The "MFP Anomaly Detected" error message appears on the WLC
In a Management Frame Protection (MFP) configuration, the wireless LAN controllers (WLCs) use the Network Time Protocol (NTP), and the mobility group is configured. If one controller reloads, after it returns and the access points (APs) join, the other controllers in the mobility group start to generate MFP anomaly traps every five minutes. The traps point to the 11a radios of the AP in the reloaded controller. This problem is only generated by these APs:
The exact error message can read:
day month date time year MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio 00:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP 00:XX:XX:XX:XX in 300 seconds when observing Probe responses
Description AP12x0, 1130: corrupt IE 235 when broadcast SSID is disabled - CSCsg50343
Symptom: LWAPP IOS Access points may send management frames with a bogus IE 235, 166 bytes in length.
This may generate MFP alerts on the other controllers for the mobility group
Conditions: LWAPP IOS APs, controlled by a WLC running 4.0.179.*.
This is fixed in 220.127.116.11.
Known Fixed Releases:
MFP anomaly detected for 11a radios of reloaded controller in group - CSCse80121
In a MFP configuration: controllers have NTP working, mobility group is configured.
If one controller is reloaded, after it comes back and the APs join, the other controllers in the mobility group will start generating MFP anomaly traps each five minutes
The traps point to the 11a radios of the AP in the reloaded controller. It was observed in the lab, that only 12XX/1130 APs generated this problem
Example of messages:
3 Mon Jul 17 15:23:28 2006 MFP Anomaly Detected - 3023 Invalid MIC event(s) found as violated by the radio 00:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP 00:XX:XX:XX:XX in 300 seconds when observing Probe responses, Beacon Frames
-MFP is enabled
-One controller in a mobility group is reloaded
-Reload all controllers
CSCse80121 has been superseded by CSCse56537 displayed below.
MFP errors when AP reverts to primary controller - CSCse56537
MFP errors when AP reverts to primary controller.
None but this appears cosmetic.
Hello together, I´ve got in Cisco Prime some Security Messages I can´t explain. Someone know something about that?1:IDS 'Deauth flood' Signature attack clearedon AP 'XXX-APXX' protocol '802.11a' onController '"Controller IP". The Signaturedescr...
Hi Mobility Community,let me share one AP connection issue I´m struggeling with, hoping someone has a good idea.We have one site with couple of different Cisco AP models connecting to a WLC 5508 v18.104.22.168 working fine. Everytime I activate a new redundan...
I am using Cisco Wireless Controller 3504 running 22.214.171.124. I use this WLC for two site, both of them running flexconnect mode. On 1 site, I have a SSID using PSK as security. Recently, some endpoint (android smartphone) cannot connect to that SSID.Can ...
To participate in this event, please use the button to ask your questions
This topic is a chance to clarify your questions about the ease with which an end user, that has no network expertise, can ...
This topic is a chance to clarify your questions about the ease with which an end user, that has no network expertise, can connect a WAN router to the network headquarters of their company from any remote location. The session provides a deep-dive into th...