Your logs show that there is

khem thapa · ‎03-11-2016

Hi All,

All the APs are registered in WLC5500 controller, users started to complained that there is a drop out and lose connectivity when he move around within the AP range. i have logged one of the AP and found below logs.

12:16:39.295: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 6c88.14a5.aee8
*Mar 10 12:29:52.655: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 6067.20cc.3034
*Mar 10 13:03:26.259: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 843a.4b3e.55b0
*Mar 10 13:25:27.831: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:5 Channel:6 Source MAC:8c64.2230.18d6
*Mar 10 13:25:28.843: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:5 Channel:6 Source MAC:8c64.2230.18d6
*Mar 10 13:45:27.343: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:5 Channel:6
*Mar 10 13:45:28.355: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:5 Channel:6
*Mar 10 14:00:21.307: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth acfd.ce15.a6b2capwap_central_auth_info_add_mn: Invalid client mac address 28e1.4c9b.2f2e

*Mar 10 15:42:03.807: %DOT11-4-CCMP_REPLAY: Client acfd.ce0a.e362 had 1 AES-CCMP TSC replays
*Mar 10 15:47:48.183: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 4c34.88d0.8d42
*Mar 10 15:51:53.587: %DOT11-4-CCMP_REPLAY: Client acfd.ce0a.e362 had 1 AES-CCMP TSC replays
*Mar 10 16:02:49.803: %DOT11-4-CCMP_REPLAY: Client acfd.ce0a.e362 had 1 AES-CCMP TSC replays
*Mar 10 16:31:06.767: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 6067.20cc.3034
*Mar 10 16:33:53.939: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth a44e.31b5.ed20
*Mar 10 17:25:01.183: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 6067.20c9.d81a
*Mar 11 08:13:04.511: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 843a.4b3d.a148
*Mar 11 09:12:39.559: %DOT11-4-CCMP_REPLAY: Client acfd.ce15.a6b2 had 1 AES-CCMP TSC replays
*Mar 11 09:30:10.559: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 843a.4b3e.55b0
*Mar 11 09:57:14.175: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth acfd.ce15.efe1
*Mar 11 10:59:00.003: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 8019.3432.1cd4
*Mar 11 11:14:01.075: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth f816.5422.010a
*Mar 11 11:31:26.771: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 843a.4b3e.55b0
*Mar 11 11:54:53.395: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth a44e.31b5.ed20
*Mar 11 12:13:41.279: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth f816.5422.010a
*Mar 11 12:26:31.175: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth 4c34.88d0.8d42
*Mar 11 12:43:33.999: %DOT11-4-FLUSH_DEAUTH: Consecutive tx fail 500+: deauth acfd.ce0a.a564

Can anyone suggest or guide what is the meaning of the above log?

Regards.

Khem

Freerk Terpstra · ‎03-27-2016

Which software version are you running on the controller? I recommend to run at least 8.0.121.0 with FUS 1.9. If you have to upgrade the FUS plan at least a window of one hour for the upgrade because the FUS will take at least 35 min with no access to the controller.

If after the upgrade there are still problems provide us with the output of a "debug client MAC" while the client is roaming.

Please rate useful posts... 🙂

Leo Laohoo · ‎03-27-2016

Death flood.

mohanak · ‎03-28-2016

Your logs show that there is some kind of attacks happened. All the APs are getting same error?. Do you have rogue APs around?

Issue with AP