Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1222
Views
0
Helpful
2
Replies

MFP Anomaly help

scottwilliamson
Level 2
Level 2

‎08-27-2009 05:13 AM - edited ‎07-03-2021 05:59 PM

Hi Folks,

I just spotted this on our WCS6.0

MFP Anomaly Detected - 3,461 'Invalid MIC' violation(s) have originated from the AP with BSS '00:16:9d:44:65:d0'. This was detected by the radio with Slot ID '0' of the AP with MAC '00:19:aa:f5:5b:a0' when observing 'Probe Response, Beacon, and Deauthentication' frames.

3,461 seems like far too much - is this an attack? What should I do?

The message reads "originated from the AP", I've id'd the AP in WCS - are one of our APs acting up?

What is going on?

Thanks

Scott

Labels:
0 Helpful
2 Replies 2

Lucien Avramov
Level 10
Level 10

‎08-28-2009 12:25 AM

This is a problem on the controller, the WCS is just reporting what the controller says in this case.

There are quite a few bugs on this depending the code of WLC you have:

4.2:

CSCsq87439 "MFP Anomaly Detected - 'Invalid MIC' violation(s)" messages seen on WLC

5.0,5.1 and 5.2:

CSCsl59308 EW: Many 'MFP Anomaly Detected' alarms being reported

0 Helpful

scottwilliamson
Level 2
Level 2
In response to Lucien Avramov

‎09-14-2009 05:28 AM

Hi Lucien,

I'm running version 6.0 on the WLCs and WCS.

Can you tell me how I troubleshoot this, please? is it a false positive or an attack?

Regards

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card