Introduction
The "MFP Anomaly Detected" error message appears on the WLC
Core Issue
In a Management Frame Protection (MFP) configuration, the wireless LAN controllers (WLCs) use the Network Time Protocol (NTP), and the mobility group is configured. If one controller reloads, after it returns and the access points (APs) join, the other controllers in the mobility group start to generate MFP anomaly traps every five minutes. The traps point to the 11a radios of the AP in the reloaded controller. This problem is only generated by these APs:
The exact error message can read:
day month date time year MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio 00:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP 00:XX:XX:XX:XX in 300 seconds when observing Probe responses
Resolution
Description
AP12x0, 1130: corrupt IE 235 when broadcast SSID is disabled - CSCsg50343
Symptom:
LWAPP IOS Access points may send management frames with a bogus IE 235,
166 bytes in length.
Example:
Vendor Specific
Element ID: 221 Vendor Specific - Cisco
Length: 29
OUI: 0x00-0x40-0x96
Data:
.....~.......... 0C 01 00 F8 CB 7E 85 83 0E 01 00 00 00 00 00 00
.......... 00 00 00 00 00 00 00 00 00 00
Element ID: 235
Length: 166
Value:
0x3C6080007C7AFBA67C0004AC4C00012C4E8000207C001F8C4C00012C7CE000A63C60FFFD60636DCF7CE318387C6001247D3AEAA6388000017D2420787C9AEBA600000000008CB630000D38F00D8A443900707E243D306100003B1F18D5F49BBA6532C492556C07A66BE7FC067CCBDD3
@C445A69726C8342D28D9A1FE940181FDB0FB29FAA4EF308A317FE79E88C9E5BAA002298F4C79649296F0000000000897479962DCFB270
This may generate MFP alerts on the other controllers for the mobility group
Conditions:
LWAPP IOS APs, controlled by a WLC running 4.0.179.*.
Workaround:
None.
This is fixed in 4.0.206.0.
Known Fixed Releases:
- 12.3(11)JA1
- 12.4(3g)JA
- 12.3(8)JEB
MFP anomaly detected for 11a radios of reloaded controller in group - CSCse80121
Symptom:
In a MFP configuration: controllers have NTP working, mobility group is configured.
If one controller is reloaded, after it comes back and the APs join, the other controllers in the mobility group will start generating MFP anomaly traps each five minutes
The traps point to the 11a radios of the AP in the reloaded controller. It was observed in the lab, that only 12XX/1130 APs generated this problem
Example of messages:
3 Mon Jul 17 15:23:28 2006 MFP Anomaly Detected - 3023 Invalid MIC event(s) found as violated by the radio 00:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP 00:XX:XX:XX:XX in 300 seconds when observing Probe responses, Beacon Frames
Conditions:
-MFP is enabled
-One controller in a mobility group is reloaded
Workaround:
-Disable MFP
-Reload all controllers
CSCse80121 has been superseded by CSCse56537 displayed below.
Description
MFP errors when AP reverts to primary controller - CSCse56537
Symptom:
MFP errors when AP reverts to primary controller.
Workaround:
None but this appears cosmetic.