10-01-2021 12:27 AM
Hello Wireless Ninjas,
Our Wireless clients connected to the same AP complain about slowness and frequent disconnections. The only strange logs flooding in the AP which I noticed are mentioned below.
%DOT11-4-CCMP_REPLAY: Client 84c5.a6fc.2f97 had 2 AES-CCMP TSC replays
%DOT11-4-CCMP_REPLAY: Client 84c5.a6fb.ceda had 1 AES-CCMP TSC replays
%DOT11-4-CCMP_REPLAY: Client 84c5.a6fc.2f97 had 1 AES-CCMP TSC replays
%WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:1 Source MAC:a618.88c7.50b5
%WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:6 Source MAC:a618.88c7.559b
%WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:11
%WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:1
%DOT11-6-ASSOC: Interface Dot11Radio0, Station 84c5.a6fc.2f97 REAP Associated KEY_MGMT[Open]
%DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 84c5.a6fc.2f97 Sending station has left the BSS
%DOT11-6-ASSOC: Interface Dot11Radio0, Station 84c5.a6fc.2f97 REAP Associated KEY_MGMT[Open]
%DOT11-4-BAD_BASSN: Client d472.2626.2bee(40165) DELBA upstream for priority 0 on packet seq jump
%DOT11-4-BAD_BASSN: Client d472.2626.2bee(40165) DELBA upstream for priority 0 on packet seq jump
AP Model:AIR-CAP3602I-N-K9
AP Version: 15.3(3)JD16
LWAPP image version 8.3.143.0
Kindly help to solve this problem. we tried changing the channel but getting the same error on the new channel as well.
Please let me know if you need any other details.
Thank You
MK
10-01-2021 12:54 AM
Hi, while investigating i found below bug report and can be related to your issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs40343/?rfs=iqvred
also by reading logs, it seems like some wireless client sending replay packets and WIDS detecting them as a attack. if someone trying to do DOS kind attack, other user's traffic will get dropped and users will feel slowness and disconnections. last logs are kind of related to sequence number mismatching, which can occur with packet drops. better to check AP statistics and connected clients list to identify any abnormal traffic behaviors or unknown users. WLC's client list can use to get good idea about user list and observe unknown/known abnormal details for each client.
Good luck
KB
10-01-2021 02:59 AM
@MohanKumar30269 wrote:
Our Wireless clients connected to the same AP complain about slowness and frequent disconnections.
Slowness and frequent disconnections happening to wireless clients connecting to ONE AP? Is that correct?
10-01-2021 03:03 AM
10-01-2021 03:21 AM
If 2.4 Ghz is turned off, is the wireless better?
10-01-2021 03:26 AM
10-01-2021 03:40 AM
@MohanKumar30269 wrote:
Will those same clients be able to connect 5 GHz, if we shutdown 2.4 GHz ?
Depends if the wireless clients have dual band radios (2.4 Ghz & 5.0 Ghz).
@MohanKumar30269 wrote:
We haven’t tried that but most of them are connected to 2.4GHz, are you recommending to try that ?
2.4 Ghz in an enterprise environment will never work. There are too many co-channel interference that can cripple 2.4 Ghz.
10-01-2021 04:20 AM
10-01-2021 04:39 AM
@MohanKumar30269 wrote:
I have attached the complete logs and few show commands
And? What is the objective of showing me the logs?
The logs tell me Channel 11 is being hammered. That leaves 2 channels in the 2.4 Ghz to use. What are the chances there are co-channel interference there too?
10-01-2021 05:13 AM - edited 10-01-2021 06:07 AM
Yes, Channel 11 and 149 are being hammered. I tried changing to channel 11 to 6 in 2.4GHz and 149 to 64 in 5GHz but there is no improvement in performance and the clients are kept disconnecting and reconnect very frequently.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide