DNA Center, wireless clients show Broadcast rekey failed messages

Philip Bosman · ‎10-06-2022

Hi, we are fairly new started with DNA Center and have been using Prime Infrastructure in parallel. What we see in DNA Center version 2.3.3.6 on 5520 WLC using 8.10.171 with 9120 APs that clients show broadcast rekey failed, we are using a WPA2 PSK but als WPA2 802.1X SSIDs. Some clients seem to show this almost every hour repeatedly, but same type of clients in the same environment only show every now and then these messages. There are multiple type of clients that show these messages where the clients don't report issues. It seems to be a cosmetic issue.

Over time the red dots in the graph represent the rekey failed messages.

I cannot find any reports or additional information what this actually is so we created a case with our supplier to investigate, any other experience someone ?

JPavonM · ‎10-06-2022

I've been suffering these kind of EAP/EAPOL timeouts with some Mediatek chipsets MT7920/7921 using different driver versions (not seen on Intel), and the only way I've managed to stop from users complaining aboud disconnection (due to rekeying and M5-key timeouts) was to incrase EAP timeout manually on the C9800 with this command. This way, a rekey does not happen during business hours, unless a device keeps connected to the network for a whole day.

wireless security dot1x group-key interval 54000

Rich R · ‎10-06-2022

@JPavonM that looks like an IOS-XE command for 9800 but Philip says he's using AireOS 8.10.171.0 on 5520?

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's   and   Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     after 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.185.3 and latest 9800 IOS-XE releases
     also fixed in 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that Mobility Express AP TFTP download is not affected so ME 8.5.182.0 still works but see FN-74035 below
Field Notice: FN-70479 Out-Of-The-Box AP Fails to Join WLC or Joins with Single Radio due to Country Mismatch - RMA required
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN-74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
     fixed in 8.10.185.3 and see the field notice for 8.5, Mobility Express and other fixed releases
Check your WLC config with Wireless Config Analyzer using "show tech wireless" output (9800) or "config paging disable" then "show run-config" output (AireOS) and use Wireless Debug Analyzer to analyze your WLC client debugs
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs

JPavonM · ‎10-06-2022

Sorry, as @Rich R mentioned that was for IOS-XE, this is for AireOS:

config advanced eap bcast-key-interval 54000

pbosman · ‎11-01-2022

This would mean the failed message would occur on the regular rekey interval. Don't know if i mentionded that the client stays connected by theway. The thing is I upgraded one of these devices with a new firmware, and I don't see them anymore on that device.

JPavonM · ‎11-02-2022

That's correct, this kind of issues happen on the client side so upgrading drivers/firmware is always the best way.