WLC 3504, 802.1x clients are disconnected sometime

Ha Dao · ‎09-20-2024

Hi guys

My office is using WLC 3504:

With some Cisco AP:

Users complain me, they are often disconnected to the wireless (802.1x) 5-10 times a day.

I tried to debug a client and this is the log when it was disconnected

debug client log is in the attach file

Anyone can help me to see why they are disconnected.

This is some my wlan configurations: Some one on the internet recommend to uncheck the "Aironet 1E", should I follow it ?

marce1000 · ‎09-20-2024

- Below you will find the output of disconnected-logs.txt when processed with Wireless Debug Analyzer
it looks not too bad , as per https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
use 8.5.182.12 (8.5.182.13 for 3504s
on the 3504 as the aireos models are EOL , you should use the last release available :

Connection attempt #1
Sep 20 11:02:34.797	*Dot1x_NW_MsgTask_2	WLC/AP is sending EAP-Identity-Request to the client
Sep 20 11:02:34.816	*Dot1x_NW_MsgTask_2	Client sent EAP-Identity-Response to WLC/AP
Sep 20 11:02:35.416	*Dot1x_NW_MsgTask_2	RADIUS Server permitted access
Sep 20 11:02:35.416	*Dot1x_NW_MsgTask_2	Client will be required to Reauthenticate in 1800 seconds
Sep 20 11:02:35.428	*Dot1x_NW_MsgTask_2	4-Way PTK Handshake, Received M2
Sep 20 11:02:35.428	*Dot1x_NW_MsgTask_2	4-Way PTK Handshake, Sending M3
Sep 20 11:02:35.429	*Dot1x_NW_MsgTask_2	4-Way PTK Handshake, Received M4
Sep 20 11:02:35.429	*Dot1x_NW_MsgTask_2	Client is entering the 802.1x or PSK Authentication state
Sep 20 11:02:35.429	*Dot1x_NW_MsgTask_2	Client has completed PSK Dot1x or WEP authentication phase
Sep 20 11:02:35.430	*Dot1x_NW_MsgTask_2	Client has entered RUN state
Sep 20 11:02:35.438	*DHCP Socket Task	Received DHCP request from client
Sep 20 11:02:35.438	*DHCP Socket Task	Sending DHCP Request to DHCP Server 140.231.150.19 through gateway 140.231.150.45 requesting 140.231.150.240 on VLAN 0
Sep 20 11:02:38.269	*DHCP Socket Task	Received DHCP request from client
Sep 20 11:02:38.269	*DHCP Socket Task	Sending DHCP Request to DHCP Server 140.231.150.19 through gateway 140.231.150.45 requesting 140.231.150.240 on VLAN 0
Sep 20 11:02:40.779	*DHCP Socket Task	Received DHCP request from client
Sep 20 11:02:40.779	*DHCP Socket Task	Sending DHCP Request to DHCP Server 140.231.150.19 through gateway 140.231.150.45 requesting 140.231.150.240 on VLAN 0
Sep 20 11:02:44.398	*DHCP Socket Task	Received DHCP request from client
Sep 20 11:02:44.398	*DHCP Socket Task	Sending DHCP Request to DHCP Server 140.231.150.19 through gateway 140.231.150.45 requesting 140.231.150.240 on VLAN 0
Sep 20 11:02:49.398	*DHCP Socket Task	Received DHCP request from client
Sep 20 11:02:49.398	*DHCP Socket Task	Sending DHCP Request to DHCP Server 140.231.150.19 through gateway 140.231.150.45 requesting 140.231.150.240 on VLAN 0
Sep 20 11:02:51.362	*DHCP Socket Task	Received DHCP request from client
Sep 20 11:02:51.362	*DHCP Socket Task	Sending DHCP Request to DHCP Server 140.231.150.19 through gateway 140.231.150.45 requesting 140.231.150.240 on VLAN 0
Sep 20 11:02:55.074	*DHCP Socket Task	Received DHCP request from client
Sep 20 11:02:55.074	*DHCP Socket Task	Sending DHCP Request to DHCP Server 140.231.150.19 through gateway 140.231.150.45 requesting 140.231.150.240 on VLAN 0

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Ha Dao · ‎09-20-2024

Hi Marce

Thank you for your review and some helpful information you gave. But the problem is that client was connected to wifi at about 10h36. Then you see at 11h02, it was disconnected and reconnect again.

*apfPmkCacheTimer: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Expiring PMK cache of 54:6c:eb:09:be:9
*apfPmkCacheTimer: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Removing expired PMK cache entry for station 54:6c:eb:09:be:92 AKM was:APF_KY_MGMT_80211i
*apfPmkCacheTimer: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Removing expired PTK entry for station 54:6c:eb:09:be:92
*apfReceiveTask: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Found an cache entry for BSSID e0:0e:da:df:4f:8f in PMKID cache at index 0 of tation 54:6c:eb:09:be:92
*apfReceiveTask: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Removing BSSID e0:0e:da:df:4f:8f from PMKID cache of station 54:6c:eb:09:be:92
*apfReceiveTask: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Resetting MSCB PMK Cache Entry @index 0 for station 54:6c:eb:09:be:92
*apfReceiveTask: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Initiating 802.1x due to PMK Timeout Event for STA
*apfReceiveTask: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 Sent 1x reauth initiate message to multi thread task for mobile 54:6c:eb:09:be92 1
*Dot1x_NW_MsgTask_2: Sep 20 11:02:34.796: 54:6c:eb:09:be:92 dot1xProcessInitiate1XtoMobile to mobile station 54:6c:eb:09:be:92 (mscb 9 msg 9)

MHM Cisco World · ‎09-20-2024

If use is guest and you use CWA then what you see (Connect disconnect) is normal there is no problem

First connect to allow use conenct to CWA ISE and then after CoA the WLC disconnect and user reconnect again.

Above if you use CWA

MHM

marce1000 · ‎09-20-2024

>...Thank you for your review and some helpful information you gave. But the problem is that client was connected to wifi at about 10h36. Then you see at 11h02, it was disconnected and reconnect again.
You should always these days upgrade to 8.5.182.3 , because if it related to bugs and Cisco considers that last release for support , then check again ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Simon Blomqvist · ‎09-20-2024

Increase session timeout, I usually use 43200 seconds which is 12 hours. I usually combine that with a user idle timout of 3600 seconds (1 hour). Aireonet IE is typically something you should have disabled.

Ha Dao · ‎09-20-2024

Thank you, I ll try

Leo Laohoo · ‎09-20-2024

MAC OUI shows Intel.

Are the affected clients mostly Intel AX2xxx wireless NIC?

Ha Dao · ‎09-20-2024

uhm I don't think the problem comes from Intel wireless NIC card. I only face with unstable connection issue happen with Mediatek NIC card (build in by default in some Lenovo laptops)

Leo Laohoo · ‎09-20-2024

IF the wireless NIC cards of the affected wireless client are not Intel AX2xx (CSCwe50033) or Realtek RTL88xx (CSCwf03870), then I'd recommend first updating the wireless NIC of the wireless card.

Alternatively, disable 802.11 k, v & r from the SSID.

Haydn Andrews · ‎09-22-2024

As for aireonet IE, Cisco best practices is this is only enabled for Cisco VoWIFI SSIDs, although I generally have it running on my guest network mainly so when i survey i get the AP names.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***