Re: Sending station has left the BSS or Sending station has lef channel dfs

Demandonio · ‎02-14-2020

Hi all,

I'm having a problem configuring a Cisco Air-SAP1602I-E-K9. I configured everything, I guess, but every time I try to authenticate it it says: Sending station has left the BSS.

How can I solve this issue?

This is the configuration I did:

AP#sh run
Building configuration...

Current configuration : 2869 bytes
!
! Last configuration change at 21:41:59 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP
!
!
logging rate-limit console 9
enable secret 5 $1$WyKF$wUlRyeJ1q85u.N2HQb3aK/
!
no aaa new-model
clock timezone UTC 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip routing
no ip cef
ip domain name client.local
!
!
!
dot11 syslog
dot11 vlan-name Test vlan 600
!
dot11 ssid XPRESS
vlan 600
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1344301E183323382E232934321D4157445340
!
!
crypto pki token default removal timeout 0
!
!
username admin password 7 062F012743712E0B0010130C0B
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 600 mode ciphers aes-ccm tkip
!
encryption mode wep mandatory
!
ssid XPRESS
!
antenna gain 0
stbc
beamform ofdm
mbssid
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.600
encapsulation dot1Q 600
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 600 mode ciphers aes-ccm tkip
!
encryption mode wep mandatory
!
ssid XPRESS
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.600
encapsulation dot1Q 600
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.600
encapsulation dot1Q 600
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface BVI1
ip address 192.168.250.24 255.255.255.224
no ip route-cache
!
ip default-gateway 192.168.250.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input ssh
!
end

Do you have a solution for this issue?

Thank you!

Flavio Miranda · ‎02-14-2020

Hi

Have you tried more then one device? the message states that the sender has left the BSS and this can be a client problem and not an AP problem.

You also need to provide more info like are you trying to access the network closer enough? Can you run a client debug and share the output?

-If I helped you somehow, please, rate it as useful.-

Demandonio · ‎02-14-2020

Hi Flavio,

I tried 4 devices, with the same result.

The access point is in laboratory with me, I'm testing it before starting to use it. There are no interferences :/

I don't know how to run a client debug. Can you explain me?

Thank you

Flavio Miranda · ‎02-14-2020

Console into AP and run "debug dot11 ? "

This must show you debugs option. Try as much as possible.

-If I helped you somehow, please, rate it as useful.-

Demandonio · ‎02-14-2020

Ok, thanks. I found this:

*Mar 2 01:02:33.819: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 3ccd.5d3a.f837 Associated KEY_MGMT[WPAv2 PSK]
*Mar 2 01:03:09.862: dot11_auth_client_abort: Received abort request for client 3ccd.5d3a.f837
*Mar 2 01:03:09.862: dot11_auth_client_abort: No client entry to abort: 3ccd.5d3a.f837 for application 0x1
*Mar 2 01:03:09.862: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 3ccd.5d3a.f837 Reason: Sending station has left the BSS

There are two logs that may help. Maybe you alredy faced this before.

Thank you

Flavio Miranda · ‎02-14-2020

Looks like the problem is authentication

dot11 ssid XPRESS
vlan 600
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1344301E183323382E232934321D4157445340

Try to remove the "mbssid guest-mode" line

-If I helped you somehow, please, rate it as useful.-

Demandonio · ‎02-17-2020

Hi,

when I removed the mbssid guest-mode command it stopped broadcasting SSID. Then I activated just the guest-ssid command., removing the mbssid also into the dot11 interface. Now it forwards again but the result is the same..

Jay Vivas · ‎02-20-2020

The client is trying to auth with WPAv2 but you are only using WPAv1 on the SSID. I would do two things here:

1. Remove the "encryption mode wep mandatory" from the radio.

2. On the SSID change "authentication key-management wpa" to "authentication key-management wpa version 2"