
Virtual WLC, dropping clients.

Daniel Jensen
Level 1

Hello.

I have some clients who are getting dropped on an AP. I have used the debug client command; can anyone tell what to change on the WLC to make the errors stop?

The vWLC is running the newest version, and the APs are 1602i.

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e suppRates  statusCode is 0 and gotSuppRatesElement is 1

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e Processing WPA IE type 221, length 22 for mobile 68:b5:99:45:44:8e

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e 0.0.0.0 START (0) Initializing policy

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e 0.0.0.0 8021X_REQD (3) DHCP required on AP 68:86:a7:ca:bd:40 vapId 5 apVapId 5for this client

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e Not Using WMM Compliance code qosCap 00

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 68:86:a7:ca:bd:40 vapId 5 apVapId 5 flex-acl-name:

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e apfMsAssoStateInc

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 68:b5:99:45:44:8e on AP 68:86:a7:ca:bd:40 from Idle to Associated

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e apfPemAddUser2:session timeout forstation 68:b5:99:45:44:8e - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e Sending Assoc Response to station on BSSID 68:86:a7:ca:bd:44 (status 0) ApVapId 5 Slot 0

*apfMsConnTask_6: Oct 07 16:01:16.954: 68:b5:99:45:44:8e apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 68:b5:99:45:44:8e on AP 68:86:a7:ca:bd:40 from Associated to Associated

*apfMsConnTask_6: Oct 07 16:01:16.961: 68:b5:99:45:44:8e Updating AID for REAP AP Client 68:86:a7:ca:bd:40 - AID ===> 3

*dot1xMsgTask: Oct 07 16:01:16.963: 68:b5:99:45:44:8e Creating a PKC PMKID Cache entry for station 68:b5:99:45:44:8e (RSN 0)

*dot1xMsgTask: Oct 07 16:01:16.963: 68:b5:99:45:44:8e Setting active key cache index 8 ---> 8

*dot1xMsgTask: Oct 07 16:01:16.963: 68:b5:99:45:44:8e Setting active key cache index 8 ---> 0

*dot1xMsgTask: Oct 07 16:01:16.963: 68:b5:99:45:44:8e Initiating WPA PSK to mobile 68:b5:99:45:44:8e

*dot1xMsgTask: Oct 07 16:01:16.963: 68:b5:99:45:44:8e dot1x - moving mobile 68:b5:99:45:44:8e into Force Auth state

*dot1xMsgTask: Oct 07 16:01:16.963: 68:b5:99:45:44:8e Starting key exchange to mobile 68:b5:99:45:44:8e, data packets will be dropped

*dot1xMsgTask: Oct 07 16:01:16.963: 68:b5:99:45:44:8e Sending EAPOL-Key Message to mobile 68:b5:99:45:44:8e

                                                                                                              state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.972: 68:b5:99:45:44:8e Received EAPOL-Key from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.972: 68:b5:99:45:44:8e Received EAPOL-key in PTK_START state (message 2) from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.972: 68:b5:99:45:44:8e Stopping retransmission timer for mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.972: 68:b5:99:45:44:8e Sending EAPOL-Key Message to mobile 68:b5:99:45:44:8e

                                                                                                                    state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e Received EAPOL-Key from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e Stopping retransmission timer for mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e apfMs1xStateInc

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 68:86:a7:ca:bd:40 vapId 5 apVapId 5for this client

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e Not Using WMM Compliance code qosCap 00

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 68:86:a7:ca:bd:40 vapId 5 apVapId 5 flex-acl-name:

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5952, Adding TMP rule

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 68:86:a7:ca:bd:40, slot 0, interface = 1, QOS = 0

  IPv4 ACL ID = 255, IPv

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206  Local Bridging Vlan = 1, Local Bridging intf id = 6

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.982: 68:b5:99:45:44:8e Key exchange done, data packets from mobile 68:b5:99:45:44:8e should be forwarded shortly

*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.982: 68:b5:99:45:44:8e Sending EAPOL-Key Message to mobile 68:b5:99:45:44:8e

                                                                                                                    state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02

*apfReceiveTask: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED

*apfReceiveTask: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5576, Adding TMP rule

*apfReceiveTask: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 68:86:a7:ca:bd:40, slot 0, interface = 1, QOS = 0

  IPv4 ACL ID = 255,

*apfReceiveTask: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206  Local Bridging Vlan = 1, Local Bridging intf id = 6

*apfReceiveTask: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)

*pemReceiveTask: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

*pemReceiveTask: Oct 07 16:01:16.982: 68:b5:99:45:44:8e 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

*spamApTask1: Oct 07 16:01:16.990: 68:b5:99:45:44:8e Sent EAPOL-Key M5 for mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:17.001: 68:b5:99:45:44:8e Received EAPOL-Key from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:17.001: 68:b5:99:45:44:8e Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:17.001: 68:b5:99:45:44:8e Stopping retransmission timer for mobile 68:b5:99:45:44:8e

*DHCP Socket Task: Oct 07 16:01:28.373: 68:b5:99:45:44:8e DHCP received op BOOTREPLY (2) (len 333,vlan 0, port 1, encap 0xec03)

*DHCP Socket Task: Oct 07 16:01:28.373: 68:b5:99:45:44:8e DHCP setting server from OFFER (server 10.21.1.254, yiaddr 10.21.1.96)

*DHCP Socket Task: Oct 07 16:01:28.376: 68:b5:99:45:44:8e DHCP received op BOOTREPLY (2) (len 333,vlan 0, port 1, encap 0xec03)

*DHCP Socket Task: Oct 07 16:01:28.376: 68:b5:99:45:44:8e apfMsRunStateInc

*DHCP Socket Task: Oct 07 16:01:28.376: 68:b5:99:45:44:8e 10.21.1.96 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)

*DHCP Socket Task: Oct 07 16:01:28.376: 68:b5:99:45:44:8e Assigning Address 10.21.1.96 to mobile

*DHCP Socket Task: Oct 07 16:01:28.376: 68:b5:99:45:44:8e DHCP success event for client. Clearing dhcp failure count for interface data.

*DHCP Socket Task: Oct 07 16:01:28.376: 68:b5:99:45:44:8e DHCP success event for client. Clearing dhcp failure count for interface data.

*pemReceiveTask: Oct 07 16:01:28.376: 68:b5:99:45:44:8e 10.21.1.96 Removed NPU entry.

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.017: 68:b5:99:45:44:8e Received EAPOL-Key from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.017: 68:b5:99:45:44:8e Received EAPOL-key to initiate new key exchange from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.017: 68:b5:99:45:44:8e Initializing EAPOL-Key Request replay counter to 00 00 00 00 00 00 00 a0 for client 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.017: 68:b5:99:45:44:8e Starting key exchange to mobile 68:b5:99:45:44:8e, data packets will be dropped

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.017: 68:b5:99:45:44:8e Sending EAPOL-Key Message to mobile 68:b5:99:45:44:8e

                                                                                                                    state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.03

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.017: 68:b5:99:45:44:8e Received EAPOL-key MIC err message from  mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.018: 68:b5:99:45:44:8e Received EAPOL-Key from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.018: 68:b5:99:45:44:8e Received EAPOL-key to initiate new key exchange from mobile 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.018: 68:b5:99:45:44:8e Starting key exchange to mobile 68:b5:99:45:44:8e, data packets will be dropped

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.018: 68:b5:99:45:44:8e Sending EAPOL-Key Message to mobile 68:b5:99:45:44:8e

                                                                                                                    state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.03

*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.018: 68:b5:99:45:44:8e Received EAPOL-key MIC err message from  mobile 68:b5:99:45:44:8e

*dot1xMsgTask: Oct 07 16:01:34.997: 68:b5:99:45:44:8e Failure sending WPA EAPOL-Key due to invalid state 2 to mobile 68:b5:99:45:44:8e

*dot1xMsgTask: Oct 07 16:01:34.997: 68:b5:99:45:44:8e Unable to send WPA key to mobile 68:b5:99:45:44:8e

*dot1xMsgTask: Oct 07 16:01:34.997: 68:b5:99:45:44:8e Unable to update broadcast key to mobile 68:B5:99:45:44:8E

*osapiBsnTimer: Oct 07 16:01:35.201: 68:b5:99:45:44:8e 802.1x 'timeoutEvt' Timer expired for station 68:b5:99:45:44:8e and for message = M2

*dot1xMsgTask: Oct 07 16:01:35.201: 68:b5:99:45:44:8e Retransmit 1 of EAPOL-Key M1 (length 99) for mobile 68:b5:99:45:44:8e

*osapiBsnTimer: Oct 07 16:01:36.221: 68:b5:99:45:44:8e 802.1x 'timeoutEvt' Timer expired for station 68:b5:99:45:44:8e and for message = M2

*dot1xMsgTask: Oct 07 16:01:36.221: 68:b5:99:45:44:8e Retransmit 2 of EAPOL-Key M1 (length 99) for mobile 68:b5:99:45:44:8e

*osapiBsnTimer: Oct 07 16:01:37.241: 68:b5:99:45:44:8e 802.1x 'timeoutEvt' Timer expired for station 68:b5:99:45:44:8e and for message = M2

*dot1xMsgTask: Oct 07 16:01:37.241: 68:b5:99:45:44:8e Retransmit failure for EAPOL-Key M1 to mobile 68:b5:99:45:44:8e, retransmit count 3, mscb deauth count 0

*dot1xMsgTask: Oct 07 16:01:37.241: 68:b5:99:45:44:8e Resetting MSCB PMK Cache Entry 0 for station 68:b5:99:45:44:8e

*dot1xMsgTask: Oct 07 16:01:37.241: 68:b5:99:45:44:8e Setting active key cache index 0 ---> 8

*dot1xMsgTask: Oct 07 16:01:37.241: 68:b5:99:45:44:8e Sent Deauthenticate to mobile on BSSID 68:86:a7:ca:bd:40 slot 0(caller 1x_ptsm.c:546)

*dot1xMsgTask: Oct 07 16:01:37.241: 68:b5:99:45:44:8e Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds

(Cisco Controller) >*osapiBsnTimer: Oct 07 16:01:47.442: 68:b5:99:45:44:8e apfMsExpireCallback (apf_ms.c:615) Expiring Mobile!

*apfReceiveTask: Oct 07 16:01:47.442: 68:b5:99:45:44:8e apfMsExpireMobileStation (apf_ms.c:5827) Changing state for mobile 68:b5:99:45:44:8e on AP 68:86:a7:ca:bd:40 from Associated to Disassociated

Accepted Solutions

tony.sangha
Level 1

The error:

Received EAPOL-key MIC err message from  mobile

suggests that the STA (computer) is sending an invalid nonce value. The MIC stands for message integrity check.

I have generally seen this when clients are using TKIP; try changing your WLAN to use only AES. Also, if you can send the output of: show wlan ID, this will help clarify how your WLAN is set up.

**Please rate if this post was helpful, thank you**


Thanks for the answer.

I will try to set it to WPAv2-AES.

Sandeep Choudhary
VIP Alumni

Hi Daniel,

I would suggest checking:

1. Update the driver of the device.

2. Make sure that the WLAN is only set to wpa-tkip or wpa2-aes (one at a time).

Hope it helps.

Regards

Hello!

Thanks for all your help. It worked for me setting the SSID to WPA2-AES.

I also got a nice answer from Cisco TAC:

I went through the data you kindly provided and can see that the printer has connected to wireless; the debugs you attached to the case show that the AP is in RUN state:

*DHCP Socket Task: Oct 07 15:16:05.090: 68:b5:99:45:44:8e 10.21.1.96 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)

But, after a short while, the printer started replying with invalid EAPOL messages, the debug you attached to the case showing the following message:

*Dot1x_NW_MsgTask_6: Oct 07 15:16:12.993: 68:b5:99:45:44:8e Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 68:b5:99:45:44:8e

Looking to the msglog on controller, we can see the following message:

*spamApTask1: Oct 07 19:02:37.430: #LOG-3-Q_IND: 1x_eapkey.c:618 TKIP MIC errors reported in EAPOL key msg from client 68:b5:99:45:44:8e

*Dot1x_NW_MsgTask_6: Oct 07 19:02:37.415: #DOT1X-3-WPA_KEY_MIC_ERR: 1x_eapkey.c:618 TKIP MIC errors reported in EAPOL key msg from client 68:b5:99:45:44:8e

*dot1xMsgTask: Oct 07 19:01:18.360: #DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1404 Unable to send EAPOL-key msg  - invalid WPA state (2) - client 68:b5:99:45:44:8e

*spamApTask1: Oct 07 19:01:17.439: #LWAPP-3-MIC_COUNTER: spam_lrad.c:33547 The system has received MIC countermeasure, WLAN 5, slot 0 AP Lunderskov-Salg client 68:b5:99:45:44:8e

Looks like the printer is replying with invalid EAPOL message since it’s not compatible with TKIP encryption method, I can see on TTW-Printer SSID that WPA/TKIP is enabled on this SSID.

The Action Plan:

I would suggest to change the encryption method to WPA2/AES instead of WPA/TKIP, then test again, if you still have the same issue, please provide the new ‘debug client ’ output.

Let me know if you have any questions or comments,
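
Added example (not part of the original thread and not Cisco tooling): a small Python parser for `debug client` output that flags the sequence seen in the debug above, where the client reaches RUN, then reports EAPOL-key MIC errors, the M1 retransmits fail, and the controller deauthenticates it. The function name `summarize`, the result field names and the year 2000 used for parsing are assumptions made for this sketch; the sample lines are copied from the debug quoted in the thread.

```python
import re
from datetime import datetime

# Lines copied from the debug client output quoted in this thread.
SAMPLE = """\
*Dot1x_NW_MsgTask_6: Oct 07 16:01:16.981: 68:b5:99:45:44:8e 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*DHCP Socket Task: Oct 07 16:01:28.376: 68:b5:99:45:44:8e 10.21.1.96 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.017: 68:b5:99:45:44:8e Received EAPOL-key MIC err message from  mobile 68:b5:99:45:44:8e
*Dot1x_NW_MsgTask_6: Oct 07 16:01:34.018: 68:b5:99:45:44:8e Received EAPOL-key MIC err message from  mobile 68:b5:99:45:44:8e
*dot1xMsgTask: Oct 07 16:01:37.241: 68:b5:99:45:44:8e Retransmit failure for EAPOL-Key M1 to mobile 68:b5:99:45:44:8e, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Oct 07 16:01:37.241: 68:b5:99:45:44:8e Sent Deauthenticate to mobile on BSSID 68:86:a7:ca:bd:40 slot 0(caller 1x_ptsm.c:546)
"""

LINE = re.compile(r"^\*(?P<task>[^:]+): (?P<ts>\w{3} \d{2} [\d:.]+): "
                  r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
STATE = re.compile(r"Change state to (\w+) \(\d+\)")

def summarize(text):
    """Per-client summary: PEM states reached, MIC errors, deauth cause."""
    clients = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines ("state INITPMK ...") and CLI prompts
        # The log carries no year; 2000 is an assumed placeholder for parsing.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        c = clients.setdefault(m["mac"].lower(), {
            "states": [], "run_at": None, "mic_errors": 0,
            "first_mic_at": None, "retransmit_failure": False, "deauth": False})
        msg = m["msg"]
        if (s := STATE.search(msg)):
            c["states"].append(s.group(1))
            if s.group(1) == "RUN":
                c["run_at"] = ts
        elif "EAPOL-key MIC err" in msg:
            c["mic_errors"] += 1
            c["first_mic_at"] = c["first_mic_at"] or ts
        elif "Retransmit failure for EAPOL-Key" in msg:
            c["retransmit_failure"] = True
        elif "Sent Deauthenticate" in msg:
            c["deauth"] = True
    for c in clients.values():
        # Drop after RUN with client-reported MIC errors: the pattern in this thread.
        c["mic_drop_after_run"] = bool(
            c["run_at"] and c["first_mic_at"] and c["first_mic_at"] > c["run_at"]
            and c["retransmit_failure"] and c["deauth"])
        c["secs_run_to_mic"] = ((c["first_mic_at"] - c["run_at"]).total_seconds()
                                if c["mic_drop_after_run"] else None)
    return clients
```

A client flagged with `mic_drop_after_run` matches the case resolved here by moving the SSID from WPA/TKIP to WPA2/AES; the WLAN's cipher settings are the first thing to check.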
