01-07-2013 11:41 AM - edited 07-03-2021 11:18 PM
A week ago we upgrade from the 7.0.116 software to 7.2.111.3. Since doing that we are seeing a lot more clients drop connections and be unable to re-join. The wireless network KEY (WPA & TKIP) is on the machines and stored. When the connection drops for whatever reason and the network is select, the user is then prompted to re-enter the key. They can enter in the key, however we do not want to give our wireless key.
Looking at the controller we see a lot of messages similar to these:
*dot1xMsgTask: Jan 07 15:45:12.339: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client Client4
*dot1xMsgTask: Jan 07 15:41:31.539: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M3 retransmissions exceeded for client Client3
*dot1xMsgTask: Jan 07 15:04:52.519: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client Client1
*dot1xMsgTask: Jan 07 15:04:45.719: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client Client1
*dot1xMsgTask: Jan 07 15:04:00.119: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M5 retransmissions exceeded for client Client2
*dot1xMsgTask: Jan 07 15:03:51.719: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M5 retransmissions exceeded for client Client2
The machines are Mid 2011 iMacs running 10.6.8. While running 7.0.116 code we did not have this issue. The only item that has since changed is migrating to the 7.2.111.3 code. Are there any ideas on items to check and try on this to have some greater stability?
We are running on a WLC5508 with 1142 APs.
01-07-2013 06:04 PM
Can I get the output of "show advanced eap" from the controller CLI?
Sent from Cisco Technical Support iPad App
01-07-2013 06:20 PM
Sure thing:
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
Thank You!
Randy
01-11-2013 04:57 AM
You may want to tweak those settings a bit, which you can do via the controller CLI:
config advanced eap eapol-key-timeout 2000
save config
basically this will give the EAP key exchange a bit more time.
The key timeouts can also be due to client issues and poor RF in the area the client it located at.
-Tim
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide