Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1463
Views
3
Helpful
2
Replies

Supected Auto-Immune attack

andres_morales
Community Member

‎03-04-2011 02:13 PM - edited ‎07-03-2021 07:54 PM

Hi,

I have a problem with my WLAN, my client experience session terminal losses, other applications run fine.

The log of my WLC is full of this message:

*Mar 04 13:24:10.075: %APF-1-SEND_ASSOC_RESP_FAILED: apf_80211.c:4359 Could not send a Client Association response to 00:a0:f8:b3:f1:ed.  Supected Auto-Immune attack Not sending Assoc Response.

Labels:
0 Helpful
2 Replies 2

Sharath Kattemane Prabhakar
Cisco Employee
Cisco Employee

‎03-04-2011 07:16 PM

Hi ,

PLease find details of about the same ,

Auto-Immune Feature—A potential attacker can use specially crafted packets to mislead the intrusion detection system (IDS) into treating a legitimate client as an attacker. It causes the controller to wrongly disconnect this legitimate client and launches a DoS attack. The auto-immune feature, when enabled using the config wps auto-immune enable command, is designed to protect against such attacks.

Note If "auto-immune" messages appear for certain clients (for example, "mac_address Suspected Auto-Immune attack: Not Sending Assoc Response to station on BSSID 00:11:22:33:44:50 (status 1) statusCode=0)," you can enter this CLI command to disable the auto-immune feature:config wps auto-immune disable (CSCsx74467).

Note Conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled

However there are certains bugs associated with the same feature which falsely report these messages like

CSCsw52367—The controller CLI command debug client mac_address incorrectly shows the following error message when shared authentication is not enabled or shared authentication is failing: "*Dec 05 11:12:52.550: 00:1f:5b:c2:07:a4 Suspected Auto-Immune attack: Not Sending Assoc Response to station on BSSID 00:21:d8:93:cb:00 (status 13)." The message should be changed to reflect the actual problem.

Workaround : None

            CSCsx74467—For controllers running software release 4.2, 5.2, or 6.0, certain client conditions might cause "auto-immune" messages to appear (for example,                  "mac_address Suspected Auto-Immune attack: Not Sending Assoc Response to station on BSSID 00:11:22:33:44:50 (status 1) statusCode=0)." In software releases where this problem is fixed, enter this CLI command to disable the auto-immune feature: config wps auto-immune disable.

Do let us know what version you are running and the situation in which these messages were reported .

Regards ,

Sharath K.P.

========================================================

Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

andres_morales
Community Member
In response to Sharath Kattemane Prabhakar

‎03-06-2011 05:18 PM

Hi Sharath,

I run the version 5.2.157.0 and upgrade to 6.0.199.4, after this the problem began to present. I revert all changes and run again the first version but the problem remains.

In the actual version the command dont run, i will find a software version with the bug resolved and try again. If you know any please let me know.

Thak you very much for your timely response.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card