cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8708
Views
0
Helpful
0
Comments
TCC_2
Level 10
Level 10

 

Introduction

The "MFP Anomaly Detected" error message appears on the WLC

Core Issue

In a Management Frame Protection (MFP) configuration, the wireless LAN controllers (WLCs) use the Network Time Protocol (NTP), and the mobility group is configured. If one controller reloads, after it returns and the access points (APs) join, the other controllers in the mobility group start to generate MFP anomaly traps every five minutes. The traps point to the 11a radios of the AP in the reloaded controller. This problem is only generated by these APs:

  • 12XX
  • 1130

The exact error message can read:

day month date time year MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio 00:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP 00:XX:XX:XX:XX in 300 seconds when observing Probe responses

Resolution

Description
AP12x0, 1130: corrupt IE 235 when broadcast SSID is disabled - CSCsg50343

Symptom:
LWAPP IOS Access points may send management frames with a bogus IE 235,
166 bytes in length.

Example:
Vendor Specific
Element ID: 221 Vendor Specific - Cisco
Length: 29
OUI: 0x00-0x40-0x96
Data:
.....~.......... 0C 01 00 F8 CB 7E 85 83 0E 01 00 00 00 00 00 00
.......... 00 00 00 00 00 00 00 00 00 00

Element ID: 235
Length: 166
Value: 
0x3C6080007C7AFBA67C0004AC4C00012C4E8000207C001F8C4C00012C7CE000A63C60FFFD60636DCF7CE318387C6001247D3AEAA6388000017D2420787C9AEBA600000000008CB630000D38F00D8A443900707E243D306100003B1F18D5F49BBA6532C492556C07A66BE7FC067CCBDD3
@C445A69726C8342D28D9A1FE940181FDB0FB29FAA4EF308A317FE79E88C9E5BAA002298F4C79649296F0000000000897479962DCFB270

This may generate MFP alerts on the other controllers for the mobility group

Conditions:
LWAPP IOS APs, controlled by a WLC running 4.0.179.*.

Workaround:
None.

This is fixed in 4.0.206.0.

Known Fixed Releases:

  • 12.3(11)JA1
  • 12.4(3g)JA
  • 12.3(8)JEB


MFP anomaly detected for 11a radios of reloaded controller in group - CSCse80121

Symptom:
In a MFP configuration: controllers have NTP working, mobility group is configured.

If one controller is reloaded, after it comes back and the APs join, the other controllers in the mobility group will start generating MFP anomaly traps each five minutes

The traps point to the 11a radios of the AP in the reloaded controller. It was observed in the lab, that only 12XX/1130 APs generated this problem

Example of messages:
3 Mon Jul 17 15:23:28 2006 MFP Anomaly Detected - 3023 Invalid MIC event(s) found as violated by the radio 00:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP 00:XX:XX:XX:XX in 300 seconds when observing Probe responses, Beacon Frames 

Conditions:
-MFP is enabled
-One controller in a mobility group is reloaded

Workaround:
-Disable MFP
-Reload all controllers

CSCse80121 has been superseded by CSCse56537 displayed below. 

Description
MFP errors when AP reverts to primary controller - CSCse56537

Symptom:
MFP errors when AP reverts to primary controller.

Workaround:
None but this appears cosmetic.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: