802.11 Association Status, 802.11 Deauth Reason codes - Page 2

Saravanan Lakshmanan · ‎05-17-2013

Introduction

802.11 Association Status, 802.11 Deauth Reason codes

802.11 Association Status Codes

Code	802.11 definition	Explanation
0	Successful
1	Unspecified failure	For example : when there is no ssid specified in an association request
10	Cannot support all requested capabilities in the Capability Information field	Example Test: Reject when privacy bit is set for WLAN not requiring security
11	Reassociation denied due to inability to confirm that association exists	NOT SUPPORTED
12	Association denied due to reason outside the scope of this standard	Example : When controller receives assoc from an unknown or disabled SSID
13	Responding station does not support the specified authentication algorithm	For example, MFP is disabled but was requested by the client.
14	Received an Authentication frame with authentication transaction sequence number out of expected sequence	If the authentication sequence number is not correct.
15	Authentication rejected because of challenge failure
16	Authentication rejected due to timeout waiting for next frame in sequence
17	Association denied because AP is unable to handle additional associated stations	Will happen if you run out of AIDs on the AP; so try associating a large number of stations.
18	Association denied due to requesting station not supporting all of the data rates in the BSSBasicRateSet parameter	Will happen if the rates in the assoc request are not in the BasicRateSet in the beacon.
19	Association denied due to requesting station not supporting the short preamble option	NOT SUPPORTED
20	Association denied due to requesting station not supporting the PBCC modulation option	NOT SUPPORTED
21	Association denied due to requesting station not supporting the Channel Agility option	NOT SUPPORTED
22	Association request rejected because Spectrum Management capability is required	NOT SUPPORTED
23	Association request rejected because the information in the Power Capability element is unacceptable	NOT SUPPORTED
24	Association request rejected because the information in the Supported Channels element is unacceptable	NOT SUPPORTED
25	Association denied due to requesting station not supporting the Short Slot Time option	NOT SUPPORTED
26	Association denied due to requesting station not supporting the DSSS-OFDM option	NOT SUPPORTED
27-31	Reserved	NOT SUPPORTED
32	Unspecified, QoS-related failure	NOT SUPPORTED
33	Association denied because QAP has insufficient bandwidth to handle another QSTA	NOT SUPPORTED
34	Association denied due to excessive frame loss rates and/or poor conditions on current operating channel	NOT SUPPORTED
35	Association (with QBSS) denied because the requesting STA does not support the QoS facility	If the WMM is required by the WLAN and the client is not capable of it, the association will get rejected.
36	Reserved in 802.11	This is used in our code ! There is no blackbox test for this status code.
37	The request has been declined	This is not used in assoc response; ignore
38	The request has not been successful as one or more parameters have invalid values	NOT SUPPORTED
39	The TS has not been created because the request cannot be honored; however, a suggested TSPEC is provided so that the initiating QSTA may attempt to set another TS with the suggested changes to the TSPEC	NOT SUPPORTED
40	Invalid information element, i.e., an information element defined in this standard for which the content does not meet the specifications in Clause 7	Sent when Aironet IE is not present for a CKIP WLAN
41	Invalid group cipher	Used when received unsupported Multicast 802.11i OUI Code
42	Invalid pairwise cipher
43	Invalid AKMP
44	Unsupported RSN information element version	If you put anything but version value of 1, you will see this code.
45	Invalid RSN information element capabilities	If WPA/RSN IE is malformed, such as incorrect length etc, you will see this code.
46	Cipher suite rejected because of security policy	NOT SUPPORTED
47	The TS has not been created; however, the HC may be capable of creating a TS, in response to a request, after the time indicated in the TS Delay element	NOT SUPPORTED
48	Direct link is not allowed in the BSS by policy	NOT SUPPORTED
49	Destination STA is not present within this QBSS	NOT SUPPORTED
50	The Destination STA is not a QSTA	NOT SUPPORTED
51	Association denied because the ListenInterval is too large	NOT SUPPORTED
200 (0xC8)	Unspecified, QoS-related failure. Not defined in IEEE, defined in CCXv4	Unspecified QoS Failure. This will happen if the Assoc request contains more than one TSPEC for the same AC.
201 (0xC9)	TSPEC request refused due to AP’s policy configuration (e.g., AP is configured to deny all TSPEC requests on this SSID). A TSPEC will not be suggested by the AP for this reason code. Not defined in IEEE, defined in CCXv4	This will happen if a TSPEC comes to a WLAN which has lower priority than the WLAN priority settings. For example a Voice TSPEC coming to a Silver WLAN. Only applies to CCXv4 clients.
202 (0xCA)	Association Denied due to AP having insufficient bandwidth to handle a new TS. This cause code will be useful while roaming only. Not defined in IEEE, defined in CCXv4
203 (0xCB)	Invalid Parameters. The request has not been successful as one or more TSPEC parameters in the request have invalid values. A TSPEC SHALL be present in the response as a suggestion. Not defined in IEEE, defined in CCXv4	This happens in cases such as PHY rate mismatch. If the TSRS IE contains a phy rate not supported by the controller, for example. Other examples include sending a TSPEC with bad parameters, such as sending a date rate of 85K for a narrowband TSPEC.

802.11 Deauth Reason Codes

When running a client debug, this code will match the ReasonCode from the output: "Scheduling mobile for deletion with delete Reason x, reasonCode y"

Code	802.11 definition	Explanation
0	Reserved	NOT SUPPORTED
1	Unspecified reason	TBD
2	Previous authentication no longer valid	NOT SUPPORTED
3	station is leaving (or has left) IBSS or ESS	NOT SUPPORTED
4	Disassociated due to inactivity	Do not send any data after association;
5	Disassociated because AP is unable to handle all currently associated stations	TBD
6	Class 2 frame received from nonauthenticated station	NOT SUPPORTED
7	Class 3 frame received from nonassociated station	NOT SUPPORTED
8	Disassociated because sending station is leaving (or has left) BSS	TBD
9	Station requesting (re)association is not authenticated with responding station	NOT SUPPORTED
10	Disassociated because the information in the Power Capability element is unacceptable	NOT SUPPORTED
11	Disassociated because the information in the Supported Channels element is unacceptable	NOT SUPPORTED
12	Reserved	NOT SUPPORTED
13	Invalid information element, i.e., an information element defined in this standard for which the content does not meet the specifications in Clause 7	NOT SUPPORTED
14	Message integrity code (MIC) failure	NOT SUPPORTED
15	4-Way Handshake timeout	NOT SUPPORTED
16	Group Key Handshake timeout	NOT SUPPORTED
17	Information element in 4-Way Handshake different from (Re)Association Request/Probe Response/Beacon frame	NOT SUPPORTED
18	Invalid group cipher	NOT SUPPORTED
19	Invalid pairwise cipher	NOT SUPPORTED
20	Invalid AKMP	NOT SUPPORTED
21	Unsupported RSN information element version	NOT SUPPORTED
22	Invalid RSN information element capabilities	NOT SUPPORTED
23	IEEE 802.1X authentication failed	NOT SUPPORTED
24	Cipher suite rejected because of the security policy	NOT SUPPORTED
25-31	Reserved	NOT SUPPORTED
32	Disassociated for unspecified, QoS-related reason	NOT SUPPORTED
33	Disassociated because QAP lacks sufficient bandwidth for this QSTA	NOT SUPPORTED
34	Disassociated because excessive number of frames need to be acknowledged, but are not acknowledged due to AP transmissions and/or poor channel conditions	NOT SUPPORTED
35	Disassociated because QSTA is transmitting outside the limits of its TXOPs	NOT SUPPORTED
36	Requested from peer QSTA as the QSTA is leaving the QBSS (or resetting)	NOT SUPPORTED
37	Requested from peer QSTA as it does not want to use the mechanism	NOT SUPPORTED
38	Requested from peer QSTA as the QSTA received frames using the mechanism for which a setup is required	NOT SUPPORTED
39	Requested from peer QSTA due to timeout	NOT SUPPORTED
40	Peer QSTA does not support the requested cipher suite	NOT SUPPORTED
46-65535	46--65 535 Reserved	NOT SUPPORTED
98	Cisco defined	TBD
99	Cisco defined Used when the reason code sent in a deassoc req or deauth by the client is invalid – invalid length, invalid value etc	Example: Send a Deauth to the AP with the reason code to be invalid, say zero

ashankar80 · ‎11-02-2016

Hi Saravanan, What should be the error code, if STA does not send any rate in assoc request? Regards, amar

nipunsupport · ‎02-01-2017

Hi Saravanan,

i found one errorcode which you mention is 34,could please let meknow the reason for this.

34

Association denied due to excessive frame loss rates and/or poor conditions on current
operating channel

NOT SUPPORTED

vince.newell@vecna.com · ‎03-23-2017

Thanks for the information.

What is the explanation for the Assocation Status Code 204 (0xCC)?

michaelblum · ‎05-12-2017

---- nice post --- very useful.

dmotloch · ‎05-12-2017

Hi Michael.

The client should retry the authentication.

Fabrizio Chessa · ‎06-15-2017

Very Good!!!

JPavonM · ‎06-27-2019

Hi community, I am receiving many reason codes 102, after a reason code 108. All of them are between both reason codes 1. What is the meaning of these not covered reason codes?

Armen V. · ‎09-06-2020

Any chance this can get a refresh from someone at Cisco? I've recently had some logs report deauth number 108 and there's zero reference anywhere to any official documentation, with many pointing to this post.

My correlating logs suggest 108 relates to deauth due to DHCP enforcement failure, but the ARP entries recorded in my logs before that suggest that it's either not recording DHCP activity or there's something else going on. in my case it's only for a limited subset of clients, not across the board.

[mm-client] [21326]: (info): MAC: [MAC] Invalid transmitter ip in build client context
[mm-client] [21326]: (debug): MAC: [MAC] Sending handoff_end of XID (0) to (MobilityD[0])
[auth-mgr] [21326]: (info): [[MAC]:capwap_9000103c] Disconnect request from SANET-SHIM (14) for [MAC] / 0x7c00068b - term: none, abort: Unknown, disc: (default)
[aaa-attr-inf] [21326]: (info): [ Applied attribute : username 0 "<MAC>" ]
[aaa-attr-inf] [21326]: (info): [ Applied attribute : class 0 <hex>]
[aaa-attr-inf] [21326]: (info): [ Applied attribute : bsn-acl-name 0 "<ACL>" ]
[aaa-attr-inf] [21326]: (info): [ Applied attribute :bsn-vlan-interface-name 0 "<VLAN>" ]
[aaa-attr-inf] [21326]: (info): [ Applied attribute : timeout 0 1800 (0x708) ]
[client-auth] [21326]: (info): MAC: [MAC] Client auth-interface state transition: S_AUTHIF_MAB_AUTH_DONE -> S_SANET_DELETE_IN_PROGRESS
[dot11] [21326]: (info): MAC: [MAC] Sent disassoc to client, disassoc reason: 108, CLIENT_DEAUTH_REASON_STA_NO_IP delete reason: 98, CO_CLIENT_DELETE_REASON_IP_DOWN_NO_IP.
[dot11] [21326]: (info): MAC: [MAC] Sent deauth to client, deauth reason: 108, CLIENT_DEAUTH_REASON_STA_NO_IP delete reason: 98, CO_CLIENT_DELETE_REASON_IP_DOWN_NO_IP.

Fulvio Ferreira · ‎11-28-2022

Thanks

MikeT67 · ‎10-02-2024

Lots of good information here, but I need additional details.

I support a large environment ~12,000 WAPs.

I'm examining the deauth reason codes but they don't appear to be in the table above.

This resource directed me to this knowledge base thread, but it doesn't contain all of the ?up to date? deauth reason codes.

https://www.cisco.com/c/en/us/support/docs/wireless/aironet-2800-series-access-points/214560-troubleshoot-wave-2-aps.html?dtid=osscdc000283#toc-hId-686864549

Client Connectivity

It is possible to list clients that have been deauthenticated by the access point with the last event timestamp:

LabAP#show dot11 clients deauth
               timestamp               mac vap reason_code
Mon Aug 20 09:50:59 2018 AC:BC:32:A4:2C:D3   9           4
Mon Aug 20 09:52:14 2018 00:AE:FA:78:36:89   9           4
Mon Aug 20 10:31:54 2018 00:AE:FA:78:36:89   9           4

In the previous output, the reason code is the deauthentication reason code as detailed in this link :

https://community.cisco.com:443/t5/wireless-mobility-knowledge-base/802-11-association-status-802-11-deauth-reason-codes/ta-p/3148055

Here are the deauth codes from (9130i and 2802i).

XXXX-XXXX-9130i#show dot11 clients deauthenticated

timestamp mac vap reason_code
Wed Oct 2 18:06:02 2024 A8:7C:F8:65:AE:3F 1 15 #4-Way Handshake timeout
Wed Oct 2 18:12:53 2024 86:3B:70:AD:F8:7F 1 252
Tue Sep 24 17:12:51 2024 AC:5A:FC:EB:8A:52 0 2 #Previous authentication no longer valid
Wed Oct 2 17:34:33 2024 6E:47:B0:38:04:A9 0 108
Wed Oct 2 18:16:15 2024 B2:F3:BB:1C:E2:3C 0 174

What are deauth reason codes; 252, 108, 174. -- if you have an updated resource/ knowledge base that would be greatly appreciated!

Thanks in advance,

-Mike

stayd · ‎10-16-2024

Yes I agree with MikeT67,

it seems to me also, there are much more new non-updated error reasons which are not in table.

Catalyst 9162 with Meraki code gives me for Realtek RTL8822CE with driver 2024.10.229.0 this error for HP EliteBook

auth_mode='wpa3-psk' 11k='1' 11v='1' reassoc='1' error_code='30'
I could not associate at all to this ap.

Then I saw ap was sitting on channel 149 in EU in indoor is valid channel, but with up to 25mW, I have minimal power set for auto TPC 8dBm, but I saw 7dBm on my ap.

I do not know if it is explenation, but when I changed channel from 149 to 100 I was able to connect.

Any explanation ?

Here is my iPhone 15 Pro with iOS 17.7 with different reason which is not part of table.

auth_mode='-psk' 11k='0' 11v='1' reason='reserved' radio='2' vap='2' channel='69' rssi='43'

Would it be posible please to update us with new error codes ?