Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2881
Views
0
Helpful
6
Replies

%DOT1X-3-INVALID_WPA_KEY_MSG_STATE ... iphone network failure inquiry

Go to solution
inb
Level 1
Level 1

‎05-27-2020 01:43 AM - edited ‎07-05-2021 12:06 PM

I have 300 ap on wlc 5520.
Some clients (only iPhones) are disconnected at unspecified times.
I did the analysis and the log below was checked.
% DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c: 1547 Received invalid EAPOL-key M2 msg in START state-invalid RSN IE; KeyLen 22, Key type 1, client aa: bb: cc: dd: ee: ff
In the log above, all mac addresses were confirmed as apple mac.
I did a community and bug search.
I tried applying all the methods I found in relation to this, but it did not resolve.

Only wpa2 / aes is set in wlan and there is no authentication server.
Both ft and pmf are not used for wlan.
I tried changing the value of EAP-Broadcast Key Interval to 86400, but the result was the same.
os version is 8.5.151 and ap is 1815, 1832.

We do not use a separate authentication server, do we need to see the EAP settings?
Where should I solve the problem?
I sincerely ask for your help from the community cisco.

thank you.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
patoberli
VIP Alumni
VIP Alumni
In response to inb

‎05-29-2020 04:27 AM

There are some issues in the firmware you currently use, which might show this issue.
For this reason I suggest to upgrade to 8.5.161.0.
Release notes with the fixed bugs:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr6.html#resolved-caveats_85mr6

View solution in original post

0 Helpful
6 Replies 6

Go to solution
pieterh
VIP
VIP

‎05-27-2020 07:17 AM

there are posts that pint to a bug in version 8.3

read this post that suggests the client driver or an intruder

it could just be the client prefers to connect using DOT1x first, and reverts to PSK second.

(wild idea: does these clients use the same SSID name elsewhere with DOT1x enabled?)

remove the wlan config from the client device and after some minutes re-add.

0 Helpful

Go to solution
inb
Level 1
Level 1
In response to pieterh

‎05-27-2020 07:04 PM - edited ‎05-27-2020 07:13 PM

We are using WPA2 AES (PSK) only for WLAN.
I do not use an authentication server and local EAP.
However, EAP related logs are generated. Is this normal operation?
I tried adjusting the EAP Timer, but the result is the same.

802.1x is not used.

There is no SSID of the same name using the authentication server.

0 Helpful

Go to solution
pieterh
VIP
VIP
In response to inb

‎05-27-2020 11:06 PM - edited ‎05-27-2020 11:07 PM

normally people take their phone everywhere, also outside your company.
and not only company phones are within reach of your wifi-network!

there will be guests and strangers passing past the office.

 

my suggestion is that some phone at some time outside your network, connected to a SSID with the same name.
and now comes within reach of your network and tries to authenticate using credentials configured for "the other network".
which of course fail..... and that is normal behaviour to show up in your logs.

0 Helpful

Go to solution
inb
Level 1
Level 1
In response to pieterh

‎05-28-2020 05:01 AM - edited ‎05-28-2020 05:08 AM

I don't think that's the problem.
I have a test AP in an enclosed space.
(2.4Ghz and 5Ghz signal absolutely free space)
I was connected to the WLAN in the latest OS of iPhone 11 pro.
If you repeatedly go out of sleep mode several times, communication with the outside is not possible even when connected to WLAN.
The condition of the iPhone's Wi-Fi antenna is full.
It does not occur on Android, MacBook, and laptops.
It only happens on the iphone.
5 ~ 6 years ago, there was a case where the iPhone could not communicate due to a similar problem.
At that time, IOS update or WLC OS update has been solved.
I'm not sure if this is the same problem again.
This time, a special log occurred in WLC.
I don't know what the cause is.

 

I understand your suggestion.
It is a university wireless network and there are only 200 people due to corona.
20 iphone clients a day have the same problem.
It seemed to have been resolved by going through a WLC OS update with a similar issue in early 2019, but it is said that it has recently begun to reappear.
When there are many people, I usually use up to 3000 people.
At this time, it is expected that 300 problems will occur simply by calculating.

This is a very big problem.

Thank you very much for your answer.

 

0 Helpful

Go to solution
patoberli
VIP Alumni
VIP Alumni
In response to inb

‎05-29-2020 04:27 AM

There are some issues in the firmware you currently use, which might show this issue.
For this reason I suggest to upgrade to 8.5.161.0.
Release notes with the fixed bugs:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr6.html#resolved-caveats_85mr6
0 Helpful

Go to solution
inb
Level 1
Level 1
In response to patoberli

‎06-14-2020 07:40 PM

Eventually, it was confirmed to be an OS problem.
Thanks to everyone who helped. :D

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card