Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
662
Views
3
Helpful
3
Replies

APs Dot11radio state change up/down/reset - SSID disappears

Beacon Bits
Level 1
Level 1

‎02-28-2023 06:49 AM

Hi guys,

I'm seeing these logs on the APs. APs are connected to centralised WLC which has different APs from other sites as well. One particular site seeing below logs. Some logs are showing Dot11radio state change to up/down/reset. This makes SSID to disappear for shot period of time.

At the end also some WIDs attack logs. 

I found this chat but nothing saying much

https://community.cisco.com/t5/wireless/ap-radios-flapping-on-2-ghz/td-p/3086842

*Feb 28 11:09:47.955: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 56
*Feb 28 11:09:47.959: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 10
*Feb 28 11:09:47.963: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-5520.example.org
*Feb 28 11:09:47.971: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 28 11:09:48.231: %WIDS-6-ENABLED: IDS Signature is loaded and enabled%CRYPTO_PKI: Cert not yet valid or is expired -
*Feb 28 11:09:48.275: %DOT11-3-NA_SENSOR_CERT_ERROR: Certificate installation error: Error in saving WSA certificate.
*Feb 28 11:09:48.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Feb 28 11:09:48.379: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Feb 28 11:09:48.387: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Feb 28 11:09:48.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Feb 28 11:09:49.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Feb 28 11:09:49.419: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5280 MHz for 60 seconds.
*Feb 28 11:09:49.423: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb 28 11:09:49.431: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Feb 28 11:09:49.439: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Feb 28 11:09:50.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Feb 28 11:09:50.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Feb 28 11:09:50.471: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 28 11:09:51.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Feb 28 11:10:10.123: %CLEANAIR-6-STATE: Slot 0 enabled
*Feb 28 11:10:12.447: %CLEANAIR-6-STATE: Slot 1 enabled
*Feb 28 11:10:33.231: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 11:10:49.479: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5280 MHz
*Feb 28 11:21:50.139: %DOT11-4-CCMP_REPLAY: Client MAC-Address had 8 AES-CCMP TSC replays
*Feb 28 11:23:55.159: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 11:40:39.111: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 11:56:46.791: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 11:59:07.351: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 12:15:35.823: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 12:24:49.763: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 12:25:32.935: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 12:33:46.923: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 12:34:49.179: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 12:40:32.547: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 12:43:47.331: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 12:51:41.219: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 13:01:41.627: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 13:12:36.243: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 13:20:34.167: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 13:22:36.691: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 13:52:02.779: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 13:53:47.195: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Addressv

I have upgraded the WLC 5520 to the latest version. APs are on the same version too.

BeaconBits_0-1677595226605.png

Can anyone help to figure out the cause ?? @rasika

Regards,

B

 

Labels:
0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎02-28-2023 09:06 AM

 

 - You need to check the wireless environment , perhaps it is too busy , or there is  interference from other sources over the air, 

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Scott Fella
Hall of Fame
Hall of Fame

‎02-28-2023 09:11 AM

Like what @marce1000 mentioned, you need to physically go onsite and check.  This can be a device that has a bad wireless nic causing issue to your environment or something else.  If the mac address is the same throughout the log, then find that mac address.

-Scott
*** Please rate helpful posts ***

Rich R
VIP
VIP

‎03-01-2023 07:52 AM

And check for AP crash logs on the WLC: Management -> Tech Support -> AP Crash Log
Also check on the AP flash: for crash or event files which may reveal the cause.
If you have a crash log or event log then TAC will be able to decode the result and confirm the likely cause.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card