07-01-2024 10:55 AM
We have a user that keeps receiving the error stating an Invalid PSK when connecting to their home network. They are 100% sure they are typing it correctly. The user can connect the first time after adding the network via NAM. If they reboot or connect to the network again (leaving their house and coming back) NAM will throw the Incorrect PSK. They can only connect once and only if they remove the network and add it back. I did notice messages about "Missing PMK" right before the message is thrown about an Incorrect PSK.
The user started to see this issue after AnyConnect was upgraded from 4.10.0471 to Secure Client 5.1.2
Cisco Secure Client 5.1.2
TP-Link Deco Mesh Router
07-01-2024 03:06 PM
Are you trying AnyConnect with a client using Wi-Fi?
PMK is for Wi-Fi, not for AnyConnect, as far as I know.
MHM
07-02-2024 09:59 AM
In a WPA2 Personal network the PMK is the PSK. The user did state that just using the native Windows supplicant he does not experience the issue.
07-02-2024 10:01 AM
No, friend, the PMK is different, and it is mostly used for roaming.
I think you are facing something wrong in the Wi-Fi.
MHM
07-03-2024 10:01 AM
There was another user that is having the same issue. Different home router and different ISP.
I noticed they both have the same error logs
2057: <HOST>: Jun 21 2024 07:58:25.901 -0500: %csc_nam-3-ERROR_MSG: %[tid=4840][comp=SAE]: RSN (3) RSN_EAPOL_KEY_FAILURE: Missing PMK (dot11i_sta.c 1028)
2253: <HOST>: Jun 21 2024 07:58:29.195 -0500: %csc_nam-3-ERROR_MSG: %[tid=4840][comp=SAE]: RSN (3) RSN_EAPOL_KEY_FAILURE: Missing PMK (dot11i_sta.c 1028)
2396: <HOST>: Jun 21 2024 07:58:32.328 -0500: %csc_nam-3-ERROR_MSG: %[tid=4840][comp=SAE]: RSN (3) RSN_EAPOL_KEY_FAILURE: Missing PMK (dot11i_sta.c 1028)
2539: <HOST>: Jun 21 2024 07:58:35.531 -0500: %csc_nam-3-ERROR_MSG: %[tid=4840][comp=SAE]: RSN (3) RSN_EAPOL_KEY_FAILURE: Missing PMK (dot11i_sta.c 1028)
07-03-2024 10:55 AM - edited 07-03-2024 10:58 AM
These messages are not related to incorrect PSK. Is the PSK used something that might have abnormal characters in it? Do you have a DART bundle with extended logging enabled?
Also, have they tested the latest version of Cisco Secure Client? Several fixes regarding WPA2/WPA3 compatibility mode went in those releases.
07-08-2024 09:37 AM
I did have them grab a DART bundle with extended logging. I uploaded that to the TAC case.
No abnormal characters in the PSK and it's under 16 characters. They haven't tested the new version yet.
09-20-2024 10:40 AM
Hi Chris. Having a user with the same issue. Were you ever able to find out what might be causing it?
09-20-2024 12:39 PM
I have an open TAC. So far it looks like an unconfirmed bug, possibly just an existing bug from previous versions that carried to this version. There was a previously reported bug for this exact issue, but it stated it was fixed in a future version. The bug(s) involved having invalid characters in the SSID, specifically in this case an apostrophe.
It's definitely not the best solution, but I had another user with the same issue and they just changed their home SSID to exclude apostrophes and it worked. I still have one user affected (SSID includes an apostrophe) that would not like to change their home SSID as it would be inconvenient. I just had them disable Secure Client (We're just using NAM) until I can get some kind of fix from Cisco.
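Background for the SSID finding above, as an added example that is not from the thread or from Cisco: in WPA2-Personal the 256-bit key is derived from the passphrase with the SSID bytes as the PBKDF2 salt, so a client that stores or re-encodes the SSID differently computes a different key even when the passphrase is typed correctly. The thread does not establish that this is the mechanism of the NAM bug; the SSIDs and passphrase below are constructed, and `wpa2_pmk`, `unusual_ssid_bytes` and `same_key` are hypothetical helper names.

```python
import hashlib
import hmac

# Conservative byte set used to flag SSID bytes worth a second look.
# This set is an assumption of the example, not a rule from 802.11 or Cisco.
PLAIN = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _-")

# Constructed sample values (not taken from the thread).
PASSPHRASE = "correct-horse-42"
SSID_ASCII = "Sam's WiFi".encode("utf-8")        # apostrophe is byte 0x27
SSID_CURLY = "Sam\u2019s WiFi".encode("utf-8")   # typographic apostrophe, 3 bytes


def wpa2_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def unusual_ssid_bytes(ssid: bytes) -> list[tuple[int, int]]:
    """Return (offset, byte value) for every SSID byte outside the PLAIN set."""
    return [(i, b) for i, b in enumerate(ssid) if b not in PLAIN]


def same_key(passphrase: str, ssid_a: bytes, ssid_b: bytes) -> bool:
    """True when both SSID byte strings yield the same key for one passphrase."""
    return hmac.compare_digest(wpa2_pmk(passphrase, ssid_a),
                               wpa2_pmk(passphrase, ssid_b))


if __name__ == "__main__":
    for label, ssid in (("ascii", SSID_ASCII), ("curly", SSID_CURLY)):
        flagged = [(off, hex(b)) for off, b in unusual_ssid_bytes(ssid)]
        print(label, ssid, "flagged:", flagged)
        print("  key:", wpa2_pmk(PASSPHRASE, ssid).hex())
    # Same passphrase, visually similar SSIDs, different keys: the 4-way
    # handshake would fail as if the passphrase were wrong.
    print("keys match:", same_key(PASSPHRASE, SSID_ASCII, SSID_CURLY))
```

Comparing the SSID bytes the access point broadcasts with the bytes stored in the client's saved profile is a quick check when a passphrase is known to be correct.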