cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
384035
Views
106
Helpful
26
Comments
Saravanan Lakshmanan
Cisco Employee
Cisco Employee

     

     

    Introduction

    802.11 Association Status, 802.11 Deauth Reason codes

    802.11 Association Status Codes

    Code

    802.11 definition

    Explanation

    0

    Successful

     

    1

    Unspecified failure

    For example : when there is no ssid specified in an association request

    10

    Cannot support all requested capabilities in the Capability Information field

    Example Test: Reject when privacy bit is set for WLAN not requiring security

    11

    Reassociation denied due to inability to confirm that association exists

    NOT SUPPORTED

    12

    Association denied due to reason outside the scope of this standard

    Example : When controller receives assoc from an unknown or disabled SSID

    13

    Responding station does not support the specified authentication algorithm

    For example, MFP is disabled but was requested by the client.

    14

    Received an Authentication frame with authentication transaction sequence number
    out of expected sequence

    If the authentication sequence number is not correct.

     

    15

    Authentication rejected because of challenge failure

     

    16

    Authentication rejected due to timeout waiting for next frame in sequence

     

    17

    Association denied because AP is unable to handle additional associated stations

    Will happen if you run out of AIDs on the AP; so try associating a large number of stations.

    18

    Association denied due to requesting station not supporting all of the data rates in the
    BSSBasicRateSet parameter

    Will happen if the rates in the assoc request are not in the BasicRateSet in the beacon.

    19

    Association denied due to requesting station not supporting the short preamble
    option

    NOT SUPPORTED

    20

    Association denied due to requesting station not supporting the PBCC modulation
    option

    NOT SUPPORTED

    21

    Association denied due to requesting station not supporting the Channel Agility
    option

    NOT SUPPORTED

    22

    Association request rejected because Spectrum Management capability is required

    NOT SUPPORTED

    23

    Association request rejected because the information in the Power Capability
    element is unacceptable

    NOT SUPPORTED

    24

    Association request rejected because the information in the Supported Channels
    element is unacceptable

    NOT SUPPORTED

    25

    Association denied due to requesting station not supporting the Short Slot Time
    option

    NOT SUPPORTED

    26

    Association denied due to requesting station not supporting the DSSS-OFDM option

    NOT SUPPORTED

    27-31

    Reserved

    NOT SUPPORTED

    32

    Unspecified, QoS-related failure

    NOT SUPPORTED

    33

    Association denied because QAP has insufficient bandwidth to handle another
    QSTA

    NOT SUPPORTED

    34

    Association denied due to excessive frame loss rates and/or poor conditions on current
    operating channel

    NOT SUPPORTED

    35

    Association (with QBSS) denied because the requesting STA does not support the
    QoS facility

    If the WMM is required by the WLAN and the client is not capable of it, the association will get rejected.

    36

    Reserved in 802.11

    This is used in our code ! There is no blackbox test for this status code.

    37

    The request has been declined

    This is not used in assoc response; ignore

    38

    The request has not been successful as one or more parameters have invalid values

    NOT SUPPORTED

    39

    The TS has not been created because the request cannot be honored; however, a suggested
    TSPEC is provided so that the initiating QSTA may attempt to set another TS
    with the suggested changes to the TSPEC

    NOT SUPPORTED

    40

    Invalid information element, i.e., an information element defined in this standard for
    which the content does not meet the specifications in Clause 7

    Sent when Aironet IE is not present for a CKIP WLAN

    41

    Invalid group cipher

    Used when received unsupported Multicast 802.11i OUI Code

    42

    Invalid pairwise cipher

     

    43

    Invalid AKMP

     

    44

    Unsupported RSN information element version

    If you put anything but version value of 1, you will see this code.

    45

    Invalid RSN information element capabilities

    If WPA/RSN IE is malformed, such as incorrect length etc, you will see this code.

    46

    Cipher suite rejected because of security policy

    NOT SUPPORTED

    47

    The TS has not been created; however, the HC may be capable of creating a TS, in
    response to a request, after the time indicated in the TS Delay element

    NOT SUPPORTED

    48

    Direct link is not allowed in the BSS by policy

    NOT SUPPORTED

    49

    Destination STA is not present within this QBSS

    NOT SUPPORTED

    50

    The Destination STA is not a QSTA

    NOT SUPPORTED

    51

    Association denied because the ListenInterval is too large

    NOT SUPPORTED

    200
    (0xC8)

     

    Unspecified, QoS-related failure.
    Not defined in IEEE, defined in CCXv4

    Unspecified QoS Failure. This will happen if the Assoc request contains more than one TSPEC for the same AC.

    201
    (0xC9)

    TSPEC request refused due to AP’s policy configuration (e.g., AP is configured to deny all TSPEC requests on this SSID). A TSPEC will not be suggested by the AP for this reason code.
    Not defined in IEEE, defined in CCXv4

    This will happen if a TSPEC comes to a WLAN which has lower priority than the WLAN priority settings. For example a Voice TSPEC coming to a Silver WLAN. Only applies to CCXv4 clients.

    202
    (0xCA)

    Association Denied due to AP having insufficient bandwidth to handle a new TS. This cause code will be useful while roaming only.
    Not defined in IEEE, defined in CCXv4

     

    203
    (0xCB)

    Invalid Parameters. The request has not been successful as one or more TSPEC parameters in the request have invalid values. A TSPEC SHALL be present in the response as a suggestion.

    Not defined in IEEE, defined in CCXv4

    This happens in cases such as PHY rate mismatch. If the TSRS IE contains a phy rate not supported by the controller, for example. Other examples include sending a TSPEC with bad parameters, such as sending a date rate of 85K for a narrowband TSPEC.

    802.11 Deauth Reason Codes

    When running a client debug, this code will match the ReasonCode from the output: "Scheduling mobile for deletion with delete Reason x, reasonCode y"

    Code802.11 definitionExplanation
    0ReservedNOT SUPPORTED
    1Unspecified reasonTBD
    2Previous authentication no longer validNOT SUPPORTED
    3station is leaving (or has left) IBSS or ESSNOT SUPPORTED
    4Disassociated due to inactivityDo not send any data after association;
    5Disassociated because AP is unable to handle all currently associated stationsTBD
    6Class 2 frame received from nonauthenticated station

     

    NOT SUPPORTED
    7Class 3 frame received from nonassociated stationNOT SUPPORTED
    8Disassociated because sending station is leaving (or has left) BSSTBD
    9Station requesting (re)association is not authenticated with responding stationNOT SUPPORTED
    10Disassociated because the information in the Power Capability element is unacceptableNOT SUPPORTED
    11Disassociated because the information in the Supported Channels element is unacceptableNOT SUPPORTED
    12ReservedNOT SUPPORTED
    13Invalid information element, i.e., an information element defined in this standard for
    which the content does not meet the specifications in Clause 7
    NOT SUPPORTED
    14Message integrity code (MIC) failureNOT SUPPORTED
    154-Way Handshake timeoutNOT SUPPORTED
    16Group Key Handshake timeoutNOT SUPPORTED
    17Information element in 4-Way Handshake different from (Re)Association Request/Probe
    Response/Beacon frame
    NOT SUPPORTED
    18Invalid group cipherNOT SUPPORTED
    19Invalid pairwise cipherNOT SUPPORTED
    20Invalid AKMPNOT SUPPORTED
    21Unsupported RSN information element versionNOT SUPPORTED
    22Invalid RSN information element capabilitiesNOT SUPPORTED
    23IEEE 802.1X authentication failedNOT SUPPORTED
    24Cipher suite rejected because of the security policyNOT SUPPORTED
    25-31ReservedNOT SUPPORTED
    32Disassociated for unspecified, QoS-related reasonNOT SUPPORTED
    33Disassociated because QAP lacks sufficient bandwidth for this QSTANOT SUPPORTED
    34Disassociated because excessive number of frames need to be acknowledged, but are not
    acknowledged due to AP transmissions and/or poor channel conditions
    NOT SUPPORTED
    35Disassociated because QSTA is transmitting outside the limits of its TXOPsNOT SUPPORTED
    36Requested from peer QSTA as the QSTA is leaving the QBSS (or resetting)NOT SUPPORTED
    37Requested from peer QSTA as it does not want to use the mechanismNOT SUPPORTED
    38Requested from peer QSTA as the QSTA received frames using the mechanism for which
    a setup is required
    NOT SUPPORTED
    39Requested from peer QSTA due to timeoutNOT SUPPORTED
    40Peer QSTA does not support the requested cipher suiteNOT SUPPORTED
    46-6553546--65 535 ReservedNOT SUPPORTED
    98Cisco definedTBD
    99Cisco defined
    Used when the reason code sent in a deassoc req or deauth by the client is invalid – invalid length, invalid value etc
    Example: Send a Deauth to the AP with the reason code to be invalid, say zero

     

    Comments
    ashankar80
    Community Member

    Hi Saravanan, What should be the error code, if STA does not send any rate in assoc request? Regards, amar

    nipunsupport
    Level 1
    Level 1

    Hi Saravanan,

    i found one errorcode which you mention is 34,could please let meknow the reason for this.

    34

    Association denied due to excessive frame loss rates and/or poor conditions on current
    operating channel

    NOT SUPPORTED

    vince.newell@vecna.com
    Community Member

    Thanks for the information.


    What is the explanation for the Assocation Status Code 204 (0xCC)?

    michaelblum
    Level 1
    Level 1

    ---- nice post --- very useful.

    dmotloch
    Level 1
    Level 1

    Hi Michael.

    The client should retry the authentication.

    Fabrizio Chessa
    Level 1
    Level 1

    Very Good!!!

    JPavonM
    VIP
    VIP
    Hi community, I am receiving many reason codes 102, after a reason code 108. All of them are between both reason codes 1. What is the meaning of these not covered reason codes?
    Armen V.
    Level 1
    Level 1

    Any chance this can get a refresh from someone at Cisco? I've recently had some logs report deauth number 108 and there's zero reference anywhere to any official documentation, with many pointing to this post.

     

    My correlating logs suggest 108 relates to deauth due to DHCP enforcement failure, but the ARP entries recorded in my logs before that suggest that it's either not recording DHCP activity or there's something else going on. in my case it's only for a limited subset of clients, not across the board.

     

     

    [mm-client] [21326]: (info): MAC: [MAC] Invalid transmitter ip in build client context
    [mm-client] [21326]: (debug): MAC: [MAC] Sending handoff_end of XID (0) to (MobilityD[0])
    [auth-mgr] [21326]: (info): [[MAC]:capwap_9000103c] Disconnect request from SANET-SHIM (14) for [MAC] / 0x7c00068b - term: none, abort: Unknown, disc: (default)
    [aaa-attr-inf] [21326]: (info): [ Applied attribute : username 0 "<MAC>" ]
    [aaa-attr-inf] [21326]: (info): [ Applied attribute : class 0 <hex>]
    [aaa-attr-inf] [21326]: (info): [ Applied attribute : bsn-acl-name 0 "<ACL>" ]
    [aaa-attr-inf] [21326]: (info): [ Applied attribute :bsn-vlan-interface-name 0 "<VLAN>" ]
    [aaa-attr-inf] [21326]: (info): [ Applied attribute : timeout 0 1800 (0x708) ]
    [client-auth] [21326]: (info): MAC: [MAC] Client auth-interface state transition: S_AUTHIF_MAB_AUTH_DONE -> S_SANET_DELETE_IN_PROGRESS
    [dot11] [21326]: (info): MAC: [MAC] Sent disassoc to client, disassoc reason: 108, CLIENT_DEAUTH_REASON_STA_NO_IP delete reason: 98, CO_CLIENT_DELETE_REASON_IP_DOWN_NO_IP.
    [dot11] [21326]: (info): MAC: [MAC] Sent deauth to client, deauth reason: 108, CLIENT_DEAUTH_REASON_STA_NO_IP delete reason: 98, CO_CLIENT_DELETE_REASON_IP_DOWN_NO_IP.

     

    Fulvio Ferreira
    Level 1
    Level 1

    Thanks

    MikeT67
    Level 1
    Level 1

    Lots of good information here, but I need additional details.

    I support a large environment ~12,000 WAPs.

    I'm examining the deauth reason codes but they don't appear to be in the table above.

     

    This resource directed me to this knowledge base thread, but it doesn't contain all of the ?up to date? deauth reason codes.

    https://www.cisco.com/c/en/us/support/docs/wireless/aironet-2800-series-access-points/214560-troubleshoot-wave-2-aps.html?dtid=osscdc000283#toc-hId-686864549

    Client Connectivity

    It is possible to list clients that have been deauthenticated by the access point with the last event timestamp:

    LabAP#show dot11 clients deauth
                   timestamp               mac vap reason_code
    Mon Aug 20 09:50:59 2018 AC:BC:32:A4:2C:D3   9           4
    Mon Aug 20 09:52:14 2018 00:AE:FA:78:36:89   9           4
    Mon Aug 20 10:31:54 2018 00:AE:FA:78:36:89   9           4

    In the previous output, the reason code is the deauthentication reason code as detailed in this link :

    https://community.cisco.com:443/t5/wireless-mobility-knowledge-base/802-11-association-status-802-11-deauth-reason-codes/ta-p/3148055

     

    Here are the deauth codes from (9130i and 2802i).

    XXXX-XXXX-9130i#show dot11 clients deauthenticated

    timestamp mac vap reason_code
    Wed Oct 2 18:06:02 2024 A8:7C:F8:65:AE:3F 1 15 #4-Way Handshake timeout
    Wed Oct 2 18:12:53 2024 86:3B:70:AD:F8:7F 1 252
    Tue Sep 24 17:12:51 2024 AC:5A:FC:EB:8A:52 0 2 #Previous authentication no longer valid
    Wed Oct 2 17:34:33 2024 6E:47:B0:38:04:A9 0 108
    Wed Oct 2 18:16:15 2024 B2:F3:BB:1C:E2:3C 0 174

    What are deauth reason codes; 252, 108, 174. -- if you have an updated resource/ knowledge base that would be greatly appreciated! 

    Thanks in advance,

    -Mike

     

    stayd
    Level 1
    Level 1

    Yes I agree with MikeT67,

    it seems to me also, there are much more new non-updated error reasons which are not in table.

    Catalyst 9162 with Meraki code gives me for Realtek RTL8822CE with driver 2024.10.229.0 this error for HP EliteBook

    auth_mode='wpa3-psk' 11k='1' 11v='1' reassoc='1' error_code='30'
    I could not associate at all to this ap.

    Then I saw ap was sitting on channel 149 in EU in indoor is valid channel, but with up to 25mW, I have minimal power set for auto TPC 8dBm, but I saw 7dBm on my ap.

    I do not know if it is explenation, but when I changed channel from 149 to 100 I was able to connect.

    Any explanation ?

    Here is my iPhone 15 Pro with iOS 17.7 with different reason which is not part of table.


    auth_mode='-psk' 11k='0' 11v='1' reason='reserved' radio='2' vap='2' channel='69' rssi='43'

     

    Would it be posible please to update us with new error codes ?

    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: