Beginner

Unable to send EAPOL-key msg - invalid WPA state (0) error

Hi everyone,

What could most likely be the reason for a WLC syslog message like this:

"Unable to send EAPOL-key msg - invalid WPA state (0) error"

I have an SSID with RADIUS (NPS) auth which has been working for about 2-3 years and accidentally stopped working on Monday. All clients are affected. When users try to connect to the SSID they are just rejected. All certificates are OK.

Could you please share any ideas you have? I can provide any additional info if needed.

Many thanks in advance, Ilya

Update:

One day before the SSID stopped working, this message appeared in the WLC's syslog:

: %ACL-3-ENTRY_DONOT_EXIST: acl.c:376 Unable to find an ACL by name "���"

VIP Advocate

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

What is logged in the security tab on the NPS Event Viewer when a user tries to authenticate?
Have you, by any chance, upgraded the domain controllers to Server 2019 in the last few days?
Beginner

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

wlc5520 - 8.2.170.0

Same issue... 2 clients authenticated... the rest are not...
*Dot1x_NW_MsgTask_5: May 15 00:05:09.687: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:6d
*Dot1x_NW_MsgTask_0: May 15 00:05:09.483: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:5b:f0
*Dot1x_NW_MsgTask_1: May 15 00:05:09.279: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:f9
*Dot1x_NW_MsgTask_6: May 15 00:05:09.075: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:6b:0e
*Dot1x_NW_MsgTask_7: May 15 00:05:08.871: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d7:67
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 40:a3:cc:b8:86:e8
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0b:d0:79
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0a:66:f3
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client d4:25:8b:c7:b6:db
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:e5:f9:07:d6:3b


Just migrated from Win2008 NPS to Win2016 NPS.

Advanced EAP

Identity Request Timeout (in secs) 60
Identity request Max Retries 12
Dynamic WEP Key Index 0
Request Timeout (in secs) 60
Request Max Retries 15
Max-Login Ignore Identity Response enable
EAPOL-Key Timeout (in milliSeconds) 5000
EAPOL-Key Max Retries 4
EAP-Broadcast Key Interval (in secs) 120
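
A small triage helper for the dot1x syslog lines pasted in the post above, added here as an example (it is not code from the thread's participants or from Cisco). It parses the line layout shown, groups client MACs by message mnemonic, and flags timestamps at which several clients failed in the same instant; the regex is derived only from the lines in this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout seen in the thread: *task: Mon DD HH:MM:SS.mmm: %FAC-SEV-MNEMONIC: file.c:line text
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<source>\S+:\d+) (?P<text>.*)$"
)
MAC_RE = re.compile(r"client ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

# Lines copied from the post above (subset).
SAMPLE = """\
*Dot1x_NW_MsgTask_5: May 15 00:05:09.687: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:6d
*Dot1x_NW_MsgTask_0: May 15 00:05:09.483: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:5b:f0
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 40:a3:cc:b8:86:e8
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0b:d0:79
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0a:66:f3
"""

def parse_line(line):
    # Returns a dict of fields, or None for lines that do not match the layout.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    mac = MAC_RE.search(event["text"])
    event["client"] = mac.group(1).lower() if mac else None
    return event

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def clients_by_mnemonic(events):
    # Which clients hit which message type (e.g. EAP timeout vs. key-state error).
    out = defaultdict(set)
    for e in events:
        if e["client"]:
            out[e["mnemonic"]].add(e["client"])
    return dict(out)

def bursts(events, min_clients=3):
    # Same mnemonic logged for many clients at one timestamp: a simultaneous failure.
    groups = defaultdict(set)
    for e in events:
        if e["client"]:
            groups[(e["ts"], e["mnemonic"])].add(e["client"])
    return {k: v for k, v in groups.items() if len(v) >= min_clients}
```

Feeding a full syslog export to `parse_log` and then `bursts` separates clients that individually timed out during EAP from groups of clients that all hit the key-state error in the same millisecond.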
VIP Advocate

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

What is logged on the NPS server in the security logfile?

Beginner

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

There were no logs on NPS (Win2016) about errors... only 3 successful accesses.

On the wlc5520 dashboard, on the client page, I see associated but not authenticated... the "event log" tab shows

"possible invalid PSK" and nothing more...

After rebooting the PCs... all the PCs that couldn't connect... all clients connected successfully.

I still do not understand why... maybe PMK key database overload on the client or just some kind of Windows bug...

VIP Advocate

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

Then some group policy might have disabled the logging feature, or you must check on the domain controller(s). There should always be something logged, for every single authentication attempt.
That is, if the WLC really sends the attempt to the NPS. Which WLC version are you using?
Beginner

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

wlc5520 - 8.2.170.0

The previous one was 8.3.143.0... extremely buggy... --> spontaneously... randomly... chaos... client drops. Mostly the drops were on FlexConnect users. After the downgrade, this terror stopped. ^)
Btw, I also saw a very interesting thing... if a client disconnects from the AP (1040N), the client still persists on the AP on the dashboard for hours... but not on the controller after being removed. Only an AP reboot helps...

Is there any command, if I SSH to the AP, to force-drop a client or clear some data about a certain client without reloading the AP?

I couldn't find any, even with the special commands

debug capwap console cli
debug lwapp console cli

VIP Advocate

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

Sounds like you found a bug, I suggest you inform TAC about it.
Beginner

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

@EvgenyG wrote:

wlc5520 - 8.2.170.0

Same issue... 2 clients authenticated... the rest are not...
*Dot1x_NW_MsgTask_5: May 15 00:05:09.687: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:6d
*Dot1x_NW_MsgTask_0: May 15 00:05:09.483: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:5b:f0
*Dot1x_NW_MsgTask_1: May 15 00:05:09.279: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:f9
*Dot1x_NW_MsgTask_6: May 15 00:05:09.075: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:6b:0e
*Dot1x_NW_MsgTask_7: May 15 00:05:08.871: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d7:67
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 40:a3:cc:b8:86:e8
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0b:d0:79
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0a:66:f3
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client d4:25:8b:c7:b6:db
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:e5:f9:07:d6:3b

What kind of APs? Did you try rebooting the AP? I see the same thing when my 2800 APs are in a low-memory dumpster fire state. That's on ME 8.8 though, I wouldn't normally expect the same issue on an 8.2 WLC. Maybe not impossible though.

About the low memory thing: WARNING: System memory is running low. Client device doesn't get an IP address.

Beginner

Re: Unable to send EAPOL-key msg - invalid WPA state (0) error

We have 50% 1040N and 50% 1832i.
Slowly, but we are replacing the 1040Ns.