Apple Devices Reconnecting Constantly (IOS 14.x)

jerrymatson1 · ‎05-04-2021

Anyone ran into an odd behavior where Apple (Android works fine) constantly reconnect to an enterprise (EAP-TTLS) network? The controller shows everything is normal and client make it to the "RUN" state and then the controller receives a management action frame to DISACC (disassociate) from the device whereupon the process starts anew. From the user perspective, it just shows the SSID with a "blue check" disappear and reappear fully connected over and over again.

As for the wireless, we have WLCL 5520 (ha pair) and use flexconnect.

jerrymatson1 · ‎05-04-2021

Here is some output of the repeating issue/log:

*apfOpenDtlSocket: Apr 21 08:38:34.639: [PA] 2e:3c:d2:9c:16:b7 Received management frame DISASSOC on BSSID 00:b7:71:77:59:4f destination addr 00:b7:71:77:59:4f
*apfMsConnTask_0: Apr 21 08:38:34.639: [PA] 2e:3c:d2:9c:16:b7 Got disassoc frame from 2E:3C:D2:9C:16:B7 BSSID= 00:B7:71:77:59:40 reasoncode = 8 dataLen = 13
*apfMsConnTask_0: Apr 21 08:38:34.639: [PA] 2e:3c:d2:9c:16:b7 Apple_IE: Subtype = 2 Version = 1 Reason = 9, Subreason = 0
*apfMsConnTask_0: Apr 21 08:38:34.639: [PA] 2e:3c:d2:9c:16:b7 Setting client ReasonCode from (0) to (121)
*apfMsConnTask_0: Apr 21 08:38:34.639: [PA] 2e:3c:d2:9c:16:b7 CL_EVENT_DISASSOC (17), reasonCode (121)
*apfMsConnTask_0: Apr 21 08:38:34.639: [PA] 2e:3c:d2:9c:16:b7 MS Associated AP 00:b7:71:77:59:40 slot 1 MFP Disabled , 11w Disabled
*apfMsConnTask_0: Apr 21 08:38:34.639: [PA] 2e:3c:d2:9c:16:b7 Ignoring received Dissoc frame on AP 00:b7:71:77:59:40 slot 1
*apfOpenDtlSocket: Apr 21 08:38:35.736: [PA] 2e:3c:d2:9c:16:b7 Received management frame ASSOCIATION REQUEST on BSSID 00:b7:71:77:59:4f destination addr 00:b7:71:77:59:4f
*apfMsConnTask_0: Apr 21 08:38:35.736: [PA] 2e:3c:d2:9c:16:b7 Updating 11r vendor IE

Leo Laohoo · ‎05-04-2021

@jerrymatson1 wrote:

*apfMsConnTask_0: Apr 21 08:38:35.736: [PA] 2e:3c:d2:9c:16:b7 Updating 11r vendor IE

Disable 802.11k, v and r.

jerrymatson1 · ‎05-05-2021

Already disabled: (FT disabled on security tab and 802.11 v (BSS Transition) not checked, and 802.11k (neighbor list) also not checked.)

saravlak · ‎05-04-2021

did the issue start to happen after any specific change in network.
first, isolate WLAN config and client IOS(try different ios).
//try from open wlan and keep adding features to isolate the impacted feature.

it appear, 4-way handshake may be failing based on immediate disassoc.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html
check this section - Fast-Secure Roaming with 802.11r

jerrymatson1 · ‎05-05-2021

No changes were made when this issue started and it seems to be happening in a single office (among hundreds all tied to the same controller).

jerrymatson1 · ‎05-05-2021

Odd thing is that the issue seems to go away while the phone is locked (stays connected and stable) but will start reassociating repeatedly as soon as the user unlocks and starts using the phone. Only happening with Apple, all other devices (android, laptops) work fine.

saravlak · ‎05-05-2021

1.Disable MAC randomization on the device and try.

2.Try on a device with a different ios version.

Rich R · ‎05-05-2021

I don't see any mention of what version of AireOS you're using?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

saravlak · ‎05-05-2021

yes no aireos code detail.

Scott Fella · ‎05-05-2021

Just to add and also ask. You are using EAP-TTLS not EAP-TLS? Also did the issue start happening after Apple released the latest update? Have you identified that it is all iPhones no matter what model and or software version? Do these devices work fine on other SSID’s like open or psk or even EAP-PEAP? Have you looked at your HA failover status? Has there been a failover? Have you tried to force a failover?

-Scott
*** Please rate helpful posts ***