m2 key getting failed

Anjana A · ‎03-06-2023

Hello Wireless team,

One user printer which is connecting to the ssid which on PSK and user authentication getting failed.

Pls suggest what can be on this .

wlc 9800

ios:17.09.02

wlan: [WPA2][PSK][AES],MAC Filtering

AP-mode:flex

[client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue EAP key M1 Sent successfully
2023/03/06 07:25:08.622349625 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue Client key-mgmt state transition: S_INITPMK -> S_PTK_START
2023/03/06 07:25:09.622355990 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue Keymgmt: resend eapol key m1. Retrasmitting EAP key packet M1
2023/03/06 07:25:09.622520614 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue Client key-mgmt state transition: S_PTK_START -> S_PTK_START
2023/03/06 07:25:10.622950339 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue Keymgmt: resend eapol key m1. Retrasmitting EAP key packet M1
2023/03/06 07:25:10.623051662 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue Client key-mgmt state transition: S_PTK_START -> S_PTK_START
2023/03/06 07:25:11.623066195 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (ERR): MAC: 8425.3f92.buue Keymgmt: Failed to eapol key m1 retransmit failure. Max retries for M1 over
2023/03/06 07:25:11.623070111 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue Keymgmt: eapol key failure. Sending client key exchange failure to auth fsm,reason code: 15
2023/03/06 07:25:11.623131372 {wncd_x_R0-1}{1}: [client-keymgmt] [17074]: (info): MAC: 8425.3f92.buue Client key-mgmt state transition: S_PTK_START -> S_KEYMGMT_CLIENT_DELETE
2023/03/06 07:25:11.623234509 {wncd_x_R0-1}{1}: [client-auth] [17074]: (info): MAC: 8425.3f92.buue Client auth-interface state transition: S_AUTHIF_PSK_AUTH_KEY_XCHNG_PENDING -> S_WAIT_FOR_CO_DELETE
2023/03/06 07:25:11.623297591 {wncd_x_R0-1}{1}: [client-orch-sm] [17074]: (info): MAC: 8425.3f92.buue Deleting the client, reason: 15, CO_CLIENT_DELETE_REASON_KEY_XCHNG_TIMEOUT, Client state S_CO_L2_AUTH_IN_PROGRESS
2023/03/06 07:25:11.623319035 {wncd_x_R0-1}{1}: [client-orch-sm] [17074]: (note): MAC: 8425.3f92.buue Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_KEY_XCHNG_TIMEOUT, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|05|0f|07|15|1e|27|
2023/03/06 07:25:11.623409431 {wncd_x_R0-1}{1}: [client-orch-sm] [17074]: (note): MAC: 8425.3f92.buue Delete mobile payload sent for BSSID: 9cd5.7da2.b005 WTP mac: 9cd5.7da2.b000 slot id: 0
2023/03/06 07:25:11.623415418 {wncd_x_R0-1}{1}: [client-orch-state] [17074]: (note): MAC: 8425.3f92.buue Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/03/06 07:25:11.623566888 {wncd_x_R0-1}{1}: [ewlc-qos-voice] [17074]: (info): MAC: 8425.3f92.buue Successfully freed the bw for sip client
2023/03/06 07:25:11.623626133 {wncd_x_R0-1}{1}: [multicast-main] [17074]: (info): MAC: 8425.3f92.buue No Flex/Fabric main record exists for client

Anjana

Mark Elsen · ‎03-06-2023

- Have some more elaborated client debugging using these instructions : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , you can have client debugs analyzed with : https://cway.cisco.com/wireless-debug-analyzer/ . Also review the 9800 configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Rich R · ‎03-06-2023

Make sure the printer firmware is fully up to date. Note that some older printers do not support WPA2. I have an old HP Laserjet 1022NW (still going strong) which claimed when I bought it to support WPA2 but after a long case with HP support they admitted it only supports WPA1 so it's now connected by ethernet cable. There are numerous faulty firmware and drivers out there which don't work with newer WiFi features even including WiFi 6 (802.11ax) so you can try disabling newer options on the WLAN to work out which one the client can't handle then take it up with the printer manufacturer.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390