03-10-2021 06:08 PM - edited 07-05-2021 01:21 PM
I have a Cisco Aironet 1142 configured in autonomous mode and I am just using it for a practice lab/learning environment.
I really do not have anything serious running off of it. I have a couple of indoor cameras connected and an ESP8266 based weather station.
What is going on is this AP will run fine for about 3 days and then will begin to get a bit flaky.
The web interface will stop responding and allowing logins. The devices will seem to be connected but not really have a good connection. The weather station will start to get sporadic updates and then I will need to "power cycle" the AP by pulling the PoE ethernet and let it reboot.
Once I do this it's good for about 3 days and then what I said above starts again.
Anything I can do to see what might be causing this?
03-11-2021 03:09 AM
Sounds like a typical software bug.
03-11-2021 08:04 AM
Well, unfortunately, that's not very helpful if that's the case.
I'm running c1140-k9w7-xx.153-3.JD17 which I think is the latest version. Even at that these are no longer supported by Cisco and I do not have a support agreement and cannot download software anyway.
I would not know specific filenames to search for different versions anywhere else.
I've tried tweaking settings from various suggestions I've found here but this is one of the last things that keeps happening.
The other thing that happens with one certain client constantly is:
Deauthenticating Station 6001.xxxx.xxxx Reason: Sending station has left the BSS
But I know the "sending station" didn't go anywhere because it's a fixed device that doesn't ever move.
03-11-2021 08:21 AM
This does look like a very late version for the 1142. This makes it a bit more difficult. The message you see could be caused because the device stopped responding to packets, for whatever reason.
Can you share your configuration without the passwords? Maybe we see something that could be tweaked.
Make sure to have all fancy features disabled, like 802.11r, 11k and 11v (not sure if the 1142 supports that at all).
03-12-2021 03:48 PM
Thanks for the suggestions.
I do believe I have all of those features turned off.
I believe this is the config file:
!
! Last configuration change at 21:09:01 -0600 Wed Mar 10 2021
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ap
!
!
logging rate-limit console 9
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone -0600 -6 0
clock summer-time -0500 recurring
no ip source-route
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 activity-timeout unknown default 6000
dot11 activity-timeout client default 6000
!
dot11 ssid JesusIsLord
   authentication open
   authentication key-management wpa version 2
   accounting acct_methods
   guest-mode
   wpa-psk ascii 7 XXXXXXXXXXXXXXXX
   no ids mfp client
!
dot11 ssid JesusIsLord_5G
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXXX
!
!
dot11 phone dot11e
!
power inline negotiation prestandard source
no ipv6 cef
!
!
username Cisco password 7 XXXXXXXXXXXX
username glen privilege 15 password 7 XXXXXXXXXXXX
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid JesusIsLord
 !
 antenna gain 0
 speed basic-12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
 no dot11 extension aironet
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 700
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid JesusIsLord_5G
 !
 antenna gain 0
 peakdetect
 dfs band 3 block
 speed basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel width 40-above
 channel dfs
 station-role root
 dot11 dot11r pre-authentication over-air
 no dot11 extension aironet
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 700
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 700
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 0022.bd18.b290
 ip address 192.168.86.90 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
!
ip default-gateway 192.168.86.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
 transport input all
!
end
That filter setting was a mistake I made in the GUI where I accidentally blocked 000.000.0000 to ffff.ffff.ffff. Not sure how I managed that but I had to console in and figure out how to fix it in the CLI. I think that's why those lines are still there.
03-15-2021 12:44 AM
Actually you do have some not optimal settings enabled.
Disable the following:
dot11 phone dot11e !unless you have Cisco Wireless Phones
dot11 dot11r pre-authentication over-air !I think, but not entirely sure, this is 802.11r on the CLI, this can often cause issues
no ip http secure-server ! enable this (remove the no) if you like the admin page protected/encrypted with SSL
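An added example (not part of the original posts, and not Cisco tooling): a small Python check that scans a saved running-config for the three settings flagged in the answer above. The sample config is a constructed excerpt modeled on the one posted in this thread; the script tracks the last `interface` header rather than indentation, so it also works on a flattened paste.

```python
import re

# (pattern, scope, finding) for the settings called out in the thread's answer.
CHECKS = [
    (re.compile(r"^dot11 phone dot11e$"), "global",
     "dot11 phone dot11e is enabled; disable unless Cisco wireless phones are used"),
    (re.compile(r"^dot11 dot11r pre-authentication\b"), "interface",
     "802.11r pre-authentication is enabled; the answer notes it often causes issues"),
]

# Constructed excerpt, flattened like the config posted in the thread.
SAMPLE = """\
dot11 phone dot11e
!
interface Dot11Radio0
no ip address
station-role root
!
interface Dot11Radio1
no ip address
station-role root
dot11 dot11r pre-authentication over-air
!
ip http server
no ip http secure-server
"""

def audit(config_text):
    """Return a list of (line_no, context, finding) tuples."""
    findings, iface, http_line, https_on = [], None, None, False
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("!")[0].strip()      # drop "!" separators and comments
        if not line:
            continue
        if line.startswith("interface "):
            iface = line.split()[1]           # remember the enclosing interface
        if line == "ip http server":
            http_line = no
        if line == "ip http secure-server":   # the "no ..." form does not match
            https_on = True
        for pattern, scope, finding in CHECKS:
            if pattern.match(line):
                findings.append((no, iface if scope == "interface" else "global", finding))
    if http_line and not https_on:
        findings.append((http_line, "global",
                         "web admin is HTTP only; ip http secure-server is not enabled"))
    return findings

if __name__ == "__main__":
    for no, ctx, finding in audit(SAMPLE):
        print(f"line {no} [{ctx}]: {finding}")
```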
03-15-2021 05:39 PM
Thanks so much for pointing out "dot11 phone dot11e !unless you have Cisco Wireless Phones" because I had no idea that was even in there. I really had to dig to find that setting. It must be a default setting because it certainly is one that I did not configure as it is now. I had to go into that part and disable it.
I also tried to adjust the "no ip http secure-server" but got a warning about setting a domain. I do not have a domain per se so it would not let me set that unless something like "cisco.local" would work. I know that would be accepted by the box but would it actually work?
For now I have made the change for Cisco IP phones. I can make the change referenced in the middle next time I get a chance to console into it.
03-16-2021 12:40 AM
03-17-2021 03:43 PM
Hard to imagine the Cisco phone setting would cause the freezing but at this point, my uptime is 1 week, 3 days, 17 hours so that change appears to have been what is needed.
Thanks so much!