
Intermittent authentication problems

david.chicote
Level 1

Hi,

 

On a WLC 8510 - 8.5.171.0 - we have several clients that are sometimes unable to authenticate properly against a RADIUS server. We have multiple WLANs with 802.1x and CCKM enabled, and clients log in to the SSIDs with username and password.

 

WLAN configuration

 

WLAN Identifier.................................. xx
Profile Name..................................... xxx_name
Network Name (SSID).............................. xxx_name
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)

Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 3
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 21600 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Web Auth Captive Bypass Mode..................... None
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ if_vlan_xxx
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
Central NAT Peer-Peer Blocking................... Unknown
DHCP Address Assignment Required................. Disabled

CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ xxx.xxx.xxx.xx 1812 *
Accounting.................................... xxx.xx.x.xxx 1813 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security


802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled

SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled

flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled

 

EAP Parameters:

 

EAP-Identity-Request Timeout (seconds)........... 3
EAP-Identity-Request Max Retries................. 10
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 3
EAP-Request Max Retries.......................... 10
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
RSN Capability Validation........................ enable

 

Sometimes the client authenticates correctly, but after 30 minutes or when it roams to another AP, the authentication fails and it can't re-authenticate on the same SSID.

 

In the WLC log, we can see the following logs:

 

*Dot1x_NW_MsgTask_4: Nov 25 10:57:15.016: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 84:ad:8d:bd:a1:04 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_4: Nov 25 10:57:13.511: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:57:10.392: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:57:10.349: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client a8:91:3d:84:c1:88 may be using an incorrect PSK
*Dot1x_NW_MsgTask_6: Nov 25 10:57:04.480: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*spamApTask3: Nov 25 10:57:02.768: %CAPWAP-3-DTLS_CLOSED_ERR: [PA]capwap_ac_sm.c:7130 20:3a:07:85:45:a0: DTLS connection closed forAP 77:26:73:5 (53978), Controller: 10:35:0:78 (5246) Join Request Process Failed
*spamApTask3: Nov 25 10:57:02.768: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet
*Dot1x_NW_MsgTask_4: Nov 25 10:57:01.899: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:57:01.061: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_7: Nov 25 10:57:00.946: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*apfMsConnTask_4: Nov 25 10:57:00.885: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_7: Nov 25 10:56:57.992: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client f4:f5:db:c4:d8:8f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_4: Nov 25 10:56:57.613: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 84:ad:8d:bd:a1:04 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_2: Nov 25 10:56:57.396: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:56:56.881: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:56:52.852: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:56:52.605: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 84:ad:8d:bd:a1:04
*Dot1x_NW_MsgTask_4: Nov 25 10:56:52.593: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 84:ad:8d:bd:a1:04 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*dot1xMsgTask: Nov 25 10:56:51.362: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client e4:76:84:aa:cf:c7
*apfMsConnTask_4: Nov 25 10:56:50.499: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0

*spamApTask3: Nov 25 10:56:48.066: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 1, WLAN ID 2, count 1 from AP 00:d7:8f:8c:62:b0
*Dot1x_NW_MsgTask_2: Nov 25 10:56:45.198: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 3c:f8:62:0d:91:a2 may be using an incorrect PSK
*Dot1x_NW_MsgTask_0: Nov 25 10:56:44.762: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:56:43.763: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:56:39.144: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 58:e6:ba:05:2d:1d Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Nov 25 10:56:38.965: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:56:38.910: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_7: Nov 25 10:56:38.791: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*apfMsConnTask_4: Nov 25 10:56:38.747: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_5: Nov 25 10:56:34.137: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 58:e6:ba:05:2d:1d
*Dot1x_NW_MsgTask_5: Nov 25 10:56:34.129: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 58:e6:ba:05:2d:1d Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*haSSOServiceTask1: Nov 25 10:56:32.850: %APF_HA-3-SYNC_RETRANSMIT_FAIL: [PA]apf_ha.c:4483 Maximum retransmission exceeded for client (c0:bd:c8:d8:f2:f9 )data sync block:0x80000. Retry after 150 secs.
*Dot1x_NW_MsgTask_1: Nov 25 10:56:32.081: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:56:30.580: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client fc:18:3c:54:b5:d0 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*dot1xMsgTask: Nov 25 10:56:30.577: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client 4c:f2:02:3a:55:fe
*Dot1x_NW_MsgTask_4: Nov 25 10:56:29.086: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:56:26.829: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_2: Nov 25 10:56:26.651: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:56:26.623: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:56:23.714: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*dot1xMsgTask: Nov 25 10:56:23.373: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client ea:c0:b0:de:e5:9e
*Dot1x_NW_MsgTask_2: Nov 25 10:56:19.334: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_7: Nov 25 10:56:18.845: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client b2:4e:26:af:fd:d7 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02

*Dot1x_NW_MsgTask_5: Nov 25 10:56:18.425: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 4a:91:f0:e6:d9:15 may be using an incorrect PSK
*dot1xMsgTask: Nov 25 10:56:17.395: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client 5a:84:0e:bc:f2:ee
*apfMsConnTask_4: Nov 25 10:56:15.766: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_1: Nov 25 10:56:15.079: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:56:14.242: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*dot1xMsgTask: Nov 25 10:56:10.591: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client 04:f1:28:75:70:cc
*spamApTask1: Nov 25 10:56:07.214: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 2, count 3 from AP 58:97:bd:08:0c:f0
*Dot1x_NW_MsgTask_1: Nov 25 10:56:05.518: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:56:04.651: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*spamApTask5: Nov 25 10:56:01.729: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 1, WLAN ID 4, count 1 from AP d8:b1:90:f2:95:d0
*dot1xMsgTask: Nov 25 10:56:00.695: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client a0:57:e3:90:7d:6b
*Dot1x_NW_MsgTask_3: Nov 25 10:55:58.095: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:55:57.208: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:55:54.110: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_3: Nov 25 10:55:50.535: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*spamApTask7: Nov 25 10:55:49.009: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 1, WLAN ID 6, count 106 from AP d8:b1:90:d3:cb:60
*Dot1x_NW_MsgTask_1: Nov 25 10:55:48.232: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*spamApTask3: Nov 25 10:55:48.000: %CAPWAP-3-DTLS_CLOSED_ERR: [PA]capwap_ac_sm.c:7130 20:3a:07:85:45:a0: DTLS connection closed forAP 77:26:73:5 (53978), Controller: 10:35:0:78 (5246) Join Request Process Failed
*spamApTask3: Nov 25 10:55:48.000: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet
*Dot1x_NW_MsgTask_7: Nov 25 10:55:47.005: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:55:46.699: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client e4:a7:c5:ad:98:43
*Dot1x_NW_MsgTask_2: Nov 25 10:55:46.453: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:55:45.552: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

*apfMsConnTask_4: Nov 25 10:55:42.722: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*spamApTask6: Nov 25 10:55:42.060: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 3, count 10 from AP 00:fe:c8:2d:97:20
*spamApTask6: Nov 25 10:55:39.114: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 1, count 6 from AP cc:46:d6:ea:27:70
*Dot1x_NW_MsgTask_5: Nov 25 10:55:37.590: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*spamApTask5: Nov 25 10:55:35.526: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 0, count 1 from AP 58:97:bd:80:8e:40
*Dot1x_NW_MsgTask_7: Nov 25 10:55:33.778: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:55:32.581: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:55:32.572: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_3: Nov 25 10:55:31.490: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_1: Nov 25 10:55:30.963: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:55:30.646: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_0: Nov 25 10:55:28.039: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 2c:33:61:88:82:58
*Dot1x_NW_MsgTask_0: Nov 25 10:55:28.031: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 2c:33:61:88:82:58 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*apfMsConnTask_4: Nov 25 10:55:20.418: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_2: Nov 25 10:55:18.754: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 3c:f8:62:0d:91:a2 may be using an incorrect PSK
*Dot1x_NW_MsgTask_5: Nov 25 10:55:18.304: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:55:18.295: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_1: Nov 25 10:55:14.132: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:55:13.283: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_0: Nov 25 10:55:12.492: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 52:9a:3a:c2:b6:68 - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_0: Nov 25 10:55:12.492: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 52:9a:3a:c2:b6:68 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_0: Nov 25 10:55:10.928: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 62:68:20:d1:0f:a8 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*spamApTask4: Nov 25 10:55:10.876: %LWAPP-3-VENDOR_PLD_VALIDATE_ERR: [PA]spam_lrad.c:12016 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD(185) with length=9 failed - AP 5c:83:8f:f3:7b:90

*Dot1x_NW_MsgTask_4: Nov 25 10:55:08.590: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:55:08.394: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_5: Nov 25 10:55:08.275: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:55:08.268: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*dot1xMsgTask: Nov 25 10:55:06.772: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client be:ea:df:16:61:3f
*Dot1x_NW_MsgTask_4: Nov 25 10:55:06.234: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:55:02.098: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:55:00.126: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:54:57.943: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:54:57.293: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_5: Nov 25 10:54:51.970: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_2: Nov 25 10:54:48.331: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:54:48.129: %DOT1X-3-INVALID_WPA_KEY_STATE: [PA]1x_eapkey.c:2909 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client e2:19:6c:7c:91:be
*Dot1x_NW_MsgTask_5: Nov 25 10:54:46.842: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:54:46.833: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_0: Nov 25 10:54:46.718: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:54:46.143: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client e0:aa:96:cf:1e:88 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfMsConnTask_4: Nov 25 10:54:43.124: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*apfMsConnTask_4: Nov 25 10:54:42.169: %APF-3-PREAUTH_FAILURE: [PA]apf_80211.c:14799 There is no PMK cache entry for clientfa:8d:29:c8:f7:d7. Can't do preauth
*dot1xMsgTask: Nov 25 10:54:39.210: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client b4:86:55:62:48:16
*Dot1x_NW_MsgTask_5: Nov 25 10:54:39.009: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client c2:af:b7:6c:c1:d5 may be using an incorrect PSK
*Dot1x_NW_MsgTask_4: Nov 25 10:54:36.330: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:54:35.265: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

*spamApTask2: Nov 25 10:54:33.741: %CAPWAP-3-DTLS_CLOSED_ERR: [PA]capwap_ac_sm.c:7130 5c:83:8f:f3:7b:90: DTLS connection closed forAP 85:152:137:39 (54443), Controller: 10:35:0:78 (5246) AP Message Timeout
*spamApTask2: Nov 25 10:54:33.741: %CAPWAP-3-MAX_RETRANSMISSIONS_REACHED: [PA]capwap_ac_sm.c:7677 Max retransmissions reached on AP(5c:83:8f:f3:7b:90),message (CAPWAP_CONFIGURATION_UPDATE_REQUEST
),number of pending messages(2)
*spamApTask3: Nov 25 10:54:33.232: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet
*apfMsConnTask_4: Nov 25 10:54:32.158: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_2: Nov 25 10:54:29.891: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client ae:07:de:6a:f1:0a - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*haSSOServiceTask1: Nov 25 10:54:26.610: %APF_HA-3-SYNC_RETRANSMIT_FAIL: [PA]apf_ha.c:4483 Maximum retransmission exceeded for client (c0:bd:c8:d8:f2:f9 )data sync block:0x80000. Retry after 120 secs.
*Dot1x_NW_MsgTask_0: Nov 25 10:54:24.267: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:54:20.981: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_0: Nov 25 10:54:12.823: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client a8:91:3d:84:c1:88 may be using an incorrect PSK
*apfMsConnTask_4: Nov 25 10:54:09.897: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_4: Nov 25 10:54:07.948: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:54:04.784: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:54:04.131: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:53:59.774: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_7: Nov 25 10:53:58.610: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_2: Nov 25 10:53:56.499: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client fa:1b:24:3d:5f:f2 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_0: Nov 25 10:53:55.996: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*dot1xMsgTask: Nov 25 10:53:55.417: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client e6:93:e8:fa:a3:55
*Dot1x_NW_MsgTask_2: Nov 25 10:53:54.961: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_2: Nov 25 10:53:53.979: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 3c:f8:62:0d:91:a2 may be using an incorrect PSK
*Dot1x_NW_MsgTask_2: Nov 25 10:53:53.891: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 58:20:59:8e:73:5a - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_5: Nov 25 10:53:53.568: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 4a:91:f0:e6:d9:15 may be using an incorrect PSK

*Dot1x_NW_MsgTask_0: Nov 25 10:53:52.212: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_7: Nov 25 10:53:50.694: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:53:50.419: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:53:48.957: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_4: Nov 25 10:53:44.727: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:53:43.203: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

 

I have to say that this is a large deployment where the WLC and APs are not in the same city and I think the issue could be due to congestion regarding these events:

 

*Dot1x_NW_MsgTask_3: Nov 25 16:31:32.312: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

 

Does anyone know the reason for these logs?

 

The following link does not help to find the root cause:

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/message/guide/sysmsg76/dot1d_dot1q_dot1x_dot3ad_msgs8.html

 

Regards

6 Replies

david.chicote
Level 1

Hi,

 

Does anyone know the reason for these events?

 

*Dot1x_NW_MsgTask_3: Nov 25 16:31:32.312: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

 Regards

I would recommend disabling Aironet IE extensions first; that is more or less unneeded today.

 

Then you seem to have unsupported APs in your environment: 

*spamApTask3: Nov 25 10:54:33.232: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet

Could it be that you have more than one WLC in use here with different software versions and the problems happen when they try to roam from one WLC to another?

There are also a few firmware updates out which fix some specific authentication issues with one specific AP series, see: https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr8.html#resolved-caveats

 

Hi,

 

We will test it by disabling that feature.

 

We know about the issue that there are APs that are not supported, but this is not the issue we are facing.

 

I have been reading the bugs you sent me, but I cannot relate them to the following event:

 

*Dot1x_NW_MsgTask_2: Nov 25 10:53:54.961: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

 

 

It's more related to the question of whether you have multiple WLCs in use, maybe with different software releases.

We only have one WLC. Some APs may not be supported because, a few weeks ago, we upgraded the WLC to 8.5.171, the Cisco-recommended version for the 8510 platform. We have to disconnect these unsupported APs.

 

Thanks for your reply

Ok, so the roaming / authentication fails within the WLC. That does remove one possible error source.
I found this document regarding the error:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/message/guide/sysmsg76/dot1d_dot1q_dot1x_dot3ad_msgs8.html
As this is a fairly rare message, I suggest opening a TAC case for this.
Could you create a debug of one of the affected clients with "debug client macaddressofclient"? Then we can parse it with https://cway.cisco.com/wireless-debug-analyzer/
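One way to choose which client to run `debug client` against, as an added example that is not part of the thread: it parses msglog lines like those posted above, counts events per message, and ranks client MACs. The function names, and the rule that a MAC in a DOT1X or APF line is the client's, are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied unmodified from the msglog excerpt posted in the thread (subset).
SAMPLE = """\
*dot1xMsgTask: Nov 25 10:53:55.417: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client e6:93:e8:fa:a3:55
*Dot1x_NW_MsgTask_2: Nov 25 10:53:54.961: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_2: Nov 25 10:53:53.979: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 3c:f8:62:0d:91:a2 may be using an incorrect PSK
*Dot1x_NW_MsgTask_2: Nov 25 10:53:53.891: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 58:20:59:8e:73:5a - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*apfMsConnTask_4: Nov 25 10:53:59.774: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*apfMsConnTask_4: Nov 25 10:53:48.957: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_4: Nov 25 10:53:44.727: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*spamApTask3: Nov 25 10:54:33.232: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet
"""

LINE = re.compile(r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): "
                  r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<text>.*)$")
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
CLIENT_FACILITIES = {"DOT1X", "APF", "APF_HA"}  # assumption: MACs in these lines are clients

def parse(text):
    """Return one dict per recognised msglog line; pager prompts and blanks are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        mac = MAC.search(rec["text"]) if rec["fac"] in CLIENT_FACILITIES else None
        rec["client"] = mac.group(0).lower() if mac else None
        out.append(rec)
    return out

def by_message(records):
    """Count events per FACILITY-MNEMONIC."""
    return Counter(f"{r['fac']}-{r['mnem']}" for r in records)

def unattributed(records):
    """Client-side messages that carry no MAC, so msglog alone cannot name the client."""
    return Counter(r["mnem"] for r in records
                   if r["fac"] in CLIENT_FACILITIES and r["client"] is None)

def debug_candidates(records, top=3):
    """Client MACs ranked by event count: candidates for 'debug client <mac>'."""
    return Counter(r["client"] for r in records if r["client"]).most_common(top)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(by_message(recs), unattributed(recs), debug_candidates(recs), sep="\n")
```

On the sample, both AUTHKEY_TX_TRANS_ERR lines come back as unattributed because that message carries no client MAC, so tying it to a client needs a per-client debug taken in the same time window.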