Saravanan Lakshmanan
Cisco Employee
    Introduction

    Wireless clients disconnect frequently when RLDP and/or Rogue Containment are active on local mode APs.

    Symptom

    Wireless clients disconnect frequently.

    Condition/Environment

    RLDP and Rogue Containment were found to be enabled on the WLC, and a rogue was being actively contained by the Cisco APs. Both features take the serving radio of a local mode AP away from its clients for a period of time, which is what causes the disconnects; the AP logs and debugs below demonstrate this.

    Fix/Workaround

    Disable RLDP
    Disable Rogue containment
    Use Monitor mode for RLDP
    Do not contain rogue APs that are not actually malicious (classify or ignore them instead)

    Note: Monitor mode APs cannot be made the only APs that perform rogue containment. Any nearby AP that detects the rogue may be used to contain it; preference is given to a nearby Monitor mode AP, but a local mode AP will still be used when one is the detecting AP.

    Issue: frequent client disconnects. RLDP and Rogue Containment were found to be enabled, with a rogue being contained by the Cisco AP(s). With this configuration, what we are seeing is expected behaviour.
    
    WLC: 5500 series, software 7.3.101.0
    AP: 12 x 3602i, local mode
    
    From the Cisco rogue management tech note (http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml):
    * During the RLDP process, the AP is unable to serve clients. This will negatively impact performance and connectivity for local mode APs.
    
    * Because containment uses a portion of the managed AP's radio time to send the de-authentication frames, the performance to both data and voice clients is negatively impacted by up to 20%. For data clients, the impact is reduced throughput. For voice clients, containment can cause interruptions in conversations and reduced voice quality. Containment works by spoofing de-authentication packets with the spoofed source address of the rogue AP so that any clients associated are kicked off.
    
    Effect of RLDP (AP log showing radio resets):
    Each time RLDP starts and stops on the slot, the radio goes down, resets and comes back up. From "RLDP started" until the line protocol is back up after "RLDP stopped" (roughly 19 seconds per cycle in this log), the AP cannot talk to wireless clients on that radio.
    *Apr 30 09:41:03.847:  LINK-5-CHANGED  Interface Dot11Radio0, changed state to reset
    *Apr 30 09:41:04.839:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 30 09:41:04.871:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to up
    *Apr 30 09:41:04.875: d8c7.c8a4.ba30-no legacy rates; default to lowest CCK/OFDM rate
    *Apr 30 09:41:05.871:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 30 09:41:20.119:  LWAPP-5-RLDP  RLDP stopped on slot 0.
    *Apr 30 09:41:20.263:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to down
    *Apr 30 09:41:20.271:  LINK-5-CHANGED  Interface Dot11Radio0, changed state to reset
    *Apr 30 09:41:21.263:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 30 09:41:21.311:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to up
    *Apr 30 09:41:22.311:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 30 20:35:59.683:  LWAPP-5-RLDP  RLDP started on slot 0.
    *Apr 30 20:35:59.687:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to down
    *Apr 30 20:35:59.695:  LINK-5-CHANGED  Interface Dot11Radio0, changed state to reset
    *Apr 30 20:36:00.687:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 30 20:36:00.719:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to up
    *Apr 30 20:36:00.723: c08a.de01.7698-no legacy rates; default to lowest CCK/OFDM rate
    *Apr 30 20:36:01.719:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 30 20:36:16.279:  LWAPP-5-RLDP  RLDP stopped on slot 0.
    *Apr 30 20:36:16.283:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to down
    *Apr 30 20:36:16.291:  LINK-5-CHANGED  Interface Dot11Radio0, changed state to reset
    *Apr 30 20:36:17.283:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 30 20:36:17.319:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to up
    *Apr 30 20:36:18.319:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 30 23:36:28.247:  LWAPP-5-RLDP  RLDP started on slot 0.
    *Apr 30 23:36:28.255:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to down
    *Apr 30 23:36:28.263:  LINK-5-CHANGED  Interface Dot11Radio0, changed state to reset
    *Apr 30 23:36:29.255:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 30 23:36:29.283:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to up
    *Apr 30 23:36:29.287: 0026.3e8f.5802-no legacy rates; default to lowest CCK/OFDM rate
    *Apr 30 23:36:30.283:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to up
    
    Effect of containment (AP debug showing the AP sending broadcast deauth frames):
    The debug shows the containment frames sent by the AP: a broadcast deauthentication with the rogue BSSID as the spoofed source, roughly twice per second on the rogue's channel. While the AP is doing this, it cannot talk to its own clients.
    DOC-HQ-AP18.1#sh deb
    DTLS:
      DTLS ERROR debugging is on
    LWAPP:
      LWAPP Client ERROR display debugging is on
    CAPWAP:
      CAPWAP Client ERROR display debugging is on
      CAPWAP IDS Rogue Containment debugging is on
      CAPWAP IDS Active Rogue Containment debugging is on
      CAPWAP console CLI allow/disallow debugging is on
    
    *May  1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:09.623: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:10.139: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:10.623: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:11.143: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:11.663: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:12.159: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:12.631: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:13.127: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:13.635: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:14.155: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:14.667: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:15.179: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:15.691: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May  1 22:07:16.191: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
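    The correlation a practitioner would do on the two excerpts above (the RLDP radio-reset log and the containment debug), as an added example that is not part of the original post and not Cisco code. It parses the AP timestamp prefix, turns each "RLDP started"/"RLDP stopped" pair into the window during which the radio could not serve clients, and counts the spoofed broadcast deauths per rogue BSSID to get the containment frame rate. The sample lines are condensed from the excerpts on this page; the year is an assumption (AP syslog timestamps carry none) and all function and field names are the example's own.

```python
"""Correlate Cisco AP log/debug lines with client-impacting radio events.

Added example, not code from the original post. Parses the timestamp prefix
used by the AP ("*Apr 30 20:35:59.683:"), the LWAPP-5-RLDP start/stop and
Dot11Radio line-protocol messages, and the 'IDS ROGUE CONTAIN ... Sending
Deauth Bcast' debug lines shown above.
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2013  # assumption: AP syslog lines carry no year

# "*Apr 30 20:35:59.683: msg" or "*May  1 22:07:08.651: msg" (double space)
_TS = re.compile(r"^\*(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2})\.(\d{3}):\s*(.*)$")
_RLDP = re.compile(r"RLDP (started|stopped) on slot (\d+)")
_LINE_UP = re.compile(r"Line protocol on Interface Dot11Radio(\d+), changed state to up")
_DEAUTH = re.compile(r"IDS ROGUE CONTAIN: ([0-9A-F:]{17}): .*Sending Deauth Bcast on channel = (\d+)")


def parse_line(line):
    """Return (timestamp, message) for an AP log line, or None without a timestamp."""
    m = _TS.match(line.strip())
    if not m:
        return None
    mon, day, hh, mm, ss, ms, msg = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {int(day)} {hh}:{mm}:{ss}.{ms}",
                           "%Y %b %d %H:%M:%S.%f")
    return ts, msg


def rldp_windows(lines):
    """Windows during which RLDP kept a local-mode AP radio away from clients.

    A window opens at 'RLDP started on slot N' and closes at the first
    line-protocol-up on Dot11RadioN after the matching 'RLDP stopped'. A
    start with no stop yet (RLDP still running, or log cut off) is returned
    with end=None. A stop with no preceding start (log began mid-cycle, as
    at 09:41 above) cannot be measured and is skipped.
    """
    windows, open_by_slot, stopped = [], {}, set()
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, msg = parsed
        m = _RLDP.search(msg)
        if m:
            slot = int(m.group(2))
            if m.group(1) == "started":
                open_by_slot[slot] = ts
                stopped.discard(slot)
            elif slot in open_by_slot:
                stopped.add(slot)
            continue
        m = _LINE_UP.search(msg)
        if m and int(m.group(1)) in stopped:
            slot = int(m.group(1))
            start = open_by_slot.pop(slot)
            stopped.discard(slot)
            windows.append({"slot": slot, "start": start, "end": ts,
                            "seconds": (ts - start).total_seconds()})
    for slot, start in open_by_slot.items():
        windows.append({"slot": slot, "start": start, "end": None, "seconds": None})
    return windows


def containment_stats(lines):
    """Per rogue BSSID: broadcast deauth count, channels, span and frame rate.

    Each containment frame is airtime the AP spends spoofing the rogue's
    BSSID instead of serving its own clients. Rate is (frames-1)/span so a
    single frame does not divide by zero.
    """
    per = {}
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, msg = parsed
        m = _DEAUTH.search(msg)
        if not m:
            continue
        d = per.setdefault(m.group(1), {"first": ts, "last": ts, "frames": 0, "channels": set()})
        d["frames"] += 1
        d["last"] = ts
        d["channels"].add(int(m.group(2)))
    out = {}
    for bssid, d in per.items():
        span = (d["last"] - d["first"]).total_seconds()
        rate = (d["frames"] - 1) / span if d["frames"] > 1 and span > 0 else 0.0
        out[bssid] = {"frames": d["frames"], "channels": sorted(d["channels"]),
                      "span_s": span, "frames_per_s": round(rate, 2)}
    return out


# Constructed sample: condensed from the AP log and debug excerpts on this page.
SAMPLE_LOG = """\
*Apr 30 20:35:59.683:  LWAPP-5-RLDP  RLDP started on slot 0.
*Apr 30 20:35:59.687:  LINK-6-UPDOWN  Interface Dot11Radio0, changed state to down
*Apr 30 20:36:00.687:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to down
*Apr 30 20:36:01.719:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to up
*Apr 30 20:36:16.279:  LWAPP-5-RLDP  RLDP stopped on slot 0.
*Apr 30 20:36:17.283:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to down
*Apr 30 20:36:18.319:  LINEPROTO-5-UPDOWN  Line protocol on Interface Dot11Radio0, changed state to up
*Apr 30 23:36:28.247:  LWAPP-5-RLDP  RLDP started on slot 0.
*May  1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May  1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May  1 22:07:09.623: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May  1 22:07:10.139: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
""".splitlines()

if __name__ == "__main__":
    for w in rldp_windows(SAMPLE_LOG):
        print("RLDP slot %d: radio unavailable from %s until %s (%s s)"
              % (w["slot"], w["start"], w["end"] or "still running", w["seconds"]))
    for bssid, s in containment_stats(SAMPLE_LOG).items():
        print("containment of %s: %d deauth bcasts on ch %s, %.2f frames/s"
              % (bssid, s["frames"], s["channels"], s["frames_per_s"]))
```

    Feed it the output of `show log` and `debug capwap ids rogue-containment` from the affected AP (the trace levels shown in `sh deb` above) and the numbers make the impact concrete: every RLDP cycle on a local mode AP is a fresh window of roughly 19 seconds during which clients on that radio are dropped, and a containing AP spends a deauth transmission about every half second on the rogue's channel for as long as the rogue stays contained.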


    Monitor mode deployment guidance, from the WSSI white paper (http://www.cisco.com/en/US/prod/collateral/modules/ps12859/ps12867/white_paper_c11-723471.html):
    
    The current deployment guideline is to use one monitor mode access point for every five local mode access points. In order to get similar detection times, we recommend that two out of five local mode access points.

    More Information

    Cisco Aironet Access Point Module for Wireless Security and Spectrum Intelligence (WSSI)
