Thanks George,

enabled this debug:

show debug

MAC Addr 1.................................. 28:CF:E9:13:7B:37

Debug Flags Enabled:
  dhcp packet enabled.
  dot11 mobile enabled.
  dot11 state enabled
  dot1x events enabled.
  dot1x states enabled.
  mobility client handoff enabled.
  pem events enabled.
  pem state enabled.
  802.11r event debug enabled.
  802.11w event debug enabled.
  CCKM client debug enabled.

debug client says:

apfReceiveTask: Mar 08 21:31:29.891: 28:cf:e9:13:7b:37 deleting SA query timer
*osapiBsnTimer: Mar 08 23:54:27.220: 28:cf:e9:13:7b:37 apfMsExpireCallback (apf_ms.c:632) Expiring Mobile!
*apfReceiveTask: Mar 08 23:54:27.221: 28:cf:e9:13:7b:37 apfMsExpireMobileStation (apf_ms.c:6976) Changing state for mobile 28:cf:e9:13:7b:37 on AP 68:86:a7:d6:7f:30 from Associated to Disassociated

*apfReceiveTask: Mar 08 23:54:27.221: 28:cf:e9:13:7b:37 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds

config:

 802.11a 11nSupport a-mpdu tx scheduler enable
 802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
 802.11a beacon range 0
 802.11a rx-sop threshold auto default
 802.11a cca threshold 0 default
 802.11a multicast buffer 0
 802.11a multicast data-rate 0 default
 802.11a cac video cac-method static
 802.11a rssi-check enable
 802.11a max-clients 200
 802.11a rate disabled 6
 802.11a rate disabled 9
 802.11a rate disabled 12
 802.11a rate disabled 18
 802.11a rate disabled 24
 802.11a rate mandatory 36
 802.11a cleanair enable network
 802.11a dfs-peakdetect enable
 802.11b 11nSupport a-mpdu tx scheduler enable
 802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
 802.11b beacon range 0
 802.11b rx-sop threshold auto default
 802.11b cca threshold 0 default
 802.11b multicast buffer 0
 802.11b multicast data-rate 0 default
 802.11b cac video cac-method static
 802.11b max-clients 200
 802.11b rate disabled 1
 802.11b rate disabled 2
 802.11b rate disabled 11
 802.11b rate disabled 6
 802.11b rate disabled 9
 802.11b rate disabled 12
 802.11b cleanair enable network
802.11h channelswitch enable quiet
 aaa auth mgmt  local radius
 flexconnect fallback-radio-shut disable
 advanced 802.11a channel dca interval 1
 advanced 802.11a channel dca anchor-time 0
 advanced 802.11a channel dca chan-width-11n 40
 advanced 802.11a channel dca sensitivity 5
 advanced 802.11a channel dca min-metric -95
 advanced 802.11a Ccx location-meas global enable 60
 advanced 802.11a channel load enable
 advanced 802.11a channel device enable
 advanced 802.11a channel add 100
 advanced 802.11a channel add 104
 advanced 802.11a channel add 108
 advanced 802.11a channel add 112
 advanced 802.11a channel add 116
 advanced 802.11a channel add 120
 advanced 802.11a channel add 124
 advanced 802.11a channel add 128
 advanced 802.11a channel add 132
 advanced 802.11a channel add 136
 advanced 802.11a channel add 140
 advanced 802.11a reporting neighbor 180
 advanced 802.11a reporting interference 120
 advanced 802.11b channel dca interval 0
 advanced 802.11b channel dca anchor-time 0
 advanced 802.11b channel dca sensitivity 5
 advanced 802.11b channel dca min-metric -95
 advanced 802.11b Ccx location-meas global enable 60
 advanced 802.11b reporting neighbor 180
 advanced 802.11b reporting interference 120
 advanced 802.11b profile level global 5
 advanced 802.11b channel add 2
 advanced 802.11b channel add 3
 advanced 802.11b channel add 4
 advanced 802.11b channel add 5
 advanced 802.11b channel add 7
 advanced 802.11b channel add 8
 advanced 802.11b channel add 9
 advanced 802.11b channel add 10
 advanced 802.11b channel add 12
 advanced 802.11b channel add 13
 advanced 802.11b channel load enable
 advanced 802.11b channel device enable
 advanced 802.11b tpcv1-thresh -80
 location info rogue extended
 location rssi-half-life tags 0
 location rssi-half-life client 0
 location rssi-half-life rogue-aps 0
 location expiry tags 5
 location expiry client 5
 location expiry calibrating-client 5
 location expiry rogue-aps 5
 advanced timers ap-fast-heartbeat local enable 10
 advanced timers ap-fast-heartbeat flexconnect enable 10
 advanced backup-controller primary
 advanced backup-controller secondary
 advanced backup-controller
 advanced backup-controller
 ap retransmit count 8 all
 ap retransmit interval 2 all
 advanced sip-snooping-ports 0 0
 advanced eap bcast-key-interval 3600
 advanced 802.11-abgn pak-rssi-location enable
 advanced 802.11-abgn pak-rssi-location threshold -100
 advanced 802.11-abgn pak-rssi-location trigger-threshold 10
 advanced 802.11-abgn pak-rssi-location reset-threshold 8
 advanced 802.11-abgn pak-rssi-location ntp 10.62.1.2
 advanced 802.11-abgn pak-rssi-location timeout 3
 advanced hotspot cmbk-delay 50
Cisco Public Safety is not allowed to set in this domain
 ap syslog host global 10.62.1.8
 ap dtls-cipher-suite RSA-AES128-SHA
 ap dtls-wlc-mic sha2
 ap mgmtuser add username admin password *** secret *** all
 cdp advertise-v2 enable
 country BG,CZ,DE
 cts sxp disable
 cts sxp connection default password ****
 cts sxp retry period 120
 cts sxp sxpversion 2
 database size 2048
 dhcp opt-82 remote-id ap-mac
 flexconnect group Getoto add
 flexconnect group Getoto radius ap enable
 flexconnect group Getoto radius ap server-key <hidden>
 flexconnect group Getoto radius ap authority id 436973636f0000000000000000000000
 flexconnect group Getoto radius ap authority info Cisco A_ID
 local-auth method fast server-key ****
interface address management 10.62.1.10 255.255.255.0 10.62.1.1
interface address service-port 10.13.0.1 255.255.255.0
interface address virtual 1.1.1.1
interface dhcp  management primary 10.62.1.5
interface dhcp service-port disable
interface port management 1
 mdns snooping disable
 mdns policy service-group create default-mdns-policy default-mdns-policy
 mdns policy service-group user-role add default-mdns-policy admin
 mdns profile create default-mdns-profile
 mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
 mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
 mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
 mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable
 mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
 mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
 mdns profile service add default-mdns-profile AirPrint
 mdns profile service add default-mdns-profile AirTunes
 mdns profile service add default-mdns-profile AppleTV
 mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
 mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
 mdns profile service add default-mdns-profile Printer
 mdns query interval 15
 wlan mdns disable 1
 wlan mdns disable 2
 wlan mdns disable 3
 ipv6 ra-guard ap enable
 ipv6 capwap udplite disable all
 ipv6 multicast mode unicast
 load-balancing aggressive enable
 load-balancing window 5
 wlan apgroup add Getoto2 Getoto2
 wlan apgroup add default-group
 wlan apgroup qinq tagging eap-sim-aka default-group enable
 wlan apgroup interface-mapping add Getoto2 1 management
 wlan apgroup interface-mapping add Getoto2 2 management
 wlan apgroup interface-mapping add Getoto2 3 management
 wlan apgroup interface-mapping add default-group 1 management
 wlan apgroup interface-mapping add default-group 2 management
 wlan apgroup interface-mapping add default-group 3 management
 wlan apgroup nac-snmp disable Getoto2 1
 wlan apgroup nac-snmp disable Getoto2 2
 wlan apgroup nac-snmp disable Getoto2 3
 wlan apgroup nac-snmp disable default-group 1
 wlan apgroup nac-snmp disable default-group 2
 wlan apgroup nac-snmp disable default-group 3
 logging buffered 6
 logging syslog level 2
 msglog level verbose
 memory monitor errors enable
 memory monitor leak thresholds 10000 30000
Outdoor Mesh Ext.UNII B Domain channels: Disable
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
 mesh security eap
mesh lsc advanced ap-provision open-window enable
 mgmtuser add admin **** read-write
 mobility group domain demo
 mobility group member hash 10.62.1.10 4d9e4166967a82960911b91a19583b4dc961bf35
 mobility dscp 0
 network multicast igmp snooping enable
 network multicast mld snooping enable
 network master-base enable
 network ap-priority enabled
 network rf-network-name demo
 network secureweb cipher-option rc4-preference disable
 network client-ip-conflict-detection disable
 qos priority bronze background background background
 qos priority gold video video video
 qos priority platinum voice voice voice
 qos priority silver besteffort besteffort besteffort
 radius callStationIdType macaddr
 radius auth callStationIdType ap-macaddr-ssid
 radius fallback-test mode off
 radius fallback-test username cisco-probe
 radius fallback-test interval 300
 radius dns disable
 radius dns auth network disable
 radius dns auth management disable
 radius dns acct network disable
 radius dns auth rfc3576 disable
 tacacs dns disable
 rogue detection report-interval 60
 rogue detection min-rssi -80
 rogue detection transient-rogue-interval 120
 rogue detection client-threshold 0
 rogue detection security-level low
 rogue ap ssid alarm
 rogue ap valid-client alarm
 rogue adhoc disable
 rogue adhoc alert
 rogue ap rldp disable
 rogue ap timeout 240
 rogue auto-contain level 1 monitor_ap_only
 rogue containment flex-connect disable
 rogue containment auto-rate enable
 snmp version v2c enable
 snmp version v3 enable
 snmp community create hor-ror-ro
 snmp community create hor-ror-rw
 snmp community accessmode ro hor-ror-ro
 snmp community accessmode ro hor-ror-rw
 snmp snmpEngineId 0000376300007dd40a013e0a
snmp community ipsec ike auth-mode pre-shared-key ****
 switchconfig strong-pwd case-check enabled
 switchconfig strong-pwd consecutive-check enabled
 switchconfig strong-pwd default-check enabled
 switchconfig strong-pwd username-check enabled
 switchconfig strong-pwd position-check disabled
 switchconfig strong-pwd case-digit-check disabled
 switchconfig strong-pwd minimum upper-case 0
 switchconfig strong-pwd minimum lower-case 0
 switchconfig strong-pwd minimum digits-chars 0
 switchconfig strong-pwd minimum special-chars 0
 switchconfig strong-pwd min-length 3
 sysname vWLC1
 stats-timer realtime 5
 stats-timer normal 180
 time ntp interval 36000
 time ntp server 1 10.62.1.5
 time ntp server 2 10.62.1.2
 trapflags client nac-alert enable
 trapflags ap ssidKeyConflict disable
 trapflags ap timeSyncFailure disable
 trapflags mfp disable
 trapflags adjchannel-rogueap disable
 trapflags mesh excessive hop count disable
 trapflags mesh sec backhaul change disable
 wlan create 1 Getoto Getoto
 wlan create 2 GetotoGuest GetotoGuest
 wlan create 3 Monitoring Monitoring
 wlan nac snmp disable 1
 wlan nac snmp disable 2
 wlan nac snmp disable 3
 wlan nac radius disable 1
 wlan nac radius disable 2
 wlan nac radius disable 3
 wlan multicast interface 1 disable
 wlan multicast interface 2 disable
 wlan multicast interface 3 disable
 wlan broadcast-ssid disable 3
 wlan band-select allow enable 1
 wlan band-select allow disable 2
 wlan band-select allow disable 3
 wlan custom-web global enable 2
 wlan custom-web sleep-client enable 2
 wlan custom-web sleep-client timeout 2 6
 wlan exclusionlist 1 disabled
 wlan exclusionlist 1 0
 wlan load-balance allow disable 1
 wlan load-balance allow disable 2
 wlan load-balance allow disable 3
 wlan multicast buffer disable 0 1
 wlan multicast buffer disable 0 2
 wlan multicast buffer disable 0 3
 wlan session-timeout 1 1800
 wlan session-timeout 2 1800
 wlan session-timeout 3 disable
 wlan flexconnect local-switching 1 enable
 wlan flexconnect local-switching 2 enable
 wlan flexconnect local-switching 3 enable
 wlan flexconnect learn-ipaddr 2 enable
 wlan flexconnect learn-ipaddr 3 enable
 wlan security wpa disable 2
 wlan security splash-page-web-redir disable 1
 wlan security splash-page-web-redir disable 2
 wlan security splash-page-web-redir disable 3
 wlan security static-wep-key enable 2
 wlan security static-wep-key authentication shared-key 2
 wlan security static-wep-key encryption 2 104 <mode unknown> <passwd hidden> 1
 wlan user-idle-threshold 70 1
 wlan user-idle-threshold 70 2
 wlan user-idle-threshold 70 3
 wlan security web-auth enable 2
 wlan security wpa akm psk enable 1
 wlan security wpa akm pmf psk enable 1
 wlan security wpa akm psk enable 3
 wlan security wpa akm cckm timestamp-tolerance  1000 1
 wlan security wpa akm cckm timestamp-tolerance  1000 2
 wlan security wpa akm cckm timestamp-tolerance  1000 3
 wlan security ft over-the-ds disable 2
 wlan security ft over-the-ds disable 3
 wlan security wpa gtk-random enable 1
 wlan security wpa gtk-random disable 2
 wlan security wpa gtk-random disable 3
 wlan security wpa wpa1 enable 1
 wlan security wpa wpa1 enable 3
 wlan security wpa wpa1 ciphers aes enable 1
 wlan security wpa wpa1 ciphers aes enable 3
 wlan security wpa wpa2 disable 3
 wlan security pmf optional 1
 wlan security pmf association-comeback 4 1
 wlan security pmf association-comeback 1 2
 wlan security pmf association-comeback 1 3
 wlan security pmf saquery-retrytimeout 400 1
 wlan security pmf saquery-retrytimeout 200 2
 wlan security pmf saquery-retrytimeout 200 3
 wlan exclusionlist 1 disabled
 wlan exclusionlist 1 0
 wlan profiling radius dhcp disable 1
 wlan profiling radius http disable 1
 wlan profiling radius dhcp disable 2
 wlan profiling radius http disable 2
 wlan profiling radius dhcp disable 3
 wlan profiling radius http disable 3
 wlan apgroup hotspot venue type Getoto2 0 0
 wlan enable 1
 wlan enable 3
 WMM-AC disabled
 coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email
media-stream message phone
media-stream message note denial
media-stream message state disable
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable
802.11b media-stream video-redirect enable
 ipv6 neighbor-binding timers reachable-lifetime 300
 ipv6 neighbor-binding timers stale-lifetime 86400
 ipv6 neighbor-binding timers down-lifetime 30
 ipv6 neighbor-binding ra-throttle disable
 ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
 ipv6 neighbor-binding ra-throttle max-through 10
 ipv6 neighbor-binding ra-throttle throttle-period 600
 ipv6 neighbor-binding ra-throttle interval-option passthrough
 ipv6 ns-mcast-fwd disable
 ipv6 na-mcast-fwd enable
 ipv6 enable
 nmheartbeat disable
 ipv6 interface address management primary XXXXX 64 fe80::7ada:6eff:fe51:e06
 ipv6 slaac service-port disable
 sys-nas vWLC1
 WLAN Express Setup - False

When you captured this did you rclient actually disconnect .. Is this an "i'device by chance? 

yes, client disconnects at the very same moment I see this,

yeas, it is macbook and I am not sure whether the problem started after upgrading to yosemite or it was there, but I did not notice it (as I am spending much more time in this wi-fi environment now than before the upgrade)

Well, I did not have other to test with or be sure they experience the problem (have one that disconnects pretty quickly and never connects again, but do nto have physical access to reset it)

Thus I set up today raspberry pi with wi-fi adapter, it does not to have any problems so far for today (made script to ping constantly and checked it jsut now, no losses)

Just made the suggested config changes, let's see...

Thank you George!

What OS are you running on the Mac bud?

Yosemite MAC OS

Disabling session and user time out solved the issue. Thank you George!

So, rekeying on mac was broken once again?

That solved it for me, thanks a ton! I've been looking for that for a while and had my raspberry Pi constantly disconnecting and had a cron job to reconnect (sigh...). Thanks! :)