Wireless Client Recovery on Win 7 and XP from Symantec Network Protection and Firewall

Saravanan Lakshmanan · ‎05-06-2013

Introduction

Wireless Client Recovery on Win 7 and XP from Symantec Network Protection and Firewall.

Symantec Mess with 802.1X 'timeoutEvt' Timer expired for station and for message = M3

Issue

EAP/Eapol process is not getting completed, irrespective of A/G radio is used on the intel/Broadcom card. no issue when using wep, wpa-psk.

WLC code - 7.0.240.0, WLC code doesn't matter.

APs - 3502is and 1142s - All on local mode.
wlan 3 - WPA2+802.1X PEAP + mshcapv2
ssid is broadcasted.
Radius server nps 2008
Symantec antivirus software is installed on all the PCs

using Asus, Braodcom, Intel - win7, win-xp

Affected Hardware/Software

Affected OS - windows 7 and XP
Affected Wireless adapter - Intel(6205) and Broadcom
Affected Driver/Supplicant - 15.2.0.19, using Native Supplicant.

Fix/Workaround

Disable Symantec Network Protection and Firewall on win7 and xp. It is an Symantec issue with Win 7 and XP OS.

Wireless client debug output

*dot1xMsgTask: Apr 12 11:45:39.335: 84:3a:4b:7a:d5:ac Retransmit 1 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:44.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:44.336: 84:3a:4b:7a:d5:ac Retransmit 2 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:49.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:49.336: 84:3a:4b:7a:d5:ac Retransmit 3 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:54.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:54.337: 84:3a:4b:7a:d5:ac Retransmit 4 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
*osapiBsnTimer: Apr 12 11:45:59.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
*dot1xMsgTask: Apr 12 11:45:59.336: 84:3a:4b:7a:d5:ac Retransmit failure for EAPOL-Key M3 to mobile 84:3a:4b:7a:d5:ac, retransmit count 5, mscb deauth count 0
*dot1xMsgTask: Apr 12 11:45:59.338: 84:3a:4b:7a:d5:ac Sent Deauthenticate to mobile on BSSID c8:f9:f9:89:15:60 slot 1(caller

Symantec Ticket

Symantec Ticket/Case: 04192658
Subject: Multiple devices failing to negotiate EAPOL-key

Note:
There's a syndrome in 15.2 (also seen in earlier versions) that goes like this: client gets M1 from AP client sends M2 client gets M3 from AP client plumbs the new pairwise key before it sends out M4 client transmits the M4 encrypted with the new key AP drops the M4 message as a "decrypt error" WLC 'debug client' show that we are timing out on M3 retransmissions. Evidently, this is a problem between Microsoft and Symantec, not Intel specific. Workaround is to remove Symantec. This is really a bug that is probably in windows, triggered by Symantec. "Tweaking the EAP timer doesn't fix this issue"

Regards to this issue, Cisco TAC will forward the affected Customers to Symantec and Microsoft.

sin · ‎05-29-2013

I seem to have run into this problem with 8510+2602 running 7.4.100.0 and the client using Intel driver 15.2.0.19.

Any one knows if it can be fixed with a Intel driver upgrade?

Saravanan Lakshmanan · ‎05-29-2013

Please work with Symantec - Ticket/Case: 04192658