
Disconnect due to Reassociation

Jaro
Level 1

Hello, I have a problem with a few clients disconnecting (mainly Windows and Mac clients).

I'm using Mobility Express with 4 APs.

The security is WPA2/AES, EAP with RADIUS.

 

I ran a debug on one Windows client, and it was disconnected when the reassociation process started.

So I found something about fast secure roaming, but I'm not sure what I should use.

 

I found this document :

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

 

There is something written there about CCKM and OKC, but there are some limitations.

The question is whether I can change some timer for reassociation, or whether I need to enable fast secure roaming somehow.

 

Thank you very much for help


Hi,

  Your suspicion would make sense if clients drop while roaming.

You can try to extend the session-timeout:

config wlan session-timeout {wlan_id | foreignAp} second

 For 802.1x: 300-86400 (sec). Put it at the maximum if it is not already.

This can prevent the client from re-authenticating very often.

You can run 'debug aaa all' to try to see any error in the process.

Those commands are for version 8.3; if you are running a previous version, make sure there are similar commands.

Hi, 

Thanks for answer.

 

I had already changed the session-timeout to 86400 before I posted this message, but it looks like something with fast secure roaming, on the same AP.

 

I'm sending you the part of the debug which caused the disconnect of the client.

 

xx:xx:xx:xx:xx:xx Recevied management frame REASSOCIATION REQUEST on BSSID yy:yy:yy:yy:yy:yy destination addr zz:zz:zz:zz:zz:zz
xx:xx:xx:xx:xx:xx Processing assoc-req station:xx:xx:xx:xx:xx:xx AP:yy:yy:yy:yy:yy:yy-01 ssid : XX_WIFISSID thread:???????
xx:xx:xx:xx:xx:xx Station: xx:xx:xx:xx:xx:xx 11v BSS Transition not enabled on the AP yy:yy:yy:yy:yy:yy
xx:xx:xx:xx:xx:xx Reassociation received from mobile on BSSID zz:zz:zz:zz:zz:zz AP XX_AP1852_03
xx:xx:xx:xx:xx:xx Station: xx:xx:xx:xx:xx:xx 11v BSS Transition not enabled on the AP yy:yy:yy:yy:yy:yy
xx:xx:xx:xx:xx:xx Global 200 Clients are allowed to AP radio

xx:xx:xx:xx:xx:xx Max Client Trap Threshold: 0 cur: 0

xx:xx:xx:xx:xx:xx Rf profile 600 Clients are allowed to AP wlan

xx:xx:xx:xx:xx:xx override for default ap group, marking intgrp NULL
xx:xx:xx:xx:xx:xx apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
xx:xx:xx:xx:xx:xx In processSsidIE:6517 setting Central switched to FALSE
xx:xx:xx:xx:xx:xx Set Clinet MSCB as Central Association Disabled
xx:xx:xx:xx:xx:xx Applying site-specific Local Bridging override for station xx:xx:xx:xx:xx:xx - vapId 1, site 'default-group', interface 'management'
xx:xx:xx:xx:xx:xx Applying Local Bridging Interface Policy for station xx:xx:xx:xx:xx:xx - vlan 0, interface id 0, interface 'management'
xx:xx:xx:xx:xx:xx Set Clinet Non AP specific WLAN apfMsAccessVlan = 20
xx:xx:xx:xx:xx:xx This apfMsAccessVlan may be changed later from AAA after L2 Auth
xx:xx:xx:xx:xx:xx Cleared localSwitchingVlan, may be assigned later based on AAA override
xx:xx:xx:xx:xx:xx processSsidIE statusCode is 0 and status is 0
xx:xx:xx:xx:xx:xx processSsidIE ssid_done_flag is 0 finish_flag is 0
xx:xx:xx:xx:xx:xx STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
xx:xx:xx:xx:xx:xx suppRates statusCode is 0 and gotSuppRatesElement is 1
RSNIE in Assoc. Req.: (38)

[0000] 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f

[0016] ac 01 3c 00 01 00 de 7d 61 eb be 2f 9d 6d f8 44

[0032] 59 a2 5e 97 1c 71

xx:xx:xx:xx:xx:xx Processing RSN IE type 48, length 38 for mobile xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx Selected Unicast cipher CCMP128 for client device
xx:xx:xx:xx:xx:xx Received 802.11i 802.1X key management suite, enabling dot1x Authentication
xx:xx:xx:xx:xx:xx RSN Capabilities: 60
xx:xx:xx:xx:xx:xx Marking Mobile as non-11w Capable
xx:xx:xx:xx:xx:xx Received RSN IE with 1 PMKIDs from mobile xx:xx:xx:xx:xx:xx
Received PMKID: (16)

[0000] de 7d 61 eb be 2f 9d 6d f8 44 59 a2 5e 97 1c 71

xx:xx:xx:xx:xx:xx Searching for PMKID in MSCB PMKID cache for mobile xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx No valid PMKID found in the MSCB PMKID cache for mobile xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx Trying to compute a PMKID from MSCB PMK cache for mobile xx:xx:xx:xx:xx:xx
CCKM: Find PMK in cache: BSSID = (6)

 

Here is the monitoring of my device (red colour is disconnecting for a few seconds):

 

 image.png

And here is wlan configuration:

 

(Cisco Controller) >show wlan 1


WLAN Identifier.................................. 1
Profile Name..................................... WIFI1
Network Name (SSID).............................. WIFI1
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
ATF Policy....................................... 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
Quality of Service............................... Silver

--More-- or (q)uit
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All

--More-- or (q)uit
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Adaptive
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled

--More-- or (q)uit
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled

--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200

--More-- or (q)uit
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Enabled

--More-- or (q)uit
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable

 

Could you please help me?

 

thanks
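
The RSN IE bytes in the debug above can be decoded by hand to confirm what the controller logged (CCMP, 802.1X, capabilities 60, one PMKID). The Python below is an added example, not part of the original posts or Cisco's code; it also goes beyond the thread to show the standard IEEE 802.11 PMKID derivation. The suite tables are a subset of the standard assignments, and the PMK and MAC addresses passed to `pmkid()` are constructed values.

```python
import hashlib
import hmac
import struct

# RSN IE body copied from the "RSNIE in Assoc. Req.: (38)" dump in the debug.
RSN_IE_HEX = (
    "01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f "
    "ac 01 3c 00 01 00 de 7d 61 eb be 2f 9d 6d f8 44 "
    "59 a2 5e 97 1c 71"
)
CIPHERS = {2: "TKIP", 4: "CCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}

def suite_name(raw, table):
    """Name a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if raw[:3] != b"\x00\x0f\xac":
        return "vendor %s:%d" % (raw[:3].hex(), raw[3])
    return table.get(raw[3], "unknown(%d)" % raw[3])

def parse_rsn_ie(body):
    """Decode the RSN IE body (the bytes after element ID 48 and length)."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN IE truncated at offset %d" % pos)
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def u16():
        return struct.unpack("<H", take(2))[0]  # fields are little-endian

    info = {"version": u16(), "group_cipher": suite_name(take(4), CIPHERS)}
    info["pairwise"] = [suite_name(take(4), CIPHERS) for _ in range(u16())]
    info["akm"] = [suite_name(take(4), AKMS) for _ in range(u16())]
    caps = u16()
    info["capabilities"] = caps
    info["mfp_required"] = bool(caps & 0x0040)  # bit 6: 802.11w required
    info["mfp_capable"] = bool(caps & 0x0080)   # bit 7: 802.11w capable
    # The PMKID list is optional; it is present only if bytes remain.
    info["pmkids"] = [take(16).hex() for _ in range(u16())] if pos < len(body) else []
    return info

def pmkid(pmk, bssid, sta):
    """PMKID for 802.1X/PSK AKMs: first 128 bits of HMAC-SHA1(PMK, "PMK Name"||AA||SPA)."""
    return hmac.new(pmk, b"PMK Name" + bssid + sta, hashlib.sha1).digest()[:16]

if __name__ == "__main__":
    print(parse_rsn_ie(bytes.fromhex(RSN_IE_HEX)))
    # Constructed values: a dummy PMK, one client MAC, two AP BSSIDs.
    pmk, sta = bytes(32), bytes.fromhex("020000000001")
    ap1, ap2 = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000a2")
    print(pmkid(pmk, ap1, sta).hex(), pmkid(pmk, ap2, sta).hex())
```

Because the BSSID is an input to the PMKID, an identifier cached for one AP does not match on another AP unless a key-caching scheme shares the PMK across APs.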

Hello,

 

FYI, the client stays in one place, but now I have found out that the client was connecting to another AP. Because of that, the connection drops. The device is in a zone where both APs have very similar signal strength.

The question is how to ensure a stable connection to one AP (I have more APs there, so all of them will have the problem), or what I should configure for fast transition from one AP to another?

Hello, 

 

do you have any idea how to solve reassociation with multivendor clients (Windows, Mac, Android) so that it happens without dropping? I found 802.11r, but if I understand it correctly, clients without support for this standard will have problems connecting.

 

 

thanks

That's one big problem. As you said, if the client does not support the feature, there's just a few things the AP can do. Roaming is a client decision, not the AP's.

 If both APs have similar signal strength, it makes this more complicated.

Try to play with the RSSI value by navigating to your WLC -> 802.11a/n or 802.11b/g/n (depending on which frequency you want to customize) -> Client Roaming. If you change to "Custom" you can change RSSI Thresholds, Hysteresis (how much above threshold), Scan Thresholds (when to start scanning) and Transition Time. This way you can try to influence the roaming process.

 A method that uses an RSSI threshold is better than those like Fast Transition, which rely on an IEEE standard that the client does not understand.

 

 Also, try to work with the latest client driver. If they support CCX4 or better, this would allow the client to be smarter and understand AP messages better.

 

 -If I helped you somehow, please, rate it as useful.-

Hi Jaroslav,

 

Although the AP coverage area needs to be optimized during the design and deployment phase, we can try to optimize this using the settings on the WLC to an extent. In this case, decreasing the AP coverage area may help.

For that, you need to disable the lower data rates for 802.11a and b/g. This way, the APs will have smaller cells with less overlap, and the client will need to have a better signal strength from an AP to join it.

In addition to that, you can also play around a bit with the hysteresis and RSSI values that Flavio has mentioned.

 

Cheers,

Manish

Hello,

 

Thanks for the answers. I'm using dual-band radios, and I don't have an option to disable only the b, g standards, and if I disable abgn, I will lose the 2.4 GHz band.

 

image.png

 

The next thing I found is Challenge Responses. Should it indicate some issue?

Radius.png

Jaroslav,

Actually you don't need to disable 802.11b/g directly or, as you said, you lose 2.4.

 It is enough to disable low data rates. If you put 12 Mbps as the mandatory data rate and the data rates above it as supported, you are automatically disabling 802.11b, whose maximum data rate is 11 Mbps.

 This is a good practice; although this will improve performance on the network, maybe it will not solve the roaming problem.

 I got good results with optimized roaming and I suggest you try it.

 

-If I helped you somehow, please, rate it as useful.-

The number of challenge responses would not be an issue in this scenario. That's something between the Radius server and the WLC.

 

In order to disable lower data rates, the easiest way is to go to the WLC GUI >> Wireless >> 802.11 b/g/n and disable the lower data rates like 1, 2, 5.5, 6, 9 and 11 Mbps. Keep 12 Mbps as mandatory and all the rest enabled. You can do the same under 802.11 a/n/ac. Disable the couple of lower rates and keep 18 Mbps as mandatory. This will shrink the cell size (coverage area) of each AP. But please keep in mind that this may also create coverage holes if there is not an adequate number of APs.

 

Cheers,

Manish

 

Hello,

 

Thanks for the answers. I found some config:

 

(Cisco Controller) >config 802.11a disable network

(Cisco Controller) >config 802.11a 11nSupport enable

(Cisco Controller) >config 802.11a rate disabled 6

(Cisco Controller) >config 802.11a rate disabled 9

(Cisco Controller) >config 802.11a rate disabled 12

(Cisco Controller) >config 802.11a rate disabled 18

(Cisco Controller) >config 802.11a rate mandatory 24

(Cisco Controller) >config 802.11a rate supported 36

(Cisco Controller) >config 802.11a rate supported 48

(Cisco Controller) >config 802.11a rate supported 54

(Cisco Controller) >config 802.11a enable network

(Cisco Controller) >config 802.11b disable network

(Cisco Controller) >config 802.11b 11gSupport enable

(Cisco Controller) >config 802.11b 11nSupport enable

(Cisco Controller) >config 802.11b rate disabled 1

(Cisco Controller) >config 802.11b rate disabled 2

(Cisco Controller) >config 802.11b rate disabled 5.5

(Cisco Controller) >config 802.11b rate disabled 11

(Cisco Controller) >config 802.11b rate disabled 6

(Cisco Controller) >config 802.11b rate disabled 9

(Cisco Controller) >config 802.11b rate supported 12

(Cisco Controller) >config 802.11b rate supported 18

(Cisco Controller) >config 802.11b rate mandatory 24

(Cisco Controller) >config 802.11b rate supported 36

(Cisco Controller) >config 802.11b rate supported 48

(Cisco Controller) >config 802.11b rate supported 54

(Cisco Controller) >config 802.11b enable network

 

 

 

Could you please help me to set it somehow?

I'm only sure about this one:

 

config 802.11b disable network

 

Thanks

 

 

Hi Jaroslav,

 

Sorry for the late response. I see that the 802.11a rates are a bit too ambitious.

I would suggest enabling 18 Mbps as well. Thus, the command "config 802.11a rate disabled 18" would change to supported.

Rather than disabling 802.11b using the command, you can just disable the data rates 1, 2, 5.5 and 11 Mbps. This will automatically deter any client from connecting with B rates.

 

Cheers,

Manish
