03-25-2014 01:07 PM - edited 07-05-2021 12:32 AM
I have been seeing lots of this message in the WLC log.
All of them refer to mobile phones.
*dot1xMsgTask: Mar 25 16:57:27.787: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 8c:00:6d:5c:4e:35
Is a specific configuration necessary for mobile phones?
03-26-2014 12:39 PM
The M1 and M5 are exchange messages of the handshake messages.
The purpose of these messages is to generate the PMK of the client; the client and the WLC exchange some messages to generate this key, and M1 and M5 are among these messages.
From a technical perspective there is no difference, as we can't do or change anything in these messages, since these messages are a standard.
03-25-2014 01:11 PM
Can you share: show WLAN <id>
03-25-2014 01:22 PM
In fact I do not have a specific WLAN for mobile phones.
I have a WLAN where all Wi-Fi clients can log in.
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... impa-nwl
Network Name (SSID).............................. impa-nwl
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 105
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ wifi-clients
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
03-25-2014 01:25 PM
OK, the configuration of this WLAN is not recommended; use either WPA+TKIP or WPA2+AES.
Using a combination of WPA, WPA2, TKIP and AES may cause confusion for some clients.
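Added example, not part of the original thread: a small Python check that reads the Security lines of the `show wlan 1` output posted above and tests them against the two combinations named in this reply. The function names are made up for the example, and the parser assumes the flattened layout (no indentation) seen on this page.

```python
import re

# Excerpt of the Security lines from the `show wlan 1` output posted in this
# thread, flattened (no indentation) the same way it appears on the page.
SHOW_WLAN = """\
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
"""

KV_RE = re.compile(r"^\s*(.+?)\.{2,}\s*(\S+)\s*$")

def enabled_pairs(text):
    """Return the set of enabled (version, cipher) pairs, e.g. ('WPA2', 'AES')."""
    pairs, version = set(), None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:                      # a heading ends the current WPA/WPA2 block
            version = None
            continue
        key, on = m.group(1), m.group(2) == "Enabled"
        head = re.match(r"(WPA2?) \(", key)
        if head:                       # "WPA (SSN IE)" or "WPA2 (RSN IE)"
            version = head.group(1) if on else None
        elif key.endswith(" Cipher"):
            if version and on:         # ciphers under a disabled version are ignored
                pairs.add((version, key.split()[0]))
        else:
            version = None
    return pairs

def follows_advice(pairs):
    """True only for the two combinations recommended in the reply above."""
    return pairs in ({("WPA", "TKIP")}, {("WPA2", "AES")})

if __name__ == "__main__":
    pairs = enabled_pairs(SHOW_WLAN)
    print(sorted(pairs), "->", "single mode" if follows_advice(pairs) else "mixed mode")
```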
03-25-2014 01:47 PM
Is this the cause of the message?
03-25-2014 01:52 PM
This is most probably the cause of this message, as this message indicates that the M1 message of the EAPOL-key message exchange is not received by the client, as the client is not replying to these messages. The EAPOL messages are the 4-way handshake of the WPA/WPA2 key management.
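Added example, not part of the original thread: a Python triage script for the %DOT1X-3-MAX_EAPOL_KEY_RETRANS lines discussed here. It counts which handshake message timed out for each client and groups the failures by OUI, which helps test the observation that all affected clients are mobile phones. Apart from the first log line, the sample input is constructed, and the function names are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first line is the one quoted in the thread; the other
# MAC addresses, timestamps and the unrelated line are made up for illustration.
SAMPLE_LOG = """\
*dot1xMsgTask: Mar 25 16:57:27.787: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 8c:00:6d:5c:4e:35
*dot1xMsgTask: Mar 25 16:59:02.114: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 8c:00:6d:5c:4e:35
*dot1xMsgTask: Mar 25 17:01:40.530: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M3 retransmissions exceeded for client 8c:00:6d:11:22:33
*dot1xMsgTask: Mar 25 17:03:12.006: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M5 retransmissions exceeded for client 02:00:00:aa:bb:cc
*exampleTask: Mar 25 17:04:00.000: unrelated constructed line
"""

LINE_RE = re.compile(
    r"%DOT1X-3-MAX_EAPOL_KEY_RETRANS: \S+ Max EAPOL-key (M\d) "
    r"retransmissions exceeded for client ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def failures_by_client(log_text):
    """Map client MAC -> Counter of the handshake message that timed out."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_client[m.group(2).lower()][m.group(1).upper()] += 1
    return dict(per_client)

def failures_by_oui(per_client):
    """Total failures per OUI (first three octets of the MAC)."""
    totals = Counter()
    for mac, messages in per_client.items():
        totals[mac[:8]] += sum(messages.values())
    return totals

def repeat_clients(per_client, minimum=2):
    """Clients that hit the retransmission limit at least `minimum` times."""
    return sorted(mac for mac, msgs in per_client.items()
                  if sum(msgs.values()) >= minimum)

if __name__ == "__main__":
    clients = failures_by_client(SAMPLE_LOG)
    for mac, msgs in sorted(clients.items()):
        print(mac, dict(msgs))
    print("per OUI:", failures_by_oui(clients).most_common())
    print("repeat clients:", repeat_clients(clients))
```

Clients that use randomized (locally administered) MAC addresses will not group usefully by OUI.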
03-25-2014 02:02 PM
Tks
03-25-2014 02:05 PM
welcome
03-26-2014 01:21 PM
After enabling only WPA + AES I still have
%DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M3
%DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M5
Do I have to enable WPA2 + AES too? Both of them?
I thought those messages would disappear after the WPA + AES (only) reconfiguration.
03-26-2014 01:36 PM
Hi
Your error is occurring because:
the client is not responding to the WPA M1 to M4 handshake.
1>> Check the client settings
2>> Upgrade the client driver to the latest and see if that helps.
Regards
03-26-2014 02:26 PM
I will.
Tks
03-05-2015 09:01 PM
Hi,
I am facing the same issue, but after I changed to another AP the issue was solved.
The same client with the new AP is fine.
Could you share an idea for another solution?
Thanks
03-26-2014 01:47 PM
What is the software version of the WLC?
Also, if you can, share: >show advanced eap
03-26-2014 02:03 PM
for all 3 controllers: Software Version 7.0.235.0
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 4
EAP-Broadcast Key Interval....................... 3600
(Cisco Controller) >logout
(Cisco Controller)
User: ******
Password:********
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
(Cisco Controller) >logout
User:********
Password:********
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 4
EAP-Broadcast Key Interval....................... 3600
(Cisco Controller) >logout
for all 3 controllers
(Cisco Controller) >show advanced timers
Authentication Response Timeout (seconds)........ 60
Rogue Entry Timeout (seconds).................... 1200
AP Heart Beat Timeout (seconds).................. 30
AP Discovery Timeout (seconds)................... 10
AP Local mode Fast Heartbeat (seconds)........... disable
AP Hreap mode Fast Heartbeat (seconds)........... disable
AP Primary Discovery Timeout (seconds)........... 3600
AP Primed Discovery Timeout (seconds)............ 0
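Added example, not part of the original thread: a Python drift check over the three `show advanced eap` outputs posted above, reporting any setting that is not identical on every controller. The labels wlc-1 to wlc-3 are made up and assume the outputs were pasted in controller order; only the four request and EAPOL-Key lines are embedded.

```python
import re
from collections import Counter

# Lines copied from the three `show advanced eap` outputs in the post above;
# the controller labels are hypothetical and follow the order of the post.
OUTPUTS = {
    "wlc-1": """\
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 4
""",
    "wlc-2": """\
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
""",
    "wlc-3": """\
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 4
""",
}

KV_RE = re.compile(r"^\s*(.+?)\.{2,}\s*(.+?)\s*$")

def parse_show(text):
    """Parse 'Key....... value' CLI lines into a dict; prompts and blanks are skipped."""
    return {m.group(1): m.group(2)
            for m in map(KV_RE.match, text.splitlines()) if m}

def drift(outputs):
    """Return {setting: {controller: value}} for settings that differ anywhere."""
    parsed = {name: parse_show(text) for name, text in outputs.items()}
    report = {}
    for key in sorted(set().union(*parsed.values())):
        values = {name: cfg.get(key, "<missing>") for name, cfg in parsed.items()}
        if len(set(values.values())) > 1:
            report[key] = values
    return report

def outliers(report):
    """For each drifting setting, the controllers that differ from the majority value."""
    result = {}
    for key, values in report.items():
        common = Counter(values.values()).most_common(1)[0][0]
        result[key] = sorted(n for n, v in values.items() if v != common)
    return result
```

On the values posted in the thread, `outliers(drift(OUTPUTS))` points at the second output for both EAPOL-Key settings.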
03-26-2014 02:09 PM
Are these messages seen on all controllers?