9300 eWLC and DTLS replay attack

trondaker
Level 1

Hi,

Trying to get a C9300-24P acting as an eWLC to accept APs. The problem we're having is that the APs contact the eWLC for software, upgrade their image, but when they boot they say:

[*12/20/2022 12:49:18.3219] Sending Join request to 192.168.100.1through port 5248
[*12/20/2022 12:49:18.3258] Join Response from 192.168.100.1
[*12/20/2022 12:49:18.3259] AC accepted join request with result code: 0
[*12/20/2022 12:49:18.3417] Received wlcType 0, timer 30
[*12/20/2022 12:49:18.4213]
[*12/20/2022 12:49:18.4213] CAPWAP State: Image Data
[*12/20/2022 12:49:18.4217] AP image version 17.6.4.56 backup 8.10.112.0, Controller 17.6.4.56
[*12/20/2022 12:49:18.4218] Version is the same, do not need update.
[*12/20/2022 12:49:18.4666] status 'upgrade.sh: Script called with args:[NO_UPGRADE]'
[*12/20/2022 12:49:18.5003] do NO_UPGRADE, part2 is active part
[*12/20/2022 12:49:18.5071]
[*12/20/2022 12:49:18.5071] CAPWAP State: Configure
[*12/20/2022 12:49:18.6882] DOT11_CFG[1]: Starting radio 1
[*12/20/2022 12:49:18.6888] DOT11_DRV[1]: Start Radio1 - Begin
[*12/20/2022 12:49:18.6902] DOT11_DRV[1]: Start Radio1 - End
[*12/20/2022 12:49:18.7123] DOT11_CFG[0]: Starting radio 0
[*12/20/2022 12:49:18.7128] DOT11_DRV[0]: Start Radio0 - Begin
[*12/20/2022 12:49:18.7140] DOT11_DRV[0]: Start Radio0 - End
[*12/20/2022 12:49:18.8264] dtls_log_replay: dtls_log_replay: DTLS Replay Attack detected for Source IP 192.168.100.1[5246] and Destination IP 192.168.200.3[5248]

Why is this a replay attack? The switch is running 17.6.4.

9 Replies
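As an added illustration (not from the thread or from Cisco), here is the DTLS anti-replay sliding window that RFC 6347 section 4.1.2.6 describes, which is the kind of check behind the AP's "DTLS Replay Attack detected" line: a record is dropped when its epoch/sequence number was already accepted or has fallen behind the window, so a datagram duplicated or reordered on the path produces the same log message as a deliberate replay. The record stream is constructed for the example.

```python
WINDOW = 64  # RFC 6347 suggests a window of at least 32; 64 is what many stacks use


class ReplayWindow:
    """Sliding anti-replay window over (epoch, sequence_number), per RFC 6347 4.1.2.6."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.epoch = None   # epoch whose records we are currently tracking
        self.right = -1     # highest sequence number accepted in this epoch
        self.bitmap = 0     # bit i set  =>  sequence (right - i) already seen

    def check(self, epoch, seq):
        """Return (accepted, reason); state is updated only for accepted records."""
        if self.epoch is None or epoch > self.epoch:
            # A new epoch (fresh handshake or rekey) restarts the window.
            self.epoch, self.right, self.bitmap = epoch, seq, 1
            return True, "new epoch"
        if epoch < self.epoch:
            return False, "stale epoch"
        if seq > self.right:
            # Record is newer than anything seen: slide the window right.
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True, "advance"
        offset = self.right - seq
        if offset >= self.size:
            return False, "too old"        # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False, "replay"         # same epoch+seq already accepted
        self.bitmap |= 1 << offset
        return True, "late but new"


# Constructed record stream, controller -> AP, as (epoch, sequence_number).
# (1, 1) appears twice: a duplicate datagram, whatever its cause, is a "replay".
SAMPLE = [(1, 0), (1, 1), (1, 2), (1, 1), (1, 4), (1, 3), (1, 100), (1, 30), (0, 5)]


def run(records):
    """Feed records through one window; return (epoch, seq, accepted, reason) per record."""
    w = ReplayWindow()
    return [(e, s, *w.check(e, s)) for e, s in records]


if __name__ == "__main__":
    for epoch, seq, ok, why in run(SAMPLE):
        print(f"epoch={epoch} seq={seq:<3} {'accept' if ok else 'DROP  '} ({why})")
```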

marce1000
VIP


- What's in the eWLC logs during this process?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

trondaker
Level 1

2022/12/20 11:12:36.894376 {wncd_x_R0-0}{1}: [apmgr-capwap-join] [3316]: (note): MAC: c064.e423.d7e0 Successfully processed Join request. AP name: APC4F7.D54D.1F7C, Model: C9120AXI-E, radio slots: 2, rlan slots: 0, site tag name: default-site-tag, policy tag name: default-policy-tag, rf tag name: default-rf-tag
2022/12/20 11:12:36.894584 {wncd_x_R0-0}{1}: [capwapac-smgr-srvr] [3316]: (info): MAC: c064.e423.d7e0 Join Response generated with MTU 1485. as per MTU payload, update flag: 0
2022/12/20 11:12:36.894618 {wncd_x_R0-0}{1}: [capwapac-smgr-srvr] [3316]: (note): MAC: c064.e423.d7e0 Join processing complete. AP in joined state
2022/12/20 11:12:36.894660 {wncd_x_R0-0}{1}: [capwapac-smgr-sess] [3316]: (note): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] AP Connect msg sent to loadbalancer
2022/12/20 11:12:36.894684 {wncmgrd_R0-0}{1}: [ewlc-infra-evq] [2759]: (debug): instance :0 port:39188MAC: c4f7.d54d.1f7c
2022/12/20 11:12:37.136331 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [3316]: (debug): DTLS record type: 23, application data
2022/12/20 11:12:37.136478 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [3316]: (debug): DTLS record type: 23, application data
2022/12/20 11:12:37.136552 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [3316]: (debug): DTLS record type: 23, application data
2022/12/20 11:12:37.136793 {wncd_x_R0-0}{1}: [capwapac-smgr-sess] [3316]: (info): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] Capwap message received, type: config_status_request
2022/12/20 11:12:37.136796 {wncd_x_R0-0}{1}: [capwapac-smgr-sess] [3316]: (note): MAC: c064.e423.d7e0 Received CAPWAP config status request
2022/12/20 11:12:37.136824 {wncd_x_R0-0}{1}: [capwapac-smgr-sess-fsm] [3316]: (info): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] process config status request
2022/12/20 11:12:37.136876 {wncd_x_R0-0}{1}: [capwapac-smgr-srvr] [3316]: (note): MAC: c064.e423.d7e0 Successfully handled Config status request.
2022/12/20 11:12:37.137028 {wncd_x_R0-0}{1}: [apmgr-msgelem] [3316]: (info): c064.e423.d7e0 Static-ip is not set on AP
2022/12/20 11:12:37.137029 {wncd_x_R0-0}{1}: [apmgr-msgelem] [3316]: (info): c064.e423.d7e0 AP IPv6 nameserver is not set in config status
2022/12/20 11:12:37.137052 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 The reboot reason received from AP is out of range - 67
2022/12/20 11:12:37.137062 {wncd_x_R0-0}{1}: [apmgr-msgelem] [3316]: (info): c064.e423.d7e0 DTLS Capable 1
2022/12/20 11:12:37.137064 {wncd_x_R0-0}{1}: [apmgr-msgelem] [3316]: (info): c064.e423.d7e0 DTLS Enabled 0
2022/12/20 11:12:37.137219 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to get valid slot count. country code GB is not configured on WLC
2022/12/20 11:12:37.137420 {wncd_x_R0-0}{1}: [apmgr-db] [3316]: (info): c064.e423.d7e0 Invalid country code GB recvd from AP(slot: 1). Changing it to default country code: NO
2022/12/20 11:12:37.137445 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to get valid slot count. country code GB is not configured on WLC
2022/12/20 11:12:37.137520 {wncd_x_R0-0}{1}: [apmgr-db] [3316]: (info): c064.e423.d7e0 Invalid country code GB recvd from AP(slot: 0). Changing it to default country code: NO
2022/12/20 11:12:37.137539 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to process mac oper cfg payload. Received invalid fragmentation threshold 0 for slot 1 band 1
2022/12/20 11:12:37.137551 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to process mac oper cfg payload. Received invalid fragmentation threshold 0 for slot 1 band 1
2022/12/20 11:12:37.137562 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to process mac oper cfg payload. Received invalid fragmentation threshold 0 for slot 0 band 1
2022/12/20 11:12:37.137571 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to process mac oper cfg payload. Received invalid fragmentation threshold 0 for slot 0 band 1
2022/12/20 11:12:37.137581 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to process mac oper cfg payload. Received invalid fragmentation threshold 0 for slot 0 band 0
2022/12/20 11:12:37.137587 {wncd_x_R0-0}{1}: [apmgr-capwap-config] [3316]: (ERR): c064.e423.d7e0 Failed to process mac oper cfg payload. Received invalid fragmentation threshold 0 for slot 0 band 0
2022/12/20 11:12:37.138866 {wncd_x_R0-0}{1}: [apmgr-db] [3316]: (ERR): TRAP rebootreason_set failed
2022/12/20 11:12:37.138867 {wncd_x_R0-0}{1}: [apmgr-db] [3316]: (ERR): TRAP dataencryptionstatus_set failed
2022/12/20 11:12:37.139097 {wncd_x_R0-0}{1}: [capwapac-smgr-srvr] [3316]: (info): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] Config status request was processed and Config status response was sent. AP in Configuration state.
2022/12/20 11:12:37.139131 {wncd_x_R0-0}{1}: [capwapac-smgr-sess-fsm] [3316]: (note): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] Last Control Packet received 0 seconds ago.
2022/12/20 11:12:37.139132 {wncd_x_R0-0}{1}: [capwapac-smgr-sess-fsm] [3316]: (note): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] Last Data Keep Alive Packet information not available. Data session was not established
2022/12/20 11:12:37.139132 {wncd_x_R0-0}{1}: [capwapac-smgr-sess-fsm] [3316]: (note): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] AP disconnect reason not updated
2022/12/20 11:12:37.139249 {wncd_x_R0-0}{1}: [ewlc-dtls-sessmgr] [3316]: (info): Remote Host: 192.168.200.2[5273] MAC: c064.e423.d7e0 Sending DTLS alert message, closing session..
2022/12/20 11:12:37.139251 {wncd_x_R0-0}{1}: [ewlc-dtls-sessmgr] [3316]: (info): Remote Host: 192.168.200.2[5273] MAC: c064.e423.d7e0 alert type:warning, description:close notify
2022/12/20 11:12:37.139384 {wncd_x_R0-0}{1}: [ewlc-dtls-sess] [3316]: (note): Remote Host: 192.168.200.2[5273] MAC: c064.e423.d7e0 DTLS session destroy
2022/12/20 11:12:37.139421 {wncd_x_R0-0}{1}: [capwapac-smgr-sess] [3316]: (note): MAC: c064.e423.d7e0 CAPWAP-IDB-Delete: IFID is 0. Returning
2022/12/20 11:12:37.139740 {wncd_x_R0-0}{1}: [apmgr-db] [3316]: (info): c064.e423.d7e0 CAPWAP session termination notified to APMGR
2022/12/20 11:12:37.139797 {wncd_x_R0-0}{1}: [capwapac-smgr-sess] [3316]: (note): Mac: c064.e423.d7e0 Session-IP: 192.168.200.2[5273] 192.168.100.1[5246] AP DISCONNECT msg sent to loadbalancer


> ...Invalid country code GB recvd from AP(slot: 1). Changing it to default country code: NO

It looks like the country code(s) configured on the eWLC and the AP do not match.

 M.




The console on the AP seems to just set the country code and continue. The DTLS replay attack is the problem.


- What do you mean by that? The full product model of the AP also determines its country code (?)

 M.




Appears that the ones we have: C9120AXI-E, is for Europe, and you have to manually specify on the controller what actual country you are in. The controller has "NO", and seems like it tells the AP correctly to change. But the dtls-replay-attack stops the join-process after that.

- I don't understand this completely; as far as I know an AP cannot change its manufacturing-based country code.

M.



jesus Barrios
Level 1

Hello Trondaker,

Is there a solution?

trondaker
Level 1

No, can't figure this one out. Only a lab environment, not seen this in production yet, so haven't involved TAC.
