cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21135
Views
15
Helpful
44
Replies

MFP Anomaly Detected

Alejandro.Angon
Level 1
Level 1

Hi,

I have seen this messege log on WLC 5508 running 7.5 code, but I haven´t found any information about it, I will be gratful if any body know what it means

thanks

MFP Anomaly Detected - 3 Not encrypted event(s) found as violated by the radio XX:XX:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP XX:XX:XX:XX:XX:XX in 300 seconds when observing Disassoc, Deauth. Client's last source mac XX:XX:XX:XX:XX:XX

44 Replies 44

Guys- has this issue been resolved, i also saw the same error.. i 'm running 5508 with code 7.6, AP is 3700

 

 

Hello Guys- further to update my issues, Cisco TAC told me this MFP related bug will be only fixed on version 8.0. but my users experience are a bit different, not sure it's also related see my debugging logs below on ipad , not sure did any of you encountering the same issue on version 7.6.110 on Wlc 5508, AP is 3700. BTW the ipad is stationary. thanks 

  1. I have reviewed the logs at around 5:30 am and following are the logs that stand out –

2014-07-09 05:30:43        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 10.62.3.248 RUN (20) Change state to START (0) last state RUN (20)

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 apfMs1xStateDec

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 apfMsRunStateDec

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Updated location for station old AP b8:38:61:1e:a1:50-0, new AP b8:38:61:1e:a1:50-1

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *pemReceiveTask: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 10.62.3.248 Removed NPU entry.

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 10.62.3.248 RUN (20) Deleted mobile LWAPP rule on AP [b8:38:61:1e:a1:50]

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 unsetting PmkIdValidatedByAp

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Setting active key cache index 0 ---> 8

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Unable to compute a valid PMKID from global PMK cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Found an entry in the global PMK cache for station cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Searching for PMK in global PMK cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 Trying to compute a PMKID from MSCB PMK cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 No valid PMKID found in the MSCB PMKID cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 Searching for PMKID in MSCB PMKID cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 Received RSN IE with 1 PMKIDs from mobile cc:78:5f:d4:ca:70

 

                2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.811: cc:78:5f:d4:ca:70 Reassociation received from mobile on BSSID b8:38:61:1e:a1:51

Based on the information contained here, around 5:30 the following events took place –

Client was in RUN state and sent a re-association to the same AP for some reason.

Upon looking for a valid PMKID cache for the client there was none found so the AP tried computing a new PMKID based on the cached PMK but was unable to do so.

The AP as it seems registered the client to move from one radio to another on the same AP thereby resulting is disconnection & re-association.

rupert.wever
Level 1
Level 1

Running 7.6.110.0 w/ AP3700s

Disabled MFP: Still seeing the errors

Disabled WMM: Mac wireless clients in RUN state sometimes unable to ping gateway (including Windows Clients)

Has TAC indicated a possible fix?

dominik78
Level 4
Level 4

 

 

We were seeing the same issues while running 7.6.110 and .120 on 3700s and good number of older model APs. In our case TAC had us downgrade to 7.4 for now.

TAC told you to downgrade to 7.4? They must be kidding, or did you throw away all of your 3700s and got a refund, because they won't work with 7.4...

 

Correct, we only had the 3700s on a trial basis as part of a proof of concept, which is why we were able to downgrade to 7.4 after removing the 3700s. The issues went away with the downgrade (as far as we know, based on no new complaints since the downgrade).

 

bkoch1
Level 1
Level 1

I am seeing this as well on a controller that we've upgrade from 7.3.101 to 7.6.120.

I second that.  Seeing the problem on 7.6.120 with 3702i APs.

What devices?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

In my case it's been limited to Apple devices.  iPhone, iPad and Macbook have all shown the same symptoms.  Appear to be fully connected, in RUN state according the the controller, but unable to communicate.

Hello guys,

 

same problem with MFP, but it's only on 1 on my SSID's, and only for clients who are using Motorola scanners 9190...

WLC : 5508 (code 7.6.120.0)

AP's : 2602

Devices impacted : Motorola 9190

 

I'm really annoyed because users who uses these motorla are starting to complain...

 

diondohmen
Level 1
Level 1

I think this finally has been resolved:

 

CSCum87504

I upgrade to 7.6.120 on my 5508 over the weekend, this morning I am seeing the above errors in the log looking at the config, I see that MFP is disabled, and also nobody is complaining so far.

reason to go to 7.6 was for AP 2702 support which we are purchasing.

questions:

can I now ignore the error message?

does 7.6.130 fix the problem?

Hi chrbradf1,

 

i have not yet upgraded my wlc's to 7.6.130, but according to the release notes, this should have been fixed now.

I upgraded to 7.6.130 at the weekend,  no longer get the MFP messages, so that is fixed.

 

Review Cisco Networking for a $25 gift card