08-12-2017 06:16 PM - last edited on 07-05-2021 07:31 AM by cc_security_lab
I am trying to set up a wireless LAN using two Cisco 3602i APs on a Virtual WLC running software version 8.2.160.0. My goal is to have an iPhone 6s client using Voice-over-WiFi be able to fast-roam between these two APs using 802.11r/802.11k/802.11v without dropping the voice call.
As far as I can tell, I have set everything up for this according to Cisco and Apple recommendations, but the handoffs continually fail. Running 'debug client <iphone-mac-address>' on the controller produces the following message when the handoff attempts fail:
Association Failed on REAP AP BSSID 44:ad:d9:8e:8b:fe (slot 1), status 11 0 802.11r Key Cache look up failed in (re)-assoc req
Unfortunately, a Google search for "key cache look up failed" returns only one result - an un-annotated pastebin dump.
Here is the vWLC configuration for the WLAN in question, id '2', SSID 'phone-test-5g':
And here is the complete output of a 'debug client ' capturing a failed roam/handoff event:
I have tried a fairly wide variety of configurations but have not been able to get this to work using any combination of settings. If anyone has any suggestions, I will greatly appreciate hearing them.
08-15-2017 06:41 AM
It seems the cause of this problem is that the vWLC is not distributing the 802.11r key cache info to the APs:
ypsi-wifi-1#show capwap reap dot11r
Total number of dot11r cache entries = 0
DOT11R Cache Entries:
HW Address Life Time(in sec) BSSID R0KhId R1KhId vlanOverride client Acl
ypsi-wifi-1#
But I don't know why it isn't. Do any of you have any ideas why it isn't distributing the key cache info, or what else I might check to investigate further?
08-15-2017 06:54 AM
Hi Mate,
Can you make sure all the
Thanks
Sreejith
08-15-2017 07:30 AM
When I first set this up, I had neglected to configure a flexconnect group and add the APs to it, but creating the group and adding the APs did not change the behavior. I even rebooted the APs and controller after making the change in case that was necessary.
(Cisco Controller) >show flexconnect group detail fc_def_grp
Number of AP's in Group: 2
7c:ad:74:85:09:8e ypsi-wifi-1 Joined Flexconnect
fc:5b:39:9b:b4:98 ypsi-wifi-2 Joined Flexconnect
08-15-2017 07:50 AM
Hi Mate,
Are we roaming between only these two
Also what is the dot11r config, is it over the
Thanks
Sreejith
08-15-2017 08:44 AM
Greetings,
For now, those are the only two APs in the system. I currently have dot11r configured for over-the-air, but I have also tried it in over-the-ds mode and run into the same problem.
Cheers,
Rusty
08-15-2017 10:15 AM
Thanks for the clarification. Need to check two things to rule out the things here.
1. Can we test this in open
2. Do we have 15-20 percent overlap between the
Thanks
Sreejith
08-16-2017 04:20 PM
Greetings, and thanks for your help,
I set the WLAN to open mode (no authentication whatsoever) and the client was able to roam seamlessly between the two APs.
I think there is pretty good overlap between the two APs. As you walk back and forth between the two APs, the RSSI from each (as displayed on the client) is -65 dBm at the midpoint.
Thanks again,
Rusty
08-16-2017 05:26 PM
Thank you for the test.
What is the authentication type we are using on the
Thanks
Sreejith
08-16-2017 05:36 PM
When it's not working, we are using WPA2-AES PSK. I have tried having both 'PSK' and 'FT-PSK' enabled, in an effort to allow FT and non-FT clients to use the same SSID, and I have also tried having only 'FT-PSK' enabled. In the pastebins in the original post, I had only 'FT-PSK' enabled, as follows:
Security
802.11 Authentication:........................ Open System
FT Support.................................... Enabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
OSEN IE.................................... Disabled
Auth Key Management
--More-- or (q)uit
802.1x.................................. Disabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Enabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
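An added example, not part of any post in this thread and not Cisco code: a small Python script that correlates the three outputs quoted above (the `debug client` failure line, the AP's `show capwap reap dot11r` count, and the WLAN key-management summary). The sample strings are constructed from the text in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, assembled from the outputs quoted in this thread.
DEBUG_LINE = ("Association Failed on REAP AP BSSID 44:ad:d9:8e:8b:fe (slot 1), "
              "status 11 0 802.11r Key Cache look up failed in (re)-assoc req")
AP_CACHE = ("ypsi-wifi-1#show capwap reap dot11r\n"
            "Total number of dot11r cache entries = 0\n")
WLAN_SECURITY = ("FT Support.................................... Enabled\n"
                 "PSK..................................... Disabled\n"
                 "FT-PSK(802.11r)......................... Enabled\n"
                 "FT Over-The-DS mode........................ Disabled\n")

FAIL_RE = re.compile(r"Association Failed on REAP AP BSSID (?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
                     r"\(slot (?P<slot>\d+)\), status (?P<status>\d+)\s+(?P<detail>.*)$", re.I)

def parse_ft_failure(line):
    """Extract BSSID, radio slot, status code and detail text from a failed (re)association line."""
    m = FAIL_RE.search(line.strip())
    if not m:
        return None
    return {"bssid": m["bssid"].lower(), "slot": int(m["slot"]),
            "status": int(m["status"]), "detail": m["detail"]}

def parse_cache_total(text):
    """Return the entry count reported by 'show capwap reap dot11r', or None if absent."""
    m = re.search(r"Total number of dot11r cache entries = (\d+)", text)
    return int(m.group(1)) if m else None

def parse_dotted_settings(text):
    """Turn 'Name....... Value' lines from the WLAN summary into a dict."""
    pairs = (re.match(r"\s*(.+?)\.{2,}\s*(\S.*)$", ln) for ln in text.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in pairs if m}

def diagnose(debug_line, ap_cache_text, wlan_text):
    """Correlate the three outputs into a short list of findings."""
    findings = []
    failure, total = parse_ft_failure(debug_line), parse_cache_total(ap_cache_text)
    cfg = parse_dotted_settings(wlan_text)
    if failure and "Key Cache look up failed" in failure["detail"]:
        findings.append(f"FT key cache miss at BSSID {failure['bssid']} "
                        f"slot {failure['slot']} (status {failure['status']})")
        if total == 0:
            findings.append("AP reports 0 dot11r cache entries")
    akms = sorted(k for k, v in cfg.items() if ("PSK" in k or "1X" in k) and v == "Enabled")
    findings.append("AKM enabled: " + (", ".join(akms) or "none"))
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(DEBUG_LINE, AP_CACHE, WLAN_SECURITY)))
```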
08-17-2017 09:32 AM
Hi Mate,
Any possibility of testing this in 8.3 latest, as the release notes of 8.3.122.0 say Apple devices are tested.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn83mr2.html
Also, can we make sure we are following attached doc on dot11r,
Thanks
Sreejith
04-26-2018 01:00 PM
Hello
I'm having the same problem with vWLC 8.0.152 and iOS 11. Did you find some solution?
11-02-2017 06:43 AM
Hello,
I have exactly the same issue, did you know how to fix it?
Thanks in advance
Mohammed,
01-22-2018 03:11 AM
I'm seeing this behaviour on v8.2.151 too. Doesn't seem to be fixed in v8.2.166.
Will upgrade to v8.3.122 or v8.3.133; should be fixed in those releases.
Association Failed on REAP AP BSSID
04-27-2018 11:51 AM