
*apfMsConnTask_0: Sep 24 13:54:16.710: 74:e1:b6:90:ac:61 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Sep 24 13:54:16.711: 74:e1:b6:90:ac:61 0.0.0.0 tokenID = 5
*pemReceiveTask: Sep 24 13:54:16.712: 74:e1:b6:90:ac:61 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*apfMsConnTask_0: Sep 24 13:54:16.903: 74:e1:b6:90:ac:61 Updating AID for REAP AP Client 08:17:35:c6:d4:60 - AID ===> 1
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP received op BOOTREPLY (2) (len 313,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP xid: 0x75781542 (1970804034), secs: 0, flags: 0
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP chaddr: 74:e1:b6:90:ac:61
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP ciaddr: 0.0.0.0, yiaddr: 10.65.56.12
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 DHCP server id: 10.65.56.2 rcvd server id: 10.65.56.2
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 Adding Web RuleID 1234882 for mobile 74:e1:b6:90:ac:61
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 10.65.56.12 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) pemAdvanceState2 5170, Adding TMP rule
*DHCP So: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 08:17:35:c6:d4:60, slot 0, interface = 13, QOS = 3
ACL Id =
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5 IPv6 Vlan = 0, IPv6 intf id = 0
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*DHCP Socket Task: Sep 24 13:54:18.193: 74:e1:b6:90:ac:61 Plumbing web-auth redirect rule due to user logout
*DHCP Socket Task: Sep 24 13:54:18.194: 74:e1:b6:90:ac:61 Assigning Address 10.65.56.12 to mobile
*DHCP Socket Task: Sep 24 13:54:18.194: 74:e1:b6:90:ac:61 DHCP success event for client. Clearing dhcp failure count for interface management.
*pemReceiveTask: Sep 24 13:54:18.194: 74:e1:b6:90:ac:61 10.65.56.12 tokenID = 5
*pemReceiveTask: Sep 24 13:54:18.194: 74:e1:b6:90:ac:61 10.65.56.12 Added NPU entry of type 2, dtlFlags 0x0
*apfReceiveTask: Sep 24 13:59:18.108: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Web-Auth Policy timeout
*apfReceiveTask: Sep 24 13:59:18.108: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 24 13:59:18.108: 74:e1:b6:90:ac:61 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*osapiBsnTimer: Sep 24 13:59:28.108: 74:e1:b6:90:ac:61 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 24 13:59:28.108: 74:e1:b6:90:ac:61 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 74:e1:b6:90:ac:61 on AP 08:17:35:c6:d4:60 from Associated to Disassociated
*apfReceiveTask: Sep 24 13:59:28.108: 74:e1:b6:90:ac:61 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*spamApTask4: Sep 24 13:59:31.012: 74:e1:b6:90:ac:61 Received Idle-Timeout from AP 08:17:35:c6:d4:60, slot 0 for STA 74:e1:b6:90:ac:61
*spamApTask4: Sep 24 13:59:31.012: 74:e1:b6:90:ac:61 apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 4, reasonCode 4
*spamApTask4: Sep 24 13:59:31.012: 74:e1:b6:90:ac:61 Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*osapiBsnTimer: Sep 24 13:59:31.908: 74:e1:b6:90:ac:61 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 24 13:59:31.910: 74:e1:b6:90:ac:61 Sent Deauthenticate to mobile on BSSID 08:17:35:c6:d4:60 slot 0(caller apf_ms.c:5094)
*apfReceiveTask: Sep 24 13:59:31.910: 74:e1:b6:90:ac:61 apfMsAssoStateDec
*apfReceiveTask: Sep 24 13:59:31.910: 74:e1:b6:90:ac:61 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 74:e1:b6:90:ac:61 on AP 08:17:35:c6:d4:60 from Disassociated to Idle
*apfReceiveTask: Sep 24 13:59:31.910: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Deleted mobile LWAPP rule on AP [08:17:35:c6:d4:60]
*apfReceiveTask: Sep 24 13:59:31.910: 74:e1:b6:90:ac:61 Deleting mobile on AP 08:17:35:c6:d4:60(0)
*pemReceiveTask: Sep 24 13:59:31.911: 74:e1:b6:90:ac:61 10.65.56.12 Unable to delete token entry
*pemReceiveTask: Sep 24 13:59:31.911: 74:e1:b6:90:ac:61 10.65.56.12 Removed NPU entry.
Any ideas?
Appreciated.
09-24-2012 02:17 PM
Here again, the controller is hitting the user idle timeout. Apple iPads are very clean .. they dont chatter much.
Do this, i bet if you ping one of these iPads she doesnt fall off the network. You need to expand the user idle timeout. Users are connecting and then they arent doing anything to genrate traffic on the iPad ..
pemReceiveTask: Sep 24 13:54:18.194: 74:e1:b6:90:ac:61 10.65.56.12 Added NPU entry of type 2, dtlFlags 0x0
*apfReceiveTask: Sep 24 13:59:18.108: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Web-Auth Policy timeout
*apfReceiveTask: Sep 24 13:59:18.108: 74:e1:b6:90:ac:61 10.65.56.12 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 24 13:59:18.108: 74:e1:b6:90:ac:61 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-24-2012 02:14 PM
I understand, I'm just reading what the controller is showing. The controller is saying the device is not sending any data and it should be deleted are the 300 seconds
Wireless is one of those technologies that you need to see the issue for yourself, it sounds like you haven't tested the iPad3 yourself, yet. If I were you, get your hands on a iPad3 and test it.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-24-2012 02:20 PM
Agree to expand timeout but how come at one location with the same distance to the WLC, i can connect using ipad2 and from the other i cannot using ipad3? Everythig goes thru same controller...
09-24-2012 02:25 PM
well it shows that the ipad3 is connecting and then it deletes it after user idle timeout. Its really hard to say, i would suggest getting your hands on the device and seeing what is happening with your own eyes.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-24-2012 02:27 PM
Well, will try to convince my manager to fly my over there :-))
Thanks
09-24-2012 02:29 PM
Oh, its that far .. Perhaps get a iPad 3 and test with it. Join an AP from that controller to your shop. Just as good ..
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-24-2012 02:35 PM
Yes, that is my plan for tommorrow but was not sure what to look for since ipad2 works like a charm and customer with ipad3 with issus had no problems using same ipad3 on our other sites.
09-24-2012 02:46 PM
Stop back after you test it ...Are the WLANs identical across all the controllers?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-24-2012 02:48 PM
yes, all identical.
09-24-2012 03:29 PM
Looks like it was a matter of fat fingers from one of our router admin... incorrect subnet mask. Once proper subnet mask entered everything magically started to work. Will keep monitoring for any issue...
Thanks for yor help.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide