11030 Views, 0 Helpful, 8 Replies

Cisco WLC - 4 way handshake timeout/failure - Troubleshooting

JRD1213
Level 1

Dear Cisco Technology & Support Community,

 

We are experiencing an issue with our Cisco 5508 Wireless LAN controller (Software Version 8.3.143.61) and Cisco Wireless access points. After the WLC is operational for a period of 30-60 days or so, clients begin experiencing the inability to authenticate new devices with the wireless network. For example, a Windows client may attempt to connect to the wireless network and provide the correct password; the authentication process will hang, and then fail without an error (on the Windows machine). Sometimes the Windows machine may say "invalid password" even though it is not the case of an incorrect password.

 

We are using the following security authentication: [WPA2][Auth(PSK)]

 

When we visit the WLC to review error(s) we see errors of this nature: "[DATE] Client Deauthenticated: MACAddress:[X] 1f Base Radio MAC:[Y] Slot: 0 User Name: unknown Ip Address: unknown Reason:4-Way Handshake timeout ReasonCode: 15"

 

For troubleshooting:

1.) Power recycling the services in the past has solved our issue. 

2.) We had thought in the past that this was an issue with DHCP and something to do with the inability to lease an IP address from our Cisco switch, however, we have moved the DHCP to both the firewall for one wireless network, and kept the DHCP on the switch for another wireless network, which ruled out DHCP, because DHCP leases from both the firewall and switch are functional.

3.) I have reviewed some articles on the support community about adjusting the eap eapol key timeout and retries via the following commands:

config advanced eap eapol-key-timeout
config advanced eap eapol-key-retries

However, we are not certain about what key 'timeout' or key 'retry' adjustments would be necessary against default settings and, more importantly, why, as this appears to be a stop-gap fix against a larger issue concerning wireless network uptime(s).

 

Would be happy to provide additional logs or additional troubleshooting information as required.

Any assistance concerning this matter would be much appreciated.

 

Thanks,

--

JD

8 Replies

marce1000
VIP

 

 - You may do some client (mac) debugging and have it then analyzed with :

            https://cway.cisco.com/tools/WirelessDebugAnalyzer/

  Also use the latest and/or last-forever supported software version on the 5508 (as it is EOL).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

JRD1213
Level 1

Hi there, thank you for your reply.

 

I parsed some logs through the Wireless Debug Analyzer.

We are seeing a great number of these connection failures from all over the network.

(Multiple access points. Multiple BSSID(s).)

We have the maximum EAP connection timeout thresholds set.

It would appear that the client fails to respond to the M2 handshake.

If I power cycle the hardware, things generally work fine and this issue "goes away".

Any thoughts?


Jun 01 04:53:21.329 *apfMsConnTask_2 Client made new Association to AP/BSSID BSSID aa:bb:cc:dd:ee:ff AP LWAPxx
Jun 01 04:53:21.331 *apfMsConnTask_2 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Jun 01 04:53:21.331 *apfMsConnTask_2 Client is entering the 802.1x or PSK Authentication state
Jun 01 04:53:21.331 *apfMsConnTask_2 Client has successfully cleared AP association phase
Jun 01 04:53:21.331 *apfMsConnTask_2 Client is entering PSK Dot1x or WEP authentication phase
Jun 01 04:53:21.332 *apfMsConnTask_2 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Jun 01 04:53:21.336 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Sending M1
Jun 01 04:53:26.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:26.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #1
Jun 01 04:53:31.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:31.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #2
Jun 01 04:53:36.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:36.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #3
Jun 01 04:53:41.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:41.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #4
Jun 01 04:53:46.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:46.346 *Dot1x_NW_MsgTask_5 Client has been deauthenticated
Jun 01 04:53:46.346 *Dot1x_NW_MsgTask_5 Client expiration timer code set for 10 seconds. The reason: Roaming failed due to WLAN security policy mismatch between controllers (configuration error). It can also be used to report EAPoL retry errors, and GTK rotation failure (in 8.5)
Jun 01 04:53:56.345 *apfReceiveTask Client session has timed out
Jun 01 04:53:56.345 *apfReceiveTask Client expiration timer code set for 10 seconds. The reason: Client was marked for deletion, and it was on associated, power save or blacklist state. Other message would provide reason for delete
Jun 01 04:54:06.345 *apfReceiveTask Client session has timed out
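The trace above and the "Client Deauthenticated ... ReasonCode: 15" syslog line quoted in the opening post can both be parsed mechanically, which makes it easier to answer the two questions raised in this thread: is the failure really "M1 sent, M2 never arrives" for every affected client, and is it spread across many radios (pointing at the controller) or confined to one AP. The script below is an added example written for this thread, not code from Cisco or from the Wireless Debug Analyzer. It rebuilds the handshake timeline from a per-client trace (counting M1 retransmissions, deriving the effective EAPOL-key timeout from the gap between each M1 and the following "did not respond" event, and measuring how long the client hung before the deauth) and tallies reason-code-15 deauths per client and per base radio MAC from syslog. Assumptions: the sample trace reuses the timestamps from the post, the healthy trace's "Sending M3" wording is my guess at the analyzer's next step (only "Sending M1" appears in the thread), and all MAC addresses in the syslog sample are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: per-client trace in the Wireless Debug Analyzer format shown in the
# thread; timestamps follow the post and the client never answers M1.
FAILING_TRACE = """\
Jun 01 04:53:21.336 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Sending M1
Jun 01 04:53:26.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:26.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #1
Jun 01 04:53:31.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:31.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #2
Jun 01 04:53:36.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:36.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #3
Jun 01 04:53:41.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:41.345 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M1 retry #4
Jun 01 04:53:46.345 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jun 01 04:53:46.346 *Dot1x_NW_MsgTask_5 Client has been deauthenticated
"""

# Constructed sample of a healthy client. "Sending M3" is an assumed wording for the
# analyzer's next handshake step; M3 can only be sent after a valid M2 was received.
HEALTHY_TRACE = """\
Jun 01 05:10:00.100 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Sending M1
Jun 01 05:10:00.140 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Sending M3
"""

# Constructed sample in the syslog format quoted in the original post (MACs are made up).
SYSLOG = """\
Jun 01 04:53:46 Client Deauthenticated: MACAddress:aa:aa:aa:00:00:01 Base Radio MAC:11:11:11:00:00:01 Slot: 0 User Name: unknown Ip Address: unknown Reason:4-Way Handshake timeout ReasonCode: 15
Jun 01 04:54:10 Client Deauthenticated: MACAddress:aa:aa:aa:00:00:02 Base Radio MAC:11:11:11:00:00:02 Slot: 1 User Name: unknown Ip Address: unknown Reason:4-Way Handshake timeout ReasonCode: 15
Jun 01 04:55:02 Client Deauthenticated: MACAddress:aa:aa:aa:00:00:03 Base Radio MAC:11:11:11:00:00:01 Slot: 0 User Name: unknown Ip Address: unknown Reason:4-Way Handshake timeout ReasonCode: 15
Jun 01 04:55:30 Client Deauthenticated: MACAddress:aa:aa:aa:00:00:04 Base Radio MAC:11:11:11:00:00:03 Slot: 0 User Name: unknown Ip Address: 10.0.0.4 Reason:Session timeout ReasonCode: 4
"""

TRACE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \*(?P<task>\S+) (?P<msg>.*)$")
SYSLOG_RE = re.compile(r"MACAddress:(?P<client>[0-9a-fA-F:]{17}).*?Base Radio MAC:"
                       r"(?P<radio>[0-9a-fA-F:]{17}).*?ReasonCode: (?P<code>\d+)")


def _ts(text):
    # The trace carries no year; strptime defaults to 1900, which is fine for differences.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def analyze_handshake(trace):
    """Rebuild the 4-way handshake timeline for one client trace.

    Returns the M1 retransmission count, whether the handshake got past M2, whether the
    client was deauthenticated, the effective EAPOL-key timeout in ms (gap between each
    M1 and the following "did not respond" event, rounded to 100 ms) and the seconds the
    client hung between the first M1 and the deauth.
    """
    sends, timeouts = [], []
    result = {"retries": 0, "m2_received": False, "deauthenticated": False,
              "timeout_ms": None, "hang_s": None}
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue
        ts, msg = _ts(m["ts"]), m["msg"]
        if "Sending M1" in msg or "Retransmitting M1" in msg:
            sends.append(ts)
            if "Retransmitting" in msg:
                result["retries"] += 1
        elif "did not respond with M2" in msg:
            timeouts.append(ts)
        elif "Sending M3" in msg:  # assumed wording, see lead-in
            result["m2_received"] = True
        elif "Client has been deauthenticated" in msg and sends:
            result["deauthenticated"] = True
            result["hang_s"] = round((ts - sends[0]).total_seconds(), 2)
    # Each M1 (or retransmit) is followed by its own timeout event, so pair them in order.
    gaps = [round((t - s).total_seconds() * 10) * 100 for s, t in zip(sends, timeouts)]
    if gaps:
        result["timeout_ms"] = Counter(gaps).most_common(1)[0][0]
    return result


def summarize_deauths(syslog, reason_code=15):
    """Count handshake-timeout deauths per client and per AP radio, so a controller-wide
    pattern (many radios) can be told apart from a single misbehaving AP."""
    per_client, per_radio = Counter(), Counter()
    for line in syslog.splitlines():
        m = SYSLOG_RE.search(line)
        if m and int(m["code"]) == reason_code:
            per_client[m["client"]] += 1
            per_radio[m["radio"]] += 1
    return {"events": sum(per_client.values()), "clients": len(per_client),
            "radios": len(per_radio), "per_radio": dict(per_radio)}


def max_hang_seconds(timeout_ms, retries):
    """Worst-case time a client sits in the handshake before the WLC gives up:
    the initial M1 plus each retry waits one full EAPOL-key timeout."""
    return timeout_ms * (retries + 1) / 1000


if __name__ == "__main__":
    print("failing client:", analyze_handshake(FAILING_TRACE))
    print("healthy client:", analyze_handshake(HEALTHY_TRACE))
    print("reason-code-15 deauths:", summarize_deauths(SYSLOG))
    print("hang at 5000 ms x 4 retries:", max_hang_seconds(5000, 4), "s")
```

Against the trace from the post this reports four retransmissions, no M2, a 5000 ms effective timeout and a 25 s hang, which matches the "maximum thresholds" statement above: raising `eapol-key-timeout` and `eapol-key-retries` only lengthens how long a silent client is retried, it cannot make a client answer M1. Compare the derived timeout with what `show advanced eap` reports on the controller, and use the per-radio tally to confirm whether the failures really span many access points before treating the controller (rather than an AP or client driver) as the suspect.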

 

 - Which authenticating-policy-platform are you using? Are the intended policy rules being hit? Check the logs for the clients on the wireless network (expecting to get authenticated).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Everything is handled locally by the wireless LAN controller.

 

Layer 2 Security = WPA+WPA2

WPA+WPA2 Parameters = WPA2 Policy, WPA2 Encryption (AES)

Authentication Key Management = PSK

 

Thanks,

Hi All,

 

Since I am assisting JRD1213 with this issue, I can confirm the previous comment that WPA2 is being used. The WLC is locally performing the authentication for all WiFi clients. Is there something we should be checking on the WLC for Auth?

 

Regards,

Hi, were you able to resolve this issue? I am getting multiple scanners dropping off at the same time, failing the M2 handshake. Then only after the scanners are rebooted do they come back up.

No, we have not found a solution for this issue.
Our only workaround is to restart the access points.

Hi JRD

 

Did you find a fix for this issue?
