Introduction
Wireless Client Recovery on Win 7 and XP from Symantec Network Protection and Firewall.
Symantec Mess with 802.1X 'timeoutEvt' Timer expired for station and for message = M3
Issue
EAP/Eapol process is not getting completed, irrespective of A/G radio is used on the intel/Broadcom card. no issue when using wep, wpa-psk.
WLC code - 7.0.240.0, WLC code doesn't matter.
APs - 3502is and 1142s - All on local mode.
wlan 3 - WPA2+802.1X PEAP + mshcapv2
ssid is broadcasted.
Radius server nps 2008
Symantec antivirus software is installed on all the PCs
using Asus, Braodcom, Intel - win7, win-xp
Affected Hardware/Software
- Affected OS - windows 7 and XP
- Affected Wireless adapter - Intel(6205) and Broadcom
- Affected Driver/Supplicant - 15.2.0.19, using Native Supplicant.
Fix/Workaround
Disable Symantec Network Protection and Firewall on win7 and xp. It is an Symantec issue with Win 7 and XP OS.
Wireless client debug output
*dot1xMsgTask: Apr 12 11:45:39.335: 84:3a:4b:7a:d5:ac Retransmit 1 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:44.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:44.336: 84:3a:4b:7a:d5:ac Retransmit 2 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:49.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:49.336: 84:3a:4b:7a:d5:ac Retransmit 3 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:54.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:54.337: 84:3a:4b:7a:d5:ac Retransmit 4 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:59.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:59.336: 84:3a:4b:7a:d5:ac Retransmit failure for EAPOL-Key M3 to mobile 84:3a:4b:7a:d5:ac, retransmit count 5, mscb deauth count 0
*dot1xMsgTask: Apr 12 11:45:59.338: 84:3a:4b:7a:d5:ac Sent Deauthenticate to mobile on BSSID c8:f9:f9:89:15:60 slot 1(caller
Symantec Ticket
Symantec Ticket/Case: 04192658
Subject: Multiple devices failing to negotiate EAPOL-key
Note:
There's a syndrome in 15.2 (also seen in earlier versions) that goes like this: client gets M1 from AP client sends M2 client gets M3 from AP client plumbs the new pairwise key before it sends out M4 client transmits the M4 encrypted with the new key AP drops the M4 message as a "decrypt error" WLC 'debug client' show that we are timing out on M3 retransmissions. Evidently, this is a problem between Microsoft and Symantec, not Intel specific. Workaround is to remove Symantec. This is really a bug that is probably in windows, triggered by Symantec. "Tweaking the EAP timer doesn't fix this issue"
Regards to this issue, Cisco TAC will forward the affected Customers to Symantec and Microsoft.