I upgraded our WCS over the weekend to the new 18.104.22.168 release. Daily now I am getting one or two "ap impersonation" alerts which I wasn't before. These are coming from existing clients that have been on the network for quite some time.
Has anyone else seen this?
Hi, the alerts on the WCS come from the WLCs so check and confirm you are seeing the same messages on the WLC traplogs. If you are then very likely the clients are spoofing the ap mac addresses
Sent from Cisco Technical Support iPhone App
Yes I'm seeing the same alert on the controller but these are from clients who are not impersonating any mac address.
Tue May 10 09:58:15 2011 Impersonation of AP with Base Radio MAC 00:1f:ca:82:db:00 using source address of 00:25:d3:be:ec:13 has been detected by the AP with MAC Address: 00:1f:ca:82:db:00 on its 802.11b/g radio whose slot ID is 0
It's completely random across all 12 of my sites.
We are having the exact same problem here, and I cannot figure out what the deal is. I opened a TAC case on it a while back and received a cut and paste explaining what Assign/unassign/delete/clear/acknowledging the alarms does.
Did you ever find an answer to this? We are running WCS 22.214.171.124 with WLC's at 126.96.36.199. I too looked up the "impersonating" mac address, and so far everyone is just a normal client on the network. Everything from a Blackberry to a laptop.
No answer yet. I'm not sure what changed or if the environment I'm in just got more crowded (public schools in residential areas) but I'm see a lot more null and zero-length SSID errors as well as the occaisional jammer.
Everything so far appears to be false positives. It's more of an annoyance than anything else at this point.
Same here - it would be awesome if somebody ran across this that had a definitive answer. There has to be more people with the issue. Right now I have 200 "Critical Alarms" - mostly the AP Impersonation alarms.
It really is an annoyance, especially since with that many, it's easy to overlook the important ones. I don't remember when this started happening, but every upgrade I install I keep hoping it will get fixed.
I guess if I ever get to a point where I feel like wasting more time on it, I'll log another case and see what happens with it.
For what it's worth, we're having the same issue, false Impersonation alerts, after upgrading to 188.8.131.52. I'm beginning to think this isn't a coincidence...
I know it's an old thread, but I'm putting it here just in case Google has brought you here:
This is a bug - see bugID CSCsb90622