04-02-2015 06:46 AM - edited 07-05-2021 02:50 AM
Hi all!!! I have a WLC 2504 (AirOS 8.0.100.0) and AP 1602, 2602, 1141 in FlexConnect mode and 50-60 clients. I came across the following problem: a reassociation (disconnect) of mobile stations occurs every 1800 sec. The WLAN (SSID) is set with WPA2-AES PSK, and in the settings WLANs > Edit > Advanced > Enable Session Timeout is unchecked. What could be the problem?
04-02-2015 03:18 PM
Do you currently have any issues or is it just an observation? Could you give us the output from a "show wlan x"?
Besides that, I would advise you to upgrade to 8.0.110 and also check if your FUS is the current one as well. If you need to upgrade the FUS, plan a big enough maintenance window because this process will take at least 30 minutes to complete.
04-03-2015 04:26 AM
Currently this is a problem. The current FUS is 1.9 and was updated more than a year ago.
Output from "show wlan x":
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... internet
Network Name (SSID).............................. internet
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 66
Exclusionlist.................................... Disabled
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 20 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... WLC-2504
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ internet
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Disabled
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. Cisco-Prime
Flow Monitor Name................................ Monitor
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
DMS DB is empty
Band Select...................................... Enabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Admin.................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
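An added example, not part of any post in this thread: a small Python parser for the dotted-leader `show wlan` output above that pulls out the timers and 802.11w (PMF) fields the replies discuss. The function names and the `idle_floor` default (the 300-second idle timer suggested in a later reply) are assumptions made for this example.

```python
import re
# Constructed sample in the dotted-leader format of the "show wlan 1" output.
SAMPLE = """\
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 20 seconds
802.1X........................................ Disabled
PMF-PSK(802.11w)........................ Disabled
CKIP ......................................... Disabled
PMF........................................... Disabled
Mobility Anchor List
"""

# Key, a run of 2+ dots, value; single dots inside "802.1X" are not the leader.
LINE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_show_wlan(text):
    # A list of pairs, not a dict: keys such as "DHCP" repeat in the real output.
    pairs = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # section headers and separators have no dot leader
            pairs.append((m.group("key"), m.group("value").strip()))
    return pairs


def first(pairs, key):
    return next((v for k, v in pairs if k == key), None)


def seconds(value):
    m = re.match(r"(\d+)\s+seconds$", value or "")
    return int(m.group(1)) if m else None


def review_timers(pairs, idle_floor=300):
    # idle_floor is an assumption: the 300-second idle timer suggested in the thread.
    idle = seconds(first(pairs, "User Idle Timeout"))
    return {
        "session_timeout_s": seconds(first(pairs, "Session Timeout")),
        "idle_timeout_s": idle,
        "idle_below_floor": idle is not None and idle < idle_floor,
        "pmf": first(pairs, "PMF"),
        "pmf_psk_akm": first(pairs, "PMF-PSK(802.11w)"),
    }


if __name__ == "__main__":
    print(review_timers(parse_show_wlan(SAMPLE)))
```

Because the pasted output has lost its indentation, the parser keeps every key/value pair in order rather than trying to rebuild the section hierarchy.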
04-07-2015 11:46 PM
Hi,
Set:
session timeout : 65535
Idle timeout: 86400
ARP timeout: 86400
https://rscciew.wordpress.com/2014/05/07/timeout-setting-on-wireless-lan-controller/
Try it and let us know.
Regards
Don't forget to rate helpful posts
04-08-2015 12:55 AM
The problem was not solved.
04-08-2015 05:47 AM
Keep the idle timer at 300 seconds. You can leave the session timer at what you have or disable it. I prefer to disable this.
Like George mentioned, what type of clients?
-Scott
05-15-2015 03:56 AM
Hi all. After some tests I am coming back to this topic. I updated the WLC to version AirOS 8.0.115. The problem occurs with Windows 8/8.1 and some Apple MacBook devices (1 or 2 devices); the reassociation is random (it may be 400 or 600 or 1800 or 2020 seconds). I note the following: after configuring 802.11w (Protected Management Frame) (mode Optional), client uptime is stable and the session is not broken. But with 802.11w turned on, all clients in the network (Android, Apple, Windows, Linux and so on) lose speed (3-12 Mbit/s) and packets - ping 2500 - 4000 ms. As soon as I turn off 802.11w on the WLC everything becomes normal - high speed, no packet loss - ping 1-3 ms. What is the reason? Maybe it is a WLC bug?
05-15-2015 03:59 AM
Client support for 802.11w can be why. I never turn that feature on to be honest. As you can see, the wireless supports certain features, but in the end, all clients have to also support it.
-Scott
05-15-2015 04:09 AM
How do you explain the client uptime being retained with 802.11w turned on??? And the loss of speed and packets with 802.11w turned on??? I need a clear answer.
05-15-2015 04:15 AM
For that to work, you need to find out if the end devices support 802.11w. If one type doesn't, then there you go, you shouldn't turn that on on that given WLAN. The ping times you are seeing are not normal, as you know, so that typically means compatibility issues and points to the end devices and/or drivers. If the devices do not support 802.11w, then they will not work well or at all. If you think it is a bug, then you need to open a TAC case. Set it to default, which is optional, and those that support it will use it and those that don't will not.
-Scott
04-08-2015 05:22 AM
What type of clients?
Monte, playing with the idle timeout is playing with fire. The WLC doesn't honor deauth frames; in other words, your client database will grow and keep disconnected clients in the client database for a very extended time.
Your best bet is to debug the client and start from there.
04-06-2015 03:33 AM
Station Services
The 802.11 standard defines services for providing functions among stations. A station may be within any wireless element on the network, such as a handheld PC or handheld scanner. In addition, all access points implement station services. To provide necessary functionality, these stations need to send and receive MSDUs and implement adequate levels of security.
Authentication
Because wireless LANs have limited physical security to prevent unauthorized access, 802.11 defines authentication services to control LAN access to a level equal to a wired link. Every 802.11 station, whether part of an independent BSS or an ESS network, must use the authentication service prior to establishing a connection (referred to as an association in 802.11 terms) with another station with which it will communicate. Stations performing authentication send a unicast management authentication frame to the corresponding station.
The IEEE 802.11 standard defines the following two authentication services:
Open system authentication: This is the 802.11 default authentication method. It is a very simple two-step process. First the station wanting to authenticate with another station sends an authentication management frame containing the sending station's identity. The receiving station then sends back a frame indicating whether it recognizes the identity of the authenticating station.
Shared key authentication: This type of authentication assumes that each station has received a secret shared key through a secure channel independent from the 802.11 network. Stations authenticate through shared knowledge of the secret key. Use of shared key authentication requires implementation of the Wired Equivalent Privacy algorithm (WEP).
For more information please refer to the link-
http://www.informit.com/articles/article.aspx?p=24411&seqNum=7
04-07-2015 03:35 PM
Hi Sergey,
Taking into account that your ENABLE SESSION TIMEOUT is DISABLED, I am thinking that you could be facing a USER IDLE TIMEOUT.
Check the following parameter on the specific SSID --> Advanced Option -->
Client user idle timeout (15-100000)
If that parameter is UNCHECKED for the specific SSID, then the WLC applies the VALUE globally configured on your WLC. This parameter is located at CONTROLLER --> GENERAL --> User Idle Timeout (seconds).
Hoping this helps.
04-07-2015 11:48 PM
Hi Abraham!!! USER IDLE TIMEOUT for this WLAN was established a long time ago and equals 20 sec. This does not solve the problem.
04-14-2015 12:47 PM
20 Sec??