cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21132
Views
15
Helpful
44
Replies

MFP Anomaly Detected

Alejandro.Angon
Level 1
Level 1

Hi,

I have seen this messege log on WLC 5508 running 7.5 code, but I haven´t found any information about it, I will be gratful if any body know what it means

thanks

MFP Anomaly Detected - 3 Not encrypted event(s) found as violated by the radio XX:XX:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP XX:XX:XX:XX:XX:XX in 300 seconds when observing Disassoc, Deauth. Client's last source mac XX:XX:XX:XX:XX:XX

1 Accepted Solution

Accepted Solutions

these're the respective defects filed for the mentioned issues.

CSCum49200 Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum62305 Traffic stops for iphone/mac OS in 7.6 in 3600/3700

View solution in original post

44 Replies 44

Abhishek Abhishek
Cisco Employee
Cisco Employee

Hello,

As per your query i can suggest you the following solution-

This error message is seen when frames with incorrect MIC values are detected by MFP enabled LAPs. Refer to Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example for more information on MFP. Complete one of these four steps:

  1. Check      and remove any rogue or invalid APs or clients in your network, which      generate invalid frames.
  2. Disable      the Infrastructure MFP, if MFP is not enabled on other members of the      Mobility group as LAPs can hear management frames from LAPs of other WLCs      in the group that do not have MFP enabled. Refer to Wireless      LAN Controller (WLC) Mobility Groups FAQ for more information on      Mobility Group.
  3. The      fix for this error message is available in the WLC releases 4.2.112.0 and      5.0.148.2. Upgrade the WLCs to either of these releases.
  4. As      a last option, try to reload the LAP that generates this error message.

Hope this will help you.

Upgrade from 7.5 to 4 or 5 level code ? I am also receiving these errors, I check my rogues every morning. Also, since upgraded to 7.5, I see in unreasonable amount of rogues I have never seen before. Something is wrong with the code. I also get xomplainrts that clients randomly hang since 7.5.

08:01:47 2013

MFP Anomaly Detected - 1 Not encrypted event(s) found as violated by the radio xxxxx and detected by the dot11 interface at slot 0 of AP xxxxxx in 300 seconds when observing . Client's last source mac xxxxxx

Same here. Upgraded from 7.4 to 7.6 (because of support for 3700 APs) and now I get "flooded" with this messages 24/7. I already disabled Infrastructure MFP and also set MFP from optional to disabled on all of my WLANs but the problem still persists. There seems to be something wrong within the code...

I also see that message and I'm running v7.6. I have MFP disabled and still seeing errors from clients in that WLAN.

Have you experienced client, mainly Apple devices loose layer2/3 connectivity but still associated and in the RUN state? George and I have been testing this and we have seen it on the 3600's and the 3700's? If so, keep us posted.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Well Scott,

I only replaced one (the one in my area) of our 1260's at the moment to be sure everything runs fine with the new APs, so I only have about 20 clients (some Android, iOS, many Win7) connecte to the 3700 at the moment and nearly all of them run fine. Only one iPhone 5c which is connected to our guest WLAN, web-authenticated and in RUN state has to repeat the web-auth nearly every time it awakes. I tried with another iPhone 4 and a Galaxy S4 and none of them had any troubles. I even went home with them and the next morning they could browse the web without the need for repeating web-auth. All of these devices are associated and in RUN state, but this particular 5c always has to repeat the web-auth... I'm not sure if this has to do something with 7.6 or the 3700, but since you asked. BTW, my global idle-timeout is set to 24h, idle-timeout at WLANs advanced settings is disabled and eap-bcast-key-interval is also 24h, so this can't be the problem.

Additionally I experience loose of L2 connectivity with my own notebook with Intel 7260AC when connected at 11ac, but this seems to be a problem of this card and it's drivers as far as I found out with google... The Galaxy S4 has a stable connection to the 3700 at 11ac.

But this MFP thing is really annoying at the moment and the solution "try to reload the LAP" won't work at all - I'd have to reload all of them (but even tried one, without success)...

Regards,

Christian

Christian,

George and I are working with the BU on some issue with loosing layer 2 and v7.6. I have seen issue with my iPhone, iPad and some windows machines but a MacBook Air has no issues. I would open a TAC case so maybe they can start logging something.

George has some MacBooks on the 3700 that also loose layer 2. I'm currently testing on the 3600's bit will test on the 3700 this week.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

I installed many of the 3702 this week and a lot of our users are using Apple products so they should complain if something doesn't work anymore as it did before. I'll keep you updated, but as Saravanan stated that Cisco is already working on this I'd think that we would also run into these effects...

BTW, MFP is still flooding the logs...

regards,

Christian

George and I have been working with the BU on issues with v7.6 and I do see issues mainly with Apple, but also with a few Windows machines.  MFP logs..... well yes I see those to and just tend to ignore them as most likely an upgrade would or might fix that.  Give it some time for users to really complain... I have seen clients bring us in after a few months, because they find out that users are finally complaining that they have to reboot or reset their wireless every so often.  I use my iphone a lot and I notice it right away and typically have to just disable my wireless and use cellular.  Apple TV's don't seem to have issues, but that's what I have seen so far.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Hi Scott,

Are you still seeing these issues even on the latest 7.6.120.0?  Specifically, the L2 communication loss on the Apple devices?

Thanks!

We were running 7.6.120 on one of our controllers, and that's when we started seeing those alarms. I've upgraded that controller to 8.0, and those messages have disappeared.

I see the error message with 7.6.130 code. Here is setup detail

 

WLC2504 running 7.6.130

AP3702

 

Error message screenshot attached. 

 

 

Thanks, Kunal

Happy to help you !

Hi,

 

I am having AP image upgrade problem .I have a 5500  WLC which has been up graded  from 7.3 to 7.6.130 ,When I run AP pre-download option then 2602 and 3602 AP image up grade is failed every time though some of 2600/3600 are working fine with 7.6.I have also tried to reboot AP`s so that they can auto upgrade their Image while contacting WLC but it did not help. have gone through cisco wirless compatibility list but nothing helped me. Please suggest any solution for this issue.

Hi Mohit, If you haven't fixed this issue, often doing a factory reset on the AP can help when an AP won't preload.  Remember this wipes your high availability and IP settings off the AP so use carefully...:)

these're the respective defects filed for the mentioned issues.

CSCum49200 Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum62305 Traffic stops for iphone/mac OS in 7.6 in 3600/3700

Review Cisco Networking for a $25 gift card