
WLC 5504 Specific VLAN not connecting hosts

TC2013
Level 1

Good Afternoon All,

 

I am currently having an issue with some of my hosts when they try to connect to a specific WLAN. 

This WLAN is static mappings only, which is controlled through the firewall (IP reservation through MAC Address). 

The Cisco 5504 is running 8.0.154.0

 

At the start I thought it was a NAS ID issue, due to the WLC not assigning one. I have manually added it and the NAS ID appears in the debug, but that didn't resolve the issue.

 

*apfMsConnTask_0: Jan 17 14:24:32.847: dc:53:60:5c:e4:c8 Check before Setting the NAS Id to WLAN specific Id ''

 

The first line that makes me wonder is the following:


*apfMsConnTask_0: Jan 17 14:48:45.229: dc:53:60:5c:e4:c8 Applying Interface(crew) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

The Crew interface is on VLAN 21 and the role should be Local (I assume, as I am comparing with other WLANs).

 

The following line makes me think that this specific host has been blacklisted. However, connecting to the WLAN Crew is a bit erratic (sometimes tells me network not available or it takes several attempts to authenticate with the WLC) with other hosts.

 

*apfMsConnTask_4: Jan 17 14:24:56.360: dc:53:60:5c:e4:c8 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_4: Jan 17 14:24:56.360: dc:53:60:5c:e4:c8 Sending client blacklist entry to roamed AP 64:f6:9d:9b:08:20 with remaining time to be excluded 51sec
*apfMsConnTask_4: Jan 17 14:24:56.892: dc:53:60:5c:e4:c8 Processing assoc-req station:dc:53:60:5c:e4:c8 AP:64:f6:9d:9b:08:20-00 thread:151c2c00

 

I have attached the full debug from when I try to connect to when it times out and gives me the "unable to connect".

 

Any help is greatly appreciated,

J

 

 

 


patoberli
VIP Alumni

For cases like this, the debug analyzer is very useful: 

https://cway.cisco.com/wireless-debug-analyzer/

 

In your case:

Jan 17 14:48:45.231 *apfMsConnTask_0 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Jan 17 14:48:45.231 *apfMsConnTask_0 Client is trying to associate in 5 Ghz band
Jan 17 14:48:45.237 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Sending M1
Jan 17 14:48:45.240 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Jan 17 14:48:46.380 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jan 17 14:48:46.380 *dot1xMsgTask 4-Way PTK Handshake, Retransmitting M1 retry #1
Jan 17 14:48:46.382 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Jan 17 14:48:47.380 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jan 17 14:48:47.380 *dot1xMsgTask 4-Way PTK Handshake, Retransmitting M1 retry #2
Jan 17 14:48:47.452 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Jan 17 14:48:48.380 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jan 17 14:48:48.381 *dot1xMsgTask Client has been deauthenticated

 

So this might also be a driver/firmware issue of the client or a bug in the used WLC code.

 

Can you share your SSID configuration? I assume you might have enabled some fancy features like 802.11r, 802.11v or 802.11k. Try to disable those on the SSID if enabled (or if available in your firmware) and check again.

Hi Patoberli,

 

Thank you, I didn't know it even existed! 

 

Find attached. I'll start digging regarding the firmware. 

You seem to have WPA1 and also WPA2 active. Disable those two options for WPA1:

         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled

In the GUI, disable the option "WPA Policy" on the SSID and make sure TKIP is not enabled either.

Hi Patoberli,

 

That did it! Thank you very much.
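
The handshake trace quoted in patoberli's reply can be summarised mechanically. This is an added example, not part of the original thread and not Cisco's analyzer: it reads lines in the format quoted above and reports, per 4-way handshake attempt, how many M2 frames were logged against how many waits for M2 expired. The function name, counter names and finding labels are assumptions of this example.

```python
import re

# Analyzer lines copied from the reply in this thread (handshake part only).
TRACE = """\
Jan 17 14:48:45.237 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Sending M1
Jan 17 14:48:45.240 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Jan 17 14:48:46.380 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jan 17 14:48:46.380 *dot1xMsgTask 4-Way PTK Handshake, Retransmitting M1 retry #1
Jan 17 14:48:46.382 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Jan 17 14:48:47.380 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jan 17 14:48:47.380 *dot1xMsgTask 4-Way PTK Handshake, Retransmitting M1 retry #2
Jan 17 14:48:47.452 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Jan 17 14:48:48.380 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Jan 17 14:48:48.381 *dot1xMsgTask Client has been deauthenticated
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) \*(\S+) (.*)$")
# Message substrings taken from the trace above, mapped to per-attempt counters.
COUNTERS = {"Received M2": "m2_seen", "did not respond with M2": "timeouts",
            "Retransmitting M1": "retries"}

def summarize_handshakes(text):
    """Return one dict per 4-way handshake attempt found in the trace."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _task, msg = m.groups()
        if "Sending M1" in msg:  # a fresh M1 opens a new attempt
            cur = {"start": ts, "m2_seen": 0, "timeouts": 0, "retries": 0,
                   "result": "open", "finding": None}
            attempts.append(cur)
        elif cur is None:
            continue  # lines logged before any handshake started
        elif "deauthenticated" in msg:
            # Heuristic (this example's assumption): M2 logged yet the waits
            # still expired means M2 arrived but was not accepted.
            seen, expired = cur["m2_seen"], cur["timeouts"]
            cur["result"] = "deauthenticated"
            cur["finding"] = ("m2_seen_but_not_accepted" if seen and expired
                              else "no_m2_from_client" if expired else None)
            cur = None
        else:
            for needle, key in COUNTERS.items():
                if needle in msg:
                    cur[key] += 1
    return attempts

if __name__ == "__main__":
    print(summarize_handshakes(TRACE))
```

On the thread's trace this reports three M2 frames logged, three expired waits and two M1 retransmissions before the deauthentication.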

 

 
