DNA Center, wireless clients show Broadcast rekey failed messages

Philip Bosman · ‎10-06-2022

Hi, we are fairly new started with DNA Center and have been using Prime Infrastructure in parallel. What we see in DNA Center version 2.3.3.6 on 5520 WLC using 8.10.171 with 9120 APs that clients show broadcast rekey failed, we are using a WPA2 PSK but als WPA2 802.1X SSIDs. Some clients seem to show this almost every hour repeatedly, but same type of clients in the same environment only show every now and then these messages. There are multiple type of clients that show these messages where the clients don't report issues. It seems to be a cosmetic issue.

Over time the red dots in the graph represent the rekey failed messages.

I cannot find any reports or additional information what this actually is so we created a case with our supplier to investigate, any other experience someone ?

JPavonM · ‎10-06-2022

I've been suffering these kind of EAP/EAPOL timeouts with some Mediatek chipsets MT7920/7921 using different driver versions (not seen on Intel), and the only way I've managed to stop from users complaining aboud disconnection (due to rekeying and M5-key timeouts) was to incrase EAP timeout manually on the C9800 with this command. This way, a rekey does not happen during business hours, unless a device keeps connected to the network for a whole day.

wireless security dot1x group-key interval 54000

Rich R · ‎10-06-2022

@JPavonM that looks like an IOS-XE command for 9800 but Philip says he's using AireOS 8.10.171.0 on 5520?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

JPavonM · ‎10-06-2022

Sorry, as @Rich R mentioned that was for IOS-XE, this is for AireOS:

config advanced eap bcast-key-interval 54000

pbosman · ‎11-01-2022

This would mean the failed message would occur on the regular rekey interval. Don't know if i mentionded that the client stays connected by theway. The thing is I upgraded one of these devices with a new firmware, and I don't see them anymore on that device.

JPavonM · ‎11-02-2022

That's correct, this kind of issues happen on the client side so upgrading drivers/firmware is always the best way.