
Unable to send EAPOL-key msg - invalid WPA state (0) error

Ilya Semenov
Level 1

Hi everyone,

What could most likely be the reason for a WLC syslog message like this:

"Unable to send EAPOL-key msg - invalid WPA state (0) error"

I have an SSID with RADIUS (NPS) auth which has been working for about 2-3 years and accidentally stopped working on Monday. All clients are affected. When users try to connect to the SSID, they are just rejected. All certificates are OK.

Could you please share any ideas? I can provide any additional info if needed.

Many thanks in advance, Ilya

Update:

One day before the SSID stopped working, this message appeared in the WLC's syslog:

: %ACL-3-ENTRY_DONOT_EXIST: acl.c:376 Unable to find an ACL by name "���"


patoberli
VIP Alumni
What is logged in the security tab on the NPS Event Viewer when a user tries to authenticate?
Did you, by any chance, upgrade the domain controllers to Server 2019 in the last few days?

wlc5520 - 8.2.170.0

same issue....2 client authenticated....the rest is not....
*Dot1x_NW_MsgTask_5: May 15 00:05:09.687: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:6d
*Dot1x_NW_MsgTask_0: May 15 00:05:09.483: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:5b:f0
*Dot1x_NW_MsgTask_1: May 15 00:05:09.279: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:f9
*Dot1x_NW_MsgTask_6: May 15 00:05:09.075: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:6b:0e
*Dot1x_NW_MsgTask_7: May 15 00:05:08.871: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d7:67
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 40:a3:cc:b8:86:e8
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0b:d0:79
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0a:66:f3
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client d4:25:8b:c7:b6:db
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:e5:f9:07:d6:3b


Just migrated from win2008 NPS to win2016 NPS.

Advanced EAP

Identity Request Timeout (in secs)          60
Identity request Max Retries                12
Dynamic WEP Key Index                       0
Request Timeout (in secs)                   60
Request Max Retries                         15
Max-Login Ignore Identity Response          enable
EAPOL-Key Timeout (in milliSeconds)         5000
EAPOL-Key Max Retries                       4
EAP-Broadcast Key Interval (in secs)        120

What is logged on the NPS server in the security logfile?

There were no logs on NPS (win2016) about errors...only 3 successful accesses.

On the wlc5520 dashboard, on the client page, I see associated but not authenticated...the "event log" tab shows

"possible invalid PSK" and nothing more....

After rebooting the PC....all PCs that couldn't connect...all clients connected successfully.

I still do not understand why....maybe PMK key database overload on the client or just some kind of Windows bug...

Then some group policy might have disabled the logging feature, or you must check on the domain controller(s). Something should always be logged, for every single authentication attempt.
That is, if the WLC really sends the attempt to the NPS. Which WLC version are you using?

wlc5520 - 8.2.170.0

previous was 8.3.143.0.....extremely buggy....--> spontaneously...randomly....chaos...client drops. Mostly drops were on flexconnect users. After downgrade, this terror stops. ^)
btw, I also saw a very interesting thing....if a client disconnects from an AP (1040N), the client still persists on the AP on the dashboard for hours....but not on the controller after being removed. Only an AP reboot helps...

Is there any command, if I SSH to the AP, to force-drop a client or clear some data about a certain client without reloading the AP?

I couldn't find any even with special commands

debug capwap console cli
debug lwapp console cli

Sounds like you found a bug, I suggest you inform TAC about it.

@EvgenyG wrote:

wlc5520 - 8.2.170.0

same issue....2 client authenticated....the rest is not....
*Dot1x_NW_MsgTask_5: May 15 00:05:09.687: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:6d
*Dot1x_NW_MsgTask_0: May 15 00:05:09.483: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:5b:f0
*Dot1x_NW_MsgTask_1: May 15 00:05:09.279: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d6:f9
*Dot1x_NW_MsgTask_6: May 15 00:05:09.075: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client d4:25:8b:c7:6b:0e
*Dot1x_NW_MsgTask_7: May 15 00:05:08.871: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 74:e5:f9:07:d7:67
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 40:a3:cc:b8:86:e8
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0b:d0:79
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:70:fd:0a:66:f3
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client d4:25:8b:c7:b6:db
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 74:e5:f9:07:d6:3b

What kind of APs? Did you try rebooting AP? I see the same thing when my 2800 APs are in low-memory dumpster fire state. That's on ME 8.8 though, wouldn't normally expect the same issue on a 8.2 WLC. Maybe not impossible though.

About the low memory thing: WARNING: System memory is running low. Client device doesn't get an IP address.

We have 50% 1040N and 50% 1832i;
slowly, but replacing the 1040Ns.

lalitkumar88551
Level 1

Not able to access the Internet when connected to the Guest SSID; the issue is observed for multiple users at multiple locations.

WLC5520

Product Version: 8.10.162.0

Error log...

---------------Show msglog---------------

Message Log Severity Level ...................... ERROR
*dot1xMsgTask: Apr 07 04:44:44.963: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (0) - client 2e:14:de:7c:61:15
Previous message occurred 2 times.
Apr 07 04:23:22.873: [ERROR] ewmain.c 2969: EmWeb: select() failed for bad file descriptor : Bad file descriptor
Apr 07 04:02:40.927: [ERROR] ew_code.c 50522: current EMWEB_STRING/INCLUDE code did not return
Apr 07 04:02:40.927: Previous message occurred 11 times.
Apr 06 18:28:29.664: [ERROR] ewmain.c 2969: EmWeb: select() failed for bad file descriptor : Bad file descriptor
Apr 06 18:27:37.609: [ERROR] ew_code.c 50522: current EMWEB_STRING/INCLUDE code did not return
Apr 06 18:27:37.609: Previous message occurred 3 times.
Apr 06 14:27:25.489: [ERROR] ewmain.c 2969: EmWeb: select() failed for bad file descriptor : Bad file descriptor
*apfReceiveTask: Apr 06 13:57:28.649: %LOG-3-Q_IND: 1x_eapkey.c:3062 Received EAPOL-key message while in invalid state (4) - version 2, type 3, descriptor 2, client 66:3d:d3:c3:ec:35
*Dot1x_NW_MsgTask_5: Apr 06 13:53:42.541: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:3062 Received EAPOL-key message while in invalid state (4) - version 2, type 3, descriptor 2, client 66:3d:d3:c3:ec:35
*Dot1x_NW_MsgTask_6: Apr 06 13:44:05.040: %LOG-3-Q_IND: 1x_eapkey.c:458 Invalid replay counter from client 00:42:38:dc:87:af - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01[...It occurred 2 times.!]
*Dot1x_NW_MsgTask_7: Apr 06 13:38:39.106: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:458 Invalid replay counter from client 00:42:38:dc:87:af - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_4: Apr 06 13:07:38.983: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:458 Invalid replay counter from client c4:23:60:f8:29:4c - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*dot1xMsgTask: Apr 06 13:04:14.925: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (0) - client da:7a:11:ef:70:5d
*dot1xMsgTask: Apr 06 12:55:09.885: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (0) - client 6c:94:66:11:29:c0
*dot1xMsgTask: Apr 06 12:54:03.169: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (0) - client ec:5c:68:97:83:fb
*dot1xMsgTask: Apr 06 12:51:11.625: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (0) - client 66:20:fa:51:03:66
*dot1xMsgTask: Apr 06 12:41:23.529: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (0) - client ec:5c:68:97:4c:7b
*dot1xMsgTask: Apr 06 12:35:08.721: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (0) - client 00:42:38:dc:7c:6f
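
As an added example (not part of any post in this thread, and not Cisco tooling): one way to triage message-log excerpts like those posted above is to group them by mnemonic and client, and to flag timestamps where several distinct clients log the same error at once. The sample lines and MAC addresses are constructed, and the regex assumes the line format shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the "show msglog" line format seen above; MACs are placeholders.
SAMPLE = """\
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 02:00:00:00:00:01
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 02:00:00:00:00:02
*dot1xMsgTask: May 15 00:05:03.812: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 02:00:00:00:00:03
*Dot1x_NW_MsgTask_5: May 15 00:05:09.687: %DOT1X-4-MAX_EAP_RETRANS: 1x_ptsm.c:531 Max EAP retransmissions exceeded for client 02:00:00:00:00:04
*Dot1x_NW_MsgTask_7: May 15 00:06:39.106: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:458 Invalid replay counter from client 02:00:00:00:00:05 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
May 15 00:07:22.873: [ERROR] ewmain.c 2969: EmWeb: select() failed for bad file descriptor : Bad file descriptor
*dot1xMsgTask: May 15 00:07:41.120: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1526 Unable to send EAPOL-key msg - invalid WPA state (0) - client 02:00:00:00:00:01
"""

LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<source>\S+) (?P<text>.*)$")
CLIENT = re.compile(r"client ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse(log):
    """Return one dict per %FACILITY-SEV-MNEMONIC line; other lines are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        mac = CLIENT.search(ev["text"])
        ev["client"] = mac.group(1).lower() if mac else None
        events.append(ev)
    return events

def summarize(events):
    """Per mnemonic: number of events and the set of distinct client MACs."""
    out = defaultdict(lambda: {"events": 0, "clients": set()})
    for ev in events:
        out[ev["mnemonic"]]["events"] += 1
        if ev["client"]:
            out[ev["mnemonic"]]["clients"].add(ev["client"])
    return dict(out)

def bursts(events, min_clients=3):
    """(timestamp, mnemonic, n): n distinct clients logged the same error at one timestamp."""
    seen = defaultdict(set)
    for ev in events:
        if ev["client"]:
            seen[(ev["ts"], ev["mnemonic"])].add(ev["client"])
    return [(ts, mn, len(c)) for (ts, mn), c in seen.items() if len(c) >= min_clients]
```

A burst entry only tells you that several clients failed in the same instant; correlate it with the RADIUS server's own logs for the same time window before drawing conclusions.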

 

 

 
