01-15-2014 03:38 PM - edited 11-18-2020 03:05 AM
Wireless Client frequent disconnects when RLDP and or Rogue Containment activated on Local mode AP
Wireless Client frequently disconnects.
RLDP and Rogue Containment were found to be enabled on the WLC. Both cause client disconnections, as demonstrated below using AP logs and debugs.
Disable RLDP
Disable Rogue containment
Use Monitor mode for RLDP
Don't contain APs if they're not malicious
Note: Monitor mode cannot be used exclusively for rogue containment; any nearby detecting AP will contain the rogue. However, preference is given to a nearby Monitor mode AP.
Issue: frequent client disconnects. RLDP and Rogue containment were found enabled, with a rogue being contained by Cisco AP(s). With this configuration enabled, what we're seeing is expected behavior.
5500 - 7.3.101.0
AP - 12 - 3602i - local mode
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
*During the RLDP process, the AP is unable to serve clients. This will negatively impact performance and connectivity for local mode APs.
*Because containment uses a portion of the managed AP's radio time to send the de-authentication frames, the performance to both data and voice clients is negatively impacted by up to 20%. For data clients, the impact is reduced throughput. For voice clients, containment can cause interruptions in conversations and reduced voice quality. Containment works by spoofing de-authentication packets with the spoofed source address of the rogue AP so that any clients associated are kicked off.
Effect of RLDP (AP log showing radio resets):
We can see the radio going down and up around each RLDP start/stop. During that time the AP cannot serve its wireless clients.
*Apr 30 09:41:03.847: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 09:41:04.839: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to down
*Apr 30 09:41:04.871: LINK-6-UPDOWN Interface Dot11Radio0, changed state to up
*Apr 30 09:41:04.875: d8c7.c8a4.ba30-no legacy rates; default to lowest CCK/OFDM rate
*Apr 30 09:41:05.871: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to up
*Apr 30 09:41:20.119: LWAPP-5-RLDP RLDP stopped on slot 0.
*Apr 30 09:41:20.263: LINK-6-UPDOWN Interface Dot11Radio0, changed state to down
*Apr 30 09:41:20.271: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 09:41:21.263: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to down
*Apr 30 09:41:21.311: LINK-6-UPDOWN Interface Dot11Radio0, changed state to up
*Apr 30 09:41:22.311: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to up
*Apr 30 20:35:59.683: LWAPP-5-RLDP RLDP started on slot 0.
*Apr 30 20:35:59.687: LINK-6-UPDOWN Interface Dot11Radio0, changed state to down
*Apr 30 20:35:59.695: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 20:36:00.687: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to down
*Apr 30 20:36:00.719: LINK-6-UPDOWN Interface Dot11Radio0, changed state to up
*Apr 30 20:36:00.723: c08a.de01.7698-no legacy rates; default to lowest CCK/OFDM rate
*Apr 30 20:36:01.719: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to up
*Apr 30 20:36:16.279: LWAPP-5-RLDP RLDP stopped on slot 0.
*Apr 30 20:36:16.283: LINK-6-UPDOWN Interface Dot11Radio0, changed state to down
*Apr 30 20:36:16.291: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 20:36:17.283: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to down
*Apr 30 20:36:17.319: LINK-6-UPDOWN Interface Dot11Radio0, changed state to up
*Apr 30 20:36:18.319: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to up
*Apr 30 23:36:28.247: LWAPP-5-RLDP RLDP started on slot 0.
*Apr 30 23:36:28.255: LINK-6-UPDOWN Interface Dot11Radio0, changed state to down
*Apr 30 23:36:28.263: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 23:36:29.255: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to down
*Apr 30 23:36:29.283: LINK-6-UPDOWN Interface Dot11Radio0, changed state to up
*Apr 30 23:36:29.287: 0026.3e8f.5802-no legacy rates; default to lowest CCK/OFDM rate
*Apr 30 23:36:30.283: LINEPROTO-5-UPDOWN Line protocol on Interface Dot11Radio0, changed state to up
Effect of containment (AP debug showing the AP sending broadcast deauth packets):
We can see the containment frames sent by the AP. While sending them, the AP can't talk to its clients.
DOC-HQ-AP18.1#sh deb
DTLS:
DTLS ERROR debugging is on
LWAPP:
LWAPP Client ERROR display debugging is on
CAPWAP:
CAPWAP Client ERROR display debugging is on
CAPWAP IDS Rogue Containment debugging is on
CAPWAP IDS Active Rogue Containment debugging is on
CAPWAP console CLI allow/disallow debugging is on
*May 1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:09.623: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:10.139: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:10.623: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:11.143: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:11.663: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:12.159: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:12.631: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:13.127: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:13.635: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:14.155: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:14.667: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:15.179: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:15.691: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:16.191: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
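As an added example (not part of the original note), a small Python parser that walks AP log lines like those above and summarises RLDP windows, radio resets and containment deauth bursts, so the AP-side timeline can be correlated with client disconnect reports. The sample log is constructed from the excerpts quoted above; the year in parse_ts is an assumption, since the AP log omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: excerpts of the AP syslog and containment debug quoted on this page.
AP_LOG = """\
*Apr 30 09:41:03.847: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 09:41:20.119: LWAPP-5-RLDP RLDP stopped on slot 0.
*Apr 30 09:41:20.271: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 20:35:59.683: LWAPP-5-RLDP RLDP started on slot 0.
*Apr 30 20:35:59.695: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*Apr 30 20:36:16.279: LWAPP-5-RLDP RLDP stopped on slot 0.
*Apr 30 20:36:16.291: LINK-5-CHANGED Interface Dot11Radio0, changed state to reset
*May 1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:09.623: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
"""

TS = r"^\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
RLDP_RE = re.compile(TS + r"LWAPP-5-RLDP RLDP (started|stopped) on slot (\d+)")
RESET_RE = re.compile(TS + r"LINK-5-CHANGED Interface Dot11Radio\d, changed state to reset")
CONTAIN_RE = re.compile(TS + r"IDS ROGUE CONTAIN: ([0-9A-F:]{17}): .*Deauth Bcast on channel = (\d+)")

def parse_ts(stamp):
    # The AP log carries no year; assume one so timestamps are comparable (assumption).
    return datetime.strptime("2013 " + stamp, "%Y %b %d %H:%M:%S.%f")

def analyze(log_text):
    """Return RLDP windows (slot, start, stop, seconds), radio reset count and containment bursts."""
    rldp_open, rldp_windows, resets = {}, [], 0
    contain = defaultdict(list)
    for line in log_text.splitlines():
        if m := RLDP_RE.match(line):
            ts, state, slot = parse_ts(m[1]), m[2], m[3]
            if state == "started":
                rldp_open[slot] = ts
            else:
                # A 'stopped' with no visible 'started' is recorded as an open-ended window.
                start = rldp_open.pop(slot, None)
                rldp_windows.append((slot, start, ts, (ts - start).total_seconds() if start else None))
        elif RESET_RE.match(line):
            resets += 1
        elif m := CONTAIN_RE.match(line):
            contain[(m[2], int(m[3]))].append(parse_ts(m[1]))
    containment = {}
    for key, stamps in contain.items():
        # Deauth broadcast rate per (rogue BSSID, channel); each frame is radio time lost to clients.
        span = (stamps[-1] - stamps[0]).total_seconds()
        containment[key] = {"frames": len(stamps),
                            "frames_per_sec": round((len(stamps) - 1) / span, 2) if span else None}
    return {"rldp_windows": rldp_windows, "radio_resets": resets, "containment": containment}
```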
http://www.cisco.com/en/US/prod/collateral/modules/ps12859/ps12867/white_paper_c11-723471.html
The current deployment guideline is to use one monitor mode access point for every five local mode access points. In order to get similar detection times, we recommend that two out of five local mode access points.
Cisco Aironet Access Point Module for Wireless Security and Spectrum Intelligence (WSSI)