User switching every few minutes between 2.4ghz and 5ghz

simon.dwyer · ‎08-21-2012

Hi All,

This first started when a user said they were getting disconnected and reconnected a few times a day to our wireless network. He is in a remote office with a 1142 which is set to H-Reap talking back to our 5508. Our WLC is running 7.0.166

The laptop has an intel ulitmate 6300agn wireless card with the latest 15.x drivers.

We are using an SSID with wpa2 and 802.1x auth back to our ACS server using PEAP with our windows credentials.

attached is what i am seeing on the wcs troubleshooting page.

When i do a debug client on the WLC i see many reauthentications coming from the client on the different radio.

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Reassociation received from mobile on AP 0c:85:25:f3:7d:40

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Applying site-specific IPv6 override for station 00:24:d7:d1:16:6c - vapId 512, site 'VH-GasWorks', interface 'management'

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Applying IPv6 Interface Policy for station 00:24:d7:d1:16:6c - vlan 2, interface id 0, interface 'management'

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Applying site-specific override for station 00:24:d7:d1:16:6c - vapId 512, site 'VH-GasWorks', interface 'management'

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c STA - rates (8): 140 18 24 36 48 72 96 108 48 72 96 108 0 0 0 0

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Processing RSN IE type 48, length 38 for mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Received RSN IE with 1 PMKIDs from mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: Received PMKID: (16)

*apfMsConnTask_2: Aug 22 12:59:36.762: [0000] e0 79 8a 5f 4d 38 a0 52 b5 64 96 22 23 86 be 24

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Searching for PMKID in MSCB PMKID cache for mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c No valid PMKID found in the MSCB PMKID cache for mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Trying to compute a PMKID from MSCB PMK cache for mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: CCKM: Find PMK in cache: BSSID = (6)

*apfMsConnTask_2: Aug 22 12:59:36.762: [0000] 0c 85 25 f3 7d 40

*apfMsConnTask_2: Aug 22 12:59:36.762: CCKM: Find PMK in cache: realAA = (6)

*apfMsConnTask_2: Aug 22 12:59:36.762: [0000] 0c 85 25 f3 7d 4f

*apfMsConnTask_2: Aug 22 12:59:36.762: CCKM: Find PMK in cache: PMKID = (16)

*apfMsConnTask_2: Aug 22 12:59:36.762: [0000] e0 79 8a 5f 4d 38 a0 52 b5 64 96 22 23 86 be 24

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Unable to compute a valid PMKID from MSCB PMK cache for mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Searching for PMK in global PMK cache for mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Found an entry in the global PMK cache for station 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.762: CCKM: AA (6)

*apfMsConnTask_2: Aug 22 12:59:36.763: [0000] 0c 85 25 f3 7d 4f

*apfMsConnTask_2: Aug 22 12:59:36.763: CCKM: SPA (6)

*apfMsConnTask_2: Aug 22 12:59:36.763: [0000] 00 24 d7 d1 16 6c

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c computed a valid PMKID from global PMK cache for mobile 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c Creating a PKC PMKID Cache entry for station 00:24:d7:d1:16:6c (RSN 0) on BSSID 0c:85:25:f3:7d:4f

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c Adding BSSID 0c:85:25:f3:7d:4f to PMKID cache for station 00:24:d7:d1:16:6c

*apfMsConnTask_2: Aug 22 12:59:36.763: New PMKID: (16)

*apfMsConnTask_2: Aug 22 12:59:36.763: [0000] e0 79 8a 5f 4d 38 a0 52 b5 64 96 22 23 86 be 24

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Deleted mobile LWAPP rule on AP [0c:85:25:f3:7d:40]

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c Updated location for station old AP 0c:85:25:f3:7d:40-0, new AP 0c:85:25:f3:7d:40-1

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c apfMsRunStateDec

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c apfMs1xStateDec

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Change state to START (0) last state RUN (20)

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c 10.24.8.108 START (0) Initializing policy

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c 10.24.8.108 START (0) Change state to AUTHCHECK (2) last state RUN (20)

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c 10.24.8.108 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c 10.24.8.108 8021X_REQD (3) DHCP required on AP 0c:85:25:f3:7d:40 vapId 512 apVapId 1for this client

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c 10.24.8.108 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 0c:85:25:f3:7d:40 vapId 512 apVapId 1

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:24:d7:d1:16:6c on AP 0c:85:25:f3:7d:40 from Associated to Associated

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c Sending Assoc Response to station on BSSID 0c:85:25:f3:7d:40 (status 0) ApVapId 1 Slot 1

*apfMsConnTask_2: Aug 22 12:59:36.763: 00:24:d7:d1:16:6c apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 00:24:d7:d1:16:6c on AP 0c:85:25:f3:7d:40 from Associated to Associated

*apfMsConnTask_2: Aug 22 12:59:36.807: 00:24:d7:d1:16:6c Updating AID for REAP AP Client 0c:85:25:f3:7d:40 - AID ===> 1

*dot1xMsgTask: Aug 22 12:59:36.862: 00:24:d7:d1:16:6c Initiating RSN with existing PMK to mobile 00:24:d7:d1:16:6c

*dot1xMsgTask: Aug 22 12:59:36.862: 00:24:d7:d1:16:6c Disable re-auth, use PMK lifetime.

*dot1xMsgTask: Aug 22 12:59:36.862: 00:24:d7:d1:16:6c dot1x - moving mobile 00:24:d7:d1:16:6c into Force Auth state

*dot1xMsgTask: Aug 22 12:59:36.862: 00:24:d7:d1:16:6c Skipping EAP-Success to mobile 00:24:d7:d1:16:6c

*dot1xMsgTask: Aug 22 12:59:36.863: Including PMKID in M1 (16)

*dot1xMsgTask: Aug 22 12:59:36.863: [0000] e0 79 8a 5f 4d 38 a0 52 b5 64 96 22 23 86 be 24

*dot1xMsgTask: Aug 22 12:59:36.863: 00:24:d7:d1:16:6c Starting key exchange to mobile 00:24:d7:d1:16:6c, data packets will be dropped

*dot1xMsgTask: Aug 22 12:59:36.863: 00:24:d7:d1:16:6c Sending EAPOL-Key Message to mobile 00:24:d7:d1:16:6c

state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.912: 00:24:d7:d1:16:6c Received EAPOL-Key from mobile 00:24:d7:d1:16:6c

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.912: 00:24:d7:d1:16:6c Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:24:d7:d1:16:6c

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.912: 00:24:d7:d1:16:6c Received EAPOL-key in PTK_START state (message 2) from mobile 00:24:d7:d1:16:6c

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.912: 00:24:d7:d1:16:6c PMK: Sending cache add

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.912: 00:24:d7:d1:16:6c Stopping retransmission timer for mobile 00:24:d7:d1:16:6c

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.913: 00:24:d7:d1:16:6c Sending EAPOL-Key Message to mobile 00:24:d7:d1:16:6c

state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c Received EAPOL-Key from mobile 00:24:d7:d1:16:6c

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:24:d7:d1:16:6c

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:24:d7:d1:16:6c

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c apfMs1xStateInc

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c 10.24.8.108 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c 10.24.8.108 L2AUTHCOMPLETE (4) DHCP required on AP 0c:85:25:f3:7d:40 vapId 512 apVapId 1for this client

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c 10.24.8.108 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:85:25:f3:7d:40 vapId 512 apVapId 1

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c apfMsRunStateInc

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.960: 00:24:d7:d1:16:6c 10.24.8.108 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)

*Dot1x_NW_MsgTask_4: Aug 22 12:59:36.961: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Reached PLUMBFASTPATH: from line 4864

Now this may be not be the issue thats causing our dropouts a couple times a day as this is happening every 5 mins.

Any ideas would be brilliant.

Simon

Leo Laohoo · ‎08-21-2012

Duplicate post #2.

Amjad Abdullah · ‎08-25-2012

You can try disabling band select if that helps.

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70ccfg.html#wp1934253

Rating useful replies is more useful than saying "Thank you"

Erik Boss · ‎08-26-2012

Do the clients have the latest driver installed?

The latest Intel updates are doing great!

simon.dwyer · ‎08-26-2012

Thanks for the ideas so far. Already had Band Select disabled.

The driver is the latest 15.x from Intel still no luck.

Upgrading to the latest 7.0 code tomorrow morning and will see how that goes.

Leo Laohoo · ‎08-26-2012

5508? Go 7.2.110.0 instead.

simon.dwyer · ‎08-26-2012

Sadly we still have some 1230 AP so we cant go to 7.2 yet. I am trying to get money to get them upgraded but wont be for a little while yet.

Saravanan Lakshmanan · ‎08-26-2012

this debug output is clean, get the debug when the issue gets reproduced.

Scott Fella · ‎08-27-2012

Can you post how your wlan ssid is configured?

-Scott
*** Please rate helpful posts ***

fbarboza · ‎08-27-2012

Hi,

Please post the configuration and let us know the WLAN with the issue.

If not make sure that the WLAN is set to braodcast the SSID, that it is configured to do wither WPA with TKIP or WPA2 with AES not both, then under the advance tab make sure that you have disable aironet IE, session time out, client exclusion and MFP protection.

This is just to have a valid configuration and avoid any issues with the wireless clients connecting to the WLAN.

Also does the site where the issue have only has an access point or is there more than 1 access point managed by your WLC?

simon.dwyer · ‎08-27-2012

Hey,

Thanks for the tips. I the only thing i had to change with your info is the aironet IE. I have now disabled it and will see how i go.

The usecase i am atm only has one ap which we control. We have had some complaints from some other users on another ssid, the only linking thing is that the ones that seem to have trouble are on H-REAP.

Following is the config for the ssid:

(Cisco Controller) >show wlan 512

WLAN Identifier.................................. 512

Profile Name..................................... Mulawa

Network Name (SSID).............................. Mulawa

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

Radius-NAC State............................... Disabled

SNMP-NAC State................................. Disabled

Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Number of Active Clients......................... 8

Exclusionlist.................................... Disabled

Session Timeout.................................. Infinity

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

--More-- or (q)uit

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Enabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver (best effort)

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Disabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 75

DTIM period for 802.11b radio.................... 75

Radius Servers

Authentication................................ 10.20.0.7 1812

--More-- or (q)uit

Accounting.................................... 10.20.0.7 1813

Dynamic Interface............................. Disabled

Local EAP Authentication......................... Disabled

Security

802.11 Authentication:........................ Open System

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Enabled

WPA (SSN IE)............................... Disabled

WPA2 (RSN IE).............................. Enabled

TKIP Cipher............................. Disabled

AES Cipher.............................. Enabled

Auth Key Management

802.1x.................................. Enabled

PSK..................................... Disabled

CCKM.................................... Disabled

FT(802.11r)............................. Disabled

FT-PSK(802.11r)......................... Disabled

FT Reassociation Timeout......................... 20

FT Over-The-Air mode............................. Enabled

FT Over-The-Ds mode.............................. Enabled

CCKM tsf Tolerance............................... 1000

--More-- or (q)uit

CKIP ......................................... Disabled

Web Based Authentication...................... Disabled

Web-Passthrough............................... Disabled

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

H-REAP Local Switching........................ Enabled

H-REAP Local Authentication................... Disabled

H-REAP Learn IP Address....................... Enabled

Client MFP.................................... Disabled

Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Scott Fella · ‎08-27-2012

I would change your DTIM to 2, you have it at 75

DTIM period for 802.11a radio.................... 75

DTIM period for 802.11b radio.................... 75

-Scott
*** Please rate helpful posts ***

fbarboza · ‎08-29-2012

Hi,

I wiould set the DTIM to 1 or 2 under the WLAN advince TAB.