08-15-2013 12:09 PM - edited 07-04-2021 12:39 AM
Hello everyone, I hope you can help me because I really need it.
I have two WLC 5508 and some APs (1131 and 3602). I don't know why, but my clients are losing their connection to the WLAN. Here are some logs from the WLC.
[01:51:55 p.m.] Jonatan Sosa Franco: dot1xMsgTask: Aug 15 18:49:29.829: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:49:14.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:57.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:07.225: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 68:7f:74:68:2c:91
*dot1xMsgTask: Aug 15 18:46:35.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:14:bc:f4:c4
*spamApTask4: Aug 15 18:46:27.305: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database
*spamApTask4: Aug 15 18:46:26.615: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A
*apfReceiveTask: Aug 15 18:46:26.370: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
*dot1xMsgTask: Aug 15 18:45:57.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72
*dot1xMsgTask: Aug 15 18:44:16.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47
*apfMsConnTask_3: Aug 15 18:44:13.455: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.
*dot1xMsgTask: Aug 15 18:43:33.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:43:18.222: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:43:15.021: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:6c:1c:63:36
*dot1xMsgTask: Aug 15 18:43:02.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:13:02:3d:e7:f6
*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aboted for client 00:13:02:3d:e7:f6
*dot1xMsgTask: Aug 15 18:42:26.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client f4:0b:93:a5:f5:2f
*apfMsConnTask_7: Aug 15 18:42:23.606: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: f4:0b:93:a5:f5:2f.
*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.699: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:597 Unable to send AAA message for client 00:13:02:3d:e7:f6
*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.697: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aboted for client 00:13:02:3d:e7:f6
*dot1xMsgTask: Aug 15 18:42:05.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M3 retransmissions exceeded for client 00:13:02:3d:e7:f6
*dot1xMsgTask: Aug 15 18:40:25.221: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 18:e7:f4:7c:3b:88
*webauthRedirect: Aug 15 18:40:06.377: %EMWEB-3-READ_ERROR: webauth_redirect.c:938 read error on server socket
*dot1xMsgTask: Aug 15 18:39:51.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:39:36.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:39:19.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:39:16.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e
*dot1xMsgTask: Aug 15 18:39:02.021: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e
*dot1xMsgTask: Aug 15 18:38:47.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e
*dot1xMsgTask: Aug 15 18:38:45.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47
*apfMsConnTask_5: Aug 15 18:38:42.748: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.
*spamApTask3: Aug 15 18:38:34.872: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database
*spamApTask3: Aug 15 18:38:34.185: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A
*apfReceiveTask: Aug 15 18:38:33.938: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
*apfMsConnTask_6: Aug 15 18:36:23.285: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.
*Dot1x_NW_MsgTask_3: Aug 15 18:36:05.902: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:85:08:89:f3:9b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00
*dot1xMsgTask: Aug 15 18:35:41.817: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 74:e1:b6:92:65:09
*apfMsConnTask_6: Aug 15 18:35:18.777: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.
*dot1xMsgTask: Aug 15 18:35:12.817: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 30:17:c8:43:0c:2d
*apfMsConnTask_5: Aug 15 18:34:12.772: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.
*dot1xMsgTask: Aug 15 18:33:58.217: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72
*dot1xMsgTask: Aug 15 18:33:49.217: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client c8:6f:1d:04:5d:5a
*apfMsConnTask_5: Aug 15 18:33:17.082: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.
*dot1xMsgTask: Aug 15 18:31:53.617: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72
*dot1xMsgTask: Aug 15 18:31:06.017: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 88:53:2e:0f:99:66
*spamApTask4: Aug 15 18:29:18.178: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database
*spamApTask4: Aug 15 18:29:17.491: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A
*apfReceiveTask: Aug 15 18:29:17.246: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
Regards...
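A first triage step for a log like the one above is to separate one noisy client from a WLAN-wide problem. The following is an added example, not part of the original post: it groups the `%FACILITY-SEVERITY-MNEMONIC` messages by type and the DOT1X failures by client MAC. The function names and the threshold are illustrative choices.

```python
import re
from collections import Counter, defaultdict

# Six lines copied from the WLC message log in the post above.
SAMPLE_LOG = """\
*dot1xMsgTask: Aug 15 18:49:14.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:57.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:07.225: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 68:7f:74:68:2c:91
*dot1xMsgTask: Aug 15 18:44:16.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47
*apfMsConnTask_3: Aug 15 18:44:13.455: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.
*dot1xMsgTask: Aug 15 18:43:33.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
"""

# %FACILITY-SEVERITY-MNEMONIC: free text
LINE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)


def summarize(log_text):
    """Return (events per type, DOT1X events per client MAC)."""
    per_event = Counter()
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a syslog-style message line
        per_event[f"{m['facility']}-{m['mnemonic']}"] += 1
        if m["facility"] == "DOT1X":
            mac = MAC.search(m["text"])
            if mac:
                per_client[mac.group().lower()][m["mnemonic"]] += 1
    return per_event, per_client


def repeat_offenders(per_client, threshold=3):
    """Clients with at least `threshold` DOT1X failures, worst first."""
    totals = {mac: sum(c.values()) for mac, c in per_client.items()}
    hits = [(mac, n) for mac, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    events, clients = summarize(SAMPLE_LOG)
    print(events.most_common())
    print(repeat_offenders(clients))
```

Many distinct MACs failing the same way points at the WLAN or RADIUS configuration, while one MAC dominating the count points at that client.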
09-15-2013 10:17 AM
To make it simple... on Windows and many other devices, you have some choices:
WPA-Personal <-- Preshared Key
WPA2-Personal <-- Preshared Key
WPA-Enterprise <-- 802.1x
WPA2-Enterprise <-- 802.1x
When using either of these, your WLC needs to have WPA+WPA2. When you specify 802.1x, you can set up the RADIUS server to use PEAP, EAP-TLS or machine authentication. These are defined on the RADIUS server and also have to match what you have on the client.
See below:
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
08-15-2013 12:26 PM
This is not the same, but very similar to an issue I had after upgrading to 7.3, see the link below for more details.
http://www.goatnetworking.com/forum/viewtopic.php?f=8&t=1771&p=1844#p1844
08-15-2013 12:31 PM
I have version 7.2.110 and I have disabled those options...
08-15-2013 12:33 PM
What type of clients? Can you post your show wlan?
Thanks,
Scott
08-15-2013 12:44 PM
Well, they're laptops, tablets, Macs, etc.
08-15-2013 12:44 PM
By the way, this happened in every WLAN; I have 6.
08-15-2013 01:27 PM
Sorry Scott
Here's the information:
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... Ferromex
Network Name (SSID).............................. Ferromex
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 85
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ usuarios ferromex
--More-- or (q)uit
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
DHCP Server...................................... 10.10.40.10
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
--More-- or (q)uit
Authentication................................ 10.10.40.15 1812
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Enabled
Encryption:..................................... 104-bit WEP
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Local Authentication.............. Disabled
--More-- or (q)uit
FlexConnect Learn IP Address.................. Disabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
802.11u........................................ Disabled
Access Network type............................ Not configured
Network Authentication type.................... Not configured
Internet service............................... Disabled
HESSID......................................... 00:00:00:00:00:00
Hotspot 2.0.................................... Disabled
--More-- or (q)uit
WAN Metrics configuration
Link status.................................. 0
Link symmetry................................ 0
Downlink speed............................... 0
Uplink speed................................. 0
Mobility Services Advertisement Protocol....... Disabled
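The Security section of this output shows 802.1X paired with 104-bit WEP and WPA/WPA2 disabled, which is the mismatch the reply marked as the solution addresses. The following is an added example, not from the thread: it parses the dotted `show wlan` fields and flags that combination. The function names and finding texts are illustrative.

```python
import re

# Lines copied from the `show wlan 1` output above (Security section).
SHOW_WLAN = """\
Network Name (SSID).............................. Ferromex
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Enabled
Encryption:..................................... 104-bit WEP
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
"""

# "Key....... value" with an optional colon before the dot leader.
FIELD = re.compile(r"^\s*(?P<key>.+?)\s*:?\s*\.{3,}\s*(?P<value>.*?)\s*$")


def parse_show_wlan(text):
    """Map each dotted field name to its value; headings are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m["key"]] = m["value"]
    return fields


def audit(fields):
    """Return findings for the legacy 802.1X + WEP layer 2 setting."""
    findings = []
    dot1x = fields.get("802.1X", "").lower()
    enc = fields.get("Encryption", "")
    wpa = fields.get("Wi-Fi Protected Access (WPA/WPA2)", "").lower()
    if dot1x == "enabled" and "wep" in enc.lower():
        findings.append(f"802.1X is paired with {enc}, not WPA/WPA2")
    if wpa != "enabled":
        findings.append("WPA/WPA2 is disabled; PEAP clients expect WPA+WPA2 with 802.1x")
    if "inactive" in fields.get("Client MFP", "").lower():
        findings.append("Client MFP is inactive because WPA2 is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_wlan(SHOW_WLAN)):
        print("-", finding)
```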
08-15-2013 01:34 PM
You are doing LEAP? What does the RADIUS server show in the logs?
Sent from Cisco Technical Support iPhone App
08-15-2013 01:40 PM
I'm using PEAP
08-15-2013 01:41 PM
PEAP is using WPA + WPA2 and then 802.1x
08-15-2013 01:47 PM
Well, I just select 802.1x; I have this screen.
08-15-2013 01:47 PM
I forgot to tell you I'm using ISE for Auth
08-15-2013 01:48 PM
Same here... I don't deploy PEAP the way you have it though.
08-15-2013 01:51 PM
OK, so I need to change the security configuration as you do?