08-19-2020 04:23 AM - edited 07-05-2021 12:25 PM
Hi community,
I'm facing some connectivity issues when trying to connect iPhone 6 running any iOS 12.4.x release.
They all get stuck after receiving 4-way handshake M1 and, after many retries, the controller deletes the session. See below RA output:
{wncd_x_R0-0}{1}: [auth-mgr] [25343]: (info): [aabb.ccdd.eeff:capwap_90000013] Authc success from Dot1X, Auth event success
{wncd_x_R0-0}{1}: [auth-mgr] [25343]: (info): [aabb.ccdd.eeff:capwap_90000013] auth mgr attr change notification is received for attr (450)
{wncd_x_R0-0}{1}: [auth-mgr] [25343]: (info): [aabb.ccdd.eeff:capwap_90000013] Received User-Name Username for client aabb.ccdd.eeff
{wncd_x_R0-0}{1}: [client-auth] [25343]: (note): MAC: aabb.ccdd.eeff L2 Authentication Key Exchange Start. Resolved VLAN: 1, Audit Session id: 7808080A000001D5065F3D9B
{wncd_x_R0-0}{1}: [mm-client] [25343]: (debug): MAC: 0000.0000.0000 Sending pmk_update of XID (0) to (MobilityD[0])
{wncd_x_R0-0}{1}: [client-auth] [25343]: (info): MAC: aabb.ccdd.eeff Client auth-interface state transition: S_AUTHIF_DOT1XAUTH_PENDING -> S_AUTHIF_DOT1XAUTH_KEY_XCHNG_PENDING
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff EAP key M1 Sent successfully
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff Client key-mgmt state transition: S_INITPMK -> S_PTK_START
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff Keymgmt: resend eapol key m1. Retrasmitting EAP key packet M1
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff Client key-mgmt state transition: S_PTK_START -> S_PTK_START
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff Keymgmt: resend eapol key m1. Retrasmitting EAP key packet M1
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff Client key-mgmt state transition: S_PTK_START -> S_PTK_START
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (ERR): MAC: aabb.ccdd.eeff Keymgmt: Failed to eapol key m1 retransmit failure. Max retries for M1 over
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff Keymgmt: eapol key failure. Sending client key exchange failure to auth fsm,reason code: 15
{wncd_x_R0-0}{1}: [client-keymgmt] [25343]: (info): MAC: aabb.ccdd.eeff Client key-mgmt state transition: S_PTK_START -> S_KEYMGMT_CLIENT_DELETE
{wncd_x_R0-0}{1}: [client-auth] [25343]: (info): MAC: aabb.ccdd.eeff Client auth-interface state transition: S_AUTHIF_DOT1XAUTH_KEY_XCHNG_PENDING -> S_WAIT_FOR_CO_DELETE
{wncd_x_R0-0}{1}: [client-orch-sm] [25343]: (info): MAC: aabb.ccdd.eeff Deleting the client, reason: 15, CO_CLIENT_DELETE_REASON_KEY_XCHNG_TIMEOUT, Client state S_CO_L2_AUTH_IN_PROGRESS
{wncd_x_R0-0}{1}: [client-orch-sm] [25343]: (note): MAC: aabb.ccdd.eeff Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_KEY_XCHNG_TIMEOUT, fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
Conditions:
Cisco WLAN running either 16.121.2s or 17.3.1
iPhone 6 running from 12.4.5 to 12.4.8
SSID config #1: dot1X WPA/WPA2 with SHA1+SHA256 + Disabled FT
SSID config #2: dot1X WPA/WPA2 with SHA1 + Disabled FT
SSID config #3: dot1X WPA/WPA2 with SHA256 + Disabled FT
SSID config #4: dot1X WPA2/WPA3 with SHA1+SHA256 + Disabled FT
Anyone experiencing same issue?
Regards
08-24-2020 08:54 AM
09-15-2020 06:13 AM
Hello, was someone able to find a solution? We are experiencing the "same" issue with various older clients in customer environments. In simple WPA2 AES PSK networks as well. Cisco 1242 as WGB for example.
Same log output saying no response to eapol m1.
No way to tell customers that truck loads of devices must be replaced while working fine on old infrastructure.
01-15-2021 04:59 AM
Hello,
I have the same issue with a C9800-CL version 17.3.2a and Symbol MC9190-G devices. Other devices are working as expected such as Symbol MC92N0.
I am opening a case to TAC and will let you know.
Jon
02-09-2021 12:23 PM - edited 02-09-2021 12:23 PM
Hi,
Regarding my issue, I have troubleshot it further with TAC and I can give you some news:
- In Central Switching and Central Association, the AP does not send M1 and 4-way handshake times out. TAC filed a new bug for this issue: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx25407
- In Local Switching and Local Association (FlexConnect), the AP sends M1 but Symbol MC9190 and MC92N0 do not answer to it and 4-way handshake times out.
10-15-2021 03:32 PM
Hi, did Cisco provide a solution for this problem?
The mentioned bug is still open 8 months later. There is also no mentioned workaround.
Best Regards
Tony
10-17-2021 12:26 PM - edited 10-17-2021 12:29 PM
It's not open - it's Status: Terminated (since 19 April 2021). That means they are not working on it and it will not be fixed. I think it really would be helpful for the developer to provide more info in the notes explaining why they've done that.
I suggest you use the "Was the description about this Bug Helpful?" rating option (1 to 5 star) to provide your feedback. If you select 1 star you will be prompted for feedback.
I actually suspect CSCvx25407 should be duplicated to CSCvs73917 as per @Grendizer's reply below.
01-16-2021 08:50 AM
This is because CSCvv80326: iPhones running iOS 14 are not responding to EAPOL M1 during roaming
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv80326
Duplicate by CSCvs73917
Workaround:
Do not use session timeout value of 0
If maximum session timeout is desired, use 86400
01-21-2021 11:45 AM
Just to confirm, this only affects the new IOS based WLC and not the old WLC running 8.x?
01-21-2021 12:05 PM
That’s correct,