08-15-2013 12:09 PM - edited 07-04-2021 12:39 AM
Hello everyone, I hope you can help me because I really need it.
I have two WLC 5508 and some APs 1131 and 3602. I don't know why, but my clients are losing connection to the WLAN. Here are some logs from the WLC.
*dot1xMsgTask: Aug 15 18:49:29.829: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:49:14.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:57.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:07.225: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 68:7f:74:68:2c:91
*dot1xMsgTask: Aug 15 18:46:35.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:14:bc:f4:c4
*spamApTask4: Aug 15 18:46:27.305: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database
*spamApTask4: Aug 15 18:46:26.615: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A
*apfReceiveTask: Aug 15 18:46:26.370: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
*dot1xMsgTask: Aug 15 18:45:57.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72
*dot1xMsgTask: Aug 15 18:44:16.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47
*apfMsConnTask_3: Aug 15 18:44:13.455: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.
*dot1xMsgTask: Aug 15 18:43:33.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:43:18.222: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:43:15.021: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:6c:1c:63:36
*dot1xMsgTask: Aug 15 18:43:02.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:13:02:3d:e7:f6
*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aboted for client 00:13:02:3d:e7:f6
*dot1xMsgTask: Aug 15 18:42:26.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client f4:0b:93:a5:f5:2f
*apfMsConnTask_7: Aug 15 18:42:23.606: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: f4:0b:93:a5:f5:2f.
*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.699: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:597 Unable to send AAA message for client 00:13:02:3d:e7:f6
*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.697: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aboted for client 00:13:02:3d:e7:f6
*dot1xMsgTask: Aug 15 18:42:05.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M3 retransmissions exceeded for client 00:13:02:3d:e7:f6
*dot1xMsgTask: Aug 15 18:40:25.221: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 18:e7:f4:7c:3b:88
*webauthRedirect: Aug 15 18:40:06.377: %EMWEB-3-READ_ERROR: webauth_redirect.c:938 read error on server socket
*dot1xMsgTask: Aug 15 18:39:51.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:39:36.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:39:19.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:39:16.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e
*dot1xMsgTask: Aug 15 18:39:02.021: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e
*dot1xMsgTask: Aug 15 18:38:47.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e
*dot1xMsgTask: Aug 15 18:38:45.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47
*apfMsConnTask_5: Aug 15 18:38:42.748: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.
*spamApTask3: Aug 15 18:38:34.872: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database
*spamApTask3: Aug 15 18:38:34.185: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A
*apfReceiveTask: Aug 15 18:38:33.938: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
*apfMsConnTask_6: Aug 15 18:36:23.285: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.
*Dot1x_NW_MsgTask_3: Aug 15 18:36:05.902: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:85:08:89:f3:9b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00
*dot1xMsgTask: Aug 15 18:35:41.817: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 74:e1:b6:92:65:09
*apfMsConnTask_6: Aug 15 18:35:18.777: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.
*dot1xMsgTask: Aug 15 18:35:12.817: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 30:17:c8:43:0c:2d
*apfMsConnTask_5: Aug 15 18:34:12.772: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.
*dot1xMsgTask: Aug 15 18:33:58.217: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72
*dot1xMsgTask: Aug 15 18:33:49.217: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client c8:6f:1d:04:5d:5a
*apfMsConnTask_5: Aug 15 18:33:17.082: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.
*dot1xMsgTask: Aug 15 18:31:53.617: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72
*dot1xMsgTask: Aug 15 18:31:06.017: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 88:53:2e:0f:99:66
*spamApTask4: Aug 15 18:29:18.178: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database
*spamApTask4: Aug 15 18:29:17.491: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A
*apfReceiveTask: Aug 15 18:29:17.246: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
Regards...
09-15-2013 02:10 AM
Get the debug client < mac address of the client >
Wait till the client disconnects to figure out the true reason for the disconnection.
Changing the EAP type on the client has nothing to do with client disconnectivity.
-----------------------------------------------------------------------------------------------------------
Please make sure to rate correct answers
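As an added example (not part of the thread and not any poster's code): a Python sketch that tallies the %DOT1X-3 messages in a WLC log excerpt per client MAC, to help choose which client to run debug client against. The sample lines are copied from the log in the first post; the function name `tally_dot1x` and the grouping of mnemonics into phases are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# A few lines copied from the WLC log in the first post of this thread.
SAMPLE_LOG = """\
*dot1xMsgTask: Aug 15 18:49:14.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:57.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42
*dot1xMsgTask: Aug 15 18:48:07.225: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 68:7f:74:68:2c:91
*spamApTask4: Aug 15 18:46:26.615: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A
*dot1xMsgTask: Aug 15 18:42:05.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M3 retransmissions exceeded for client 00:13:02:3d:e7:f6
*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.699: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:597 Unable to send AAA message for client 00:13:02:3d:e7:f6
*Dot1x_NW_MsgTask_3: Aug 15 18:36:05.902: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:85:08:89:f3:9b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00
"""

# Matches only DOT1X messages that name a client MAC; AP/RRM lines are skipped.
LINE_RE = re.compile(
    r"%DOT1X-3-(?P<mnemonic>[A-Z0-9_]+):.*?client (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Assumed grouping for this example: which stage of 802.1X each mnemonic points at.
PHASE = {
    "MAX_EAP_RETRIES": "eap",                  # client never answered EAP identity
    "MAX_EAP_RETRANS": "eap",
    "ABORT_AUTH": "eap",
    "AAA_AUTH_SEND_FAIL": "radius",            # WLC could not send the AAA message
    "MAX_EAPOL_KEY_RETRANS": "key-handshake",  # EAPOL-key M1/M3 unanswered
    "INVALID_REPLAY_CTR": "key-handshake",
}

def tally_dot1x(log_text):
    """Return [(mac, Counter(phase -> count))], busiest client first."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        phase = PHASE.get(m["mnemonic"].upper(), "other")
        per_client[m["mac"].lower()][phase] += 1
    # Sort by total message count (descending), then by MAC for stable output.
    return sorted(per_client.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))

if __name__ == "__main__":
    for mac, phases in tally_dot1x(SAMPLE_LOG):
        print(mac, dict(phases))
```
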
09-15-2013 08:18 AM
Daniel,
It seems like you might have multiple things wrong in the install. Having fixed the regulatory domain is important, but it should have been caught when verifying that all APs are joined to the WLC and in the RUN state. With 802.1x, there are so many variables. You have to make sure there is a certificate, that the client wireless profile is configured properly, that the WLC WLAN is set up to use the correct 802.1x EAP type the client is using and that the RADIUS server is set up properly with a policy that is working. Having all WLANs mapped to the same interface doesn't have an impact unless you run out of DHCP addresses.
We have to assume that the basic stuff is set up right and we tend to jump ahead. When we see a poster that has issues with 802.1x we ask if everything works on open or pre-shared key; this helps eliminate any possible WLC configuration, maybe network configuration and client issues.
My next question, since I do assume things, is how comfortable are you with RADIUS and setting up a RADIUS policy?
09-15-2013 09:29 AM
Hello Scott.
Well, honestly I never set up a WCS or RADIUS, but our client does, and he told me that before the upgrade his wireless network never had these issues.
I have been following you and your posts for some time, and yes... I know you always ask whether the same issues occur with open auth or WPA/WPA2.
So I created a new SSID with DHCP on one switch and used WPA + WPA2 for auth, and it worked; I never got disconnected.
The client has an external DHCP server; for this reason I decided to create new interfaces with new IP addressing.
By the way, the client had to change the way they access the network, because they were using 802.1x in their connection properties, so they changed this to WPA2 Enterprise, and we tested it with his RADIUS and AD and everything looked fine.
09-15-2013 09:39 AM
Daniel,
I have clients that also say they have RADIUS experience because they have it up and running already, but if they had to bring up a new RADIUS and configure everything, they can't. I have experienced policies being an issue also from moving from one system to another and them saying that it was working before... man do I hate when they say that! Drives me crazy. The logs on the RADIUS server can tell you what the issue is almost 90% of the time. To be honest, you really need to see the policy created, the configuration on the WLC and the configuration on the wireless client device. If that all matches up, then the debugs really come in handy. Debugs are always handy along with error logs.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
09-15-2013 09:52 AM
Well, I guess I need to learn about RADIUS servers.
But I have one option, and this option is to change the auth method to use WPA + WPA2 and begin from zero with new security policies. If I change the auth method, can I tell the client we have a problem with his RADIUS server?
Do you have any hint for someone inexperienced with RADIUS servers?
09-15-2013 10:17 AM
To make it simple... on Windows and many other devices, you have some choices:
WPA-Personal <-- Preshared Key
WPA2-Personal <-- Preshared Key
WPA-Enterprise <-- 802.1x
WPA2-Enterprise <-- 802.1x
When using either of these, your WLC needs to have WPA+WPA2. When you specify 802.1x, you can set up the RADIUS server to use PEAP, EAP-TLS or machine authentication. These are defined on the RADIUS server and also have to match what you have on the client.
See below:
Thanks,
Scott
10-23-2013 08:17 AM
Thank you Scott, you were right. I configured the security how you told me and now everything is working fine.
01-30-2014 06:32 AM
So, after changes which are on a screen shot from Scott, you are not getting tons of the errors, which you had posted in the beginning? Or you just resolved "disconnecting" issue?
Thanks
Gennadiy