Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1796
Views
1
Helpful
4
Replies

Problem with flexconnect clients disconnecting

Henrik Josefsson
Level 1
Level 1

‎06-13-2023 12:39 AM

Hello,

We have a situation where our flexconnect clients (mostly ipads and chromebooks) gets disconnected shortly from the network every hour after connecting to our Wi-Fi.

When I'm checking our DNA-C I can clearly see we have problems. We have 4 different models out there 2702i, 3702i, 2802i and 9120i.

I haven't seen the problems yet on our 2702 or 3702 yet.
We are in a lifecycle where we switching our 2/3702i to 9120i so we are getting more and more of these problems out there.

When checking event viewer in DNA-C, clients are failing on Broadcast Rekey but successfully gets a new key after 3 minutes of failing. (Showing in the pictures I attached here).

When I check the messege logs from GUI in our WLC it says the following:

*dot1xMsgTask: Jun 13 09:01:59.838: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1742 Unable to send EAPOL-key msg - invalid WPA state (5) - client 00:00:00:00:00:00

and when I debug a client from CLI, I get this:


*Dot1x_NW_MsgTask_2: Jun 12 11:42:58.858: [PA] 1x: EAPOL frame with dst MAC 11:11:11:11:11:11 and BSSID 22:22:22:22:22:22 discarded

Where MAC 11:11 and 22:22 are 2 different AP:s.

Our WLC 8540 are running the newest software version: 8.10.185.0

The iPads and chromebooks are different models aswell.

The SSID that they are connecting to is a flexconnect with a PSK key. We do have 802.1x activated inside our network but not on SW trunkport towards the accesspoints.

Any idéa what it can be?

Thanks in advanced
Best Regards

Henrik Josefsson

 

 

Preview file
14 KB
Preview file
30 KB
Preview file
32 KB
0 Helpful
4 Replies 4

marce1000
Hall of Fame
Hall of Fame

‎06-13-2023 01:18 AM

 

                                    >...and when I debug a client from CLI, I get this:...
 Perform full client debugging according to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/100260-wlc-debug-client.html  , you can have client debugs analyzed with :
                                          https://cway.cisco.com/wireless-debug-analyzer

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

JPavonM
VIP
VIP

‎06-13-2023 08:20 AM

I have also suffered this but this time with Windows laptops and Mediatek chipset on certain versions.

The issue seems to be that the driver cannot manage GTK rekeying so the association is dropped, and after a period of time set on the driver (in windows you can tweak this) that seems to be 18 seconds on iPads, the device reconnects.

In C9800 I solved this increasing the timer for group-key renewal to 15 hours with this command:

wireless security dot1x group-key interval 54000

In AireOS try this command:

config advanced eap bcast-key-interval 54000

 

Rich R
VIP
VIP

‎06-13-2023 06:35 PM

Also discussed by @JPavonM on this thread https://community.cisco.com/t5/wireless/dna-center-wireless-clients-show-broadcast-rekey-failed-messages/td-p/4699102
In that case Philip said "The thing is I upgraded one of these devices with a new firmware, and I don't see them anymore on that device." confirming that it's a device issue.  So make sure the device OS and drivers are totally up to date and if still seeing the problem then you'll have to use the workaround to extend the timer.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Henrik Josefsson
Level 1
Level 1
In response to Rich R

‎06-19-2023 02:21 AM

Okej, I will check and see if there are any new updates for the devices.

Otherwise I try to extend the timer and see if that works.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card