02-28-2023 06:49 AM
Hi guys,
I'm seeing these logs on the APs. The APs are connected to a centralised WLC, which also has APs from other sites. One particular site is seeing the logs below. Some logs show the Dot11Radio state changing to up/down/reset. This makes the SSID disappear for a short period of time.
At the end there are also some WIDS attack logs.
I found this chat, but it doesn't say much:
https://community.cisco.com/t5/wireless/ap-radios-flapping-on-2-ghz/td-p/3086842
*Feb 28 11:09:47.955: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 56
*Feb 28 11:09:47.959: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 10
*Feb 28 11:09:47.963: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-5520.example.org
*Feb 28 11:09:47.971: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 28 11:09:48.231: %WIDS-6-ENABLED: IDS Signature is loaded and enabled%CRYPTO_PKI: Cert not yet valid or is expired -
*Feb 28 11:09:48.275: %DOT11-3-NA_SENSOR_CERT_ERROR: Certificate installation error: Error in saving WSA certificate.
*Feb 28 11:09:48.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Feb 28 11:09:48.379: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Feb 28 11:09:48.387: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Feb 28 11:09:48.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Feb 28 11:09:49.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Feb 28 11:09:49.419: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5280 MHz for 60 seconds.
*Feb 28 11:09:49.423: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb 28 11:09:49.431: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Feb 28 11:09:49.439: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Feb 28 11:09:50.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Feb 28 11:09:50.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Feb 28 11:09:50.471: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 28 11:09:51.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Feb 28 11:10:10.123: %CLEANAIR-6-STATE: Slot 0 enabled
*Feb 28 11:10:12.447: %CLEANAIR-6-STATE: Slot 1 enabled
*Feb 28 11:10:33.231: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 11:10:49.479: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5280 MHz
*Feb 28 11:21:50.139: %DOT11-4-CCMP_REPLAY: Client MAC-Address had 8 AES-CCMP TSC replays
*Feb 28 11:23:55.159: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 11:40:39.111: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 11:56:46.791: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 11:59:07.351: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 12:15:35.823: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 12:24:49.763: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 12:25:32.935: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 12:33:46.923: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 12:34:49.179: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 12:40:32.547: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 12:43:47.331: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 12:51:41.219: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 13:01:41.627: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 13:12:36.243: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:MAC-Address
*Feb 28 13:20:34.167: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Address
*Feb 28 13:22:36.691: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
*Feb 28 13:52:02.779: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 13:53:47.195: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:MAC-Addressv
I have upgraded the WLC 5520 to the latest version. APs are on the same version too.
Can anyone help figure out the cause? @rasika
Regards,
B
02-28-2023 09:06 AM
- You need to check the wireless environment; perhaps it is too busy, or there is interference from other sources over the air.
M.
02-28-2023 09:11 AM
Like what @marce1000 mentioned, you need to physically go onsite and check. This can be a device that has a bad wireless NIC causing issues in your environment, or something else. If the MAC address is the same throughout the log, then find that MAC address.
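One way to run the check suggested above over an exported AP log, as an added example that is not part of the original thread: it counts the source MACs behind the WIDS alarms, pairs each alarm with its clear per signature/channel, and tallies radio resets by reason code. The sample lines and MAC values are constructed, and the year is an assumption because the AP timestamps carry none.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample in the thread's log format; the MAC values are made up.
SAMPLE = """\
*Feb 28 11:09:47.955: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 56
*Feb 28 11:10:33.231: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:02:00:00:00:00:01
*Feb 28 11:23:55.159: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:6
*Feb 28 12:24:49.763: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:02:00:00:00:00:01
*Feb 28 12:33:46.923: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:36 Source MAC:02:00:00:00:00:02
*Feb 28 12:34:49.179: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:36
"""

YEAR = 2023  # assumption: the log lines themselves do not include a year
LINE = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
ALARM = re.compile(r"Id:(\d+) Channel:(\d+)(?: Source MAC:(\S+))?")
RESET = re.compile(r"interface (\S+) due to the reason code (\d+)")

def summarize(text):
    macs, resets = Counter(), Counter()
    open_alarms, durations = defaultdict(deque), defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        tag, msg = m.group(2), m.group(3)
        if tag == "DOT11-5-EXPECTED_RADIO_RESET" and (r := RESET.search(msg)):
            resets[(r.group(1), int(r.group(2)))] += 1
        elif tag.startswith("WIDS-") and (a := ALARM.search(msg)):
            key = (int(a.group(1)), int(a.group(2)))  # (signature id, channel)
            if tag.endswith("SIG_ALARM"):
                macs[a.group(3)] += 1
                open_alarms[key].append(ts)
            elif tag.endswith("SIG_ALARM_OFF") and open_alarms[key]:
                # OFF lines carry no MAC, so pair with the oldest open alarm.
                start = open_alarms[key].popleft()
                durations[key].append((ts - start).total_seconds())
    still_open = {k: len(v) for k, v in open_alarms.items() if v}
    return {"macs": macs, "resets": resets,
            "durations": dict(durations), "open": still_open}

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(name, dict(value))
```

A single MAC dominating `macs` points to one device to locate onsite; many distinct MACs across channels point more toward a busy or interfered environment.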
03-01-2023 07:52 AM
And check for AP crash logs on the WLC: Management -> Tech Support -> AP Crash Log
Also check the AP flash for crash or event files, which may reveal the cause.
If you have a crash log or event log then TAC will be able to decode the result and confirm the likely cause.