05-17-2013 03:38 PM - edited 11-18-2020 03:02 AM
802.11 Association Status, 802.11 Deauth Reason codes
For example: when there is no SSID specified in an association request
Cannot support all requested capabilities in the Capability Information field
Example Test: Reject when privacy bit is set for WLAN not requiring security
Reassociation denied due to inability to confirm that association exists
Association denied due to reason outside the scope of this standard
Example: When controller receives assoc from an unknown or disabled SSID
Responding station does not support the specified authentication algorithm
For example, MFP is disabled but was requested by the client.
Received an Authentication frame with authentication transaction sequence number
If the authentication sequence number is not correct.
Authentication rejected because of challenge failure
Authentication rejected due to timeout waiting for next frame in sequence
Association denied because AP is unable to handle additional associated stations
Will happen if you run out of AIDs on the AP; so try associating a large number of stations.
Association denied due to requesting station not supporting all of the data rates in the
Will happen if the rates in the assoc request are not in the BasicRateSet in the beacon.
Association denied due to requesting station not supporting the short preamble
Association denied due to requesting station not supporting the PBCC modulation
Association denied due to requesting station not supporting the Channel Agility
Association request rejected because Spectrum Management capability is required
Association request rejected because the information in the Power Capability
Association request rejected because the information in the Supported Channels
Association denied due to requesting station not supporting the Short Slot Time
Association denied due to requesting station not supporting the DSSS-OFDM option
Unspecified, QoS-related failure
Association denied because QAP has insufficient bandwidth to handle another
Association denied due to excessive frame loss rates and/or poor conditions on current
Association (with QBSS) denied because the requesting STA does not support the
If the WMM is required by the WLAN and the client is not capable of it, the association will get rejected.
Reserved in 802.11
This is used in our code! There is no blackbox test for this status code.
The request has been declined
This is not used in assoc response; ignore
The request has not been successful as one or more parameters have invalid values
The TS has not been created because the request cannot be honored; however, a suggested
Invalid information element, i.e., an information element defined in this standard for
Sent when Aironet IE is not present for a CKIP WLAN
Invalid group cipher
Used when received unsupported Multicast 802.11i OUI Code
Invalid pairwise cipher
Unsupported RSN information element version
If you put anything but version value of 1, you will see this code.
Invalid RSN information element capabilities
If WPA/RSN IE is malformed, such as incorrect length etc, you will see this code.
Cipher suite rejected because of security policy
The TS has not been created; however, the HC may be capable of creating a TS, in
Direct link is not allowed in the BSS by policy
Destination STA is not present within this QBSS
The Destination STA is not a QSTA
Association denied because the ListenInterval is too large
Unspecified, QoS-related failure.
Unspecified QoS Failure. This will happen if the Assoc request contains more than one TSPEC for the same AC.
TSPEC request refused due to AP’s policy configuration (e.g., AP is configured to deny all TSPEC requests on this SSID). A TSPEC will not be suggested by the AP for this reason code.
This will happen if a TSPEC comes to a WLAN which has lower priority than the WLAN priority settings. For example a Voice TSPEC coming to a Silver WLAN. Only applies to CCXv4 clients.
Association Denied due to AP having insufficient bandwidth to handle a new TS. This cause code will be useful while roaming only.
Invalid Parameters. The request has not been successful as one or more TSPEC parameters in the request have invalid values. A TSPEC SHALL be present in the response as a suggestion.
Not defined in IEEE, defined in CCXv4
This happens in cases such as PHY rate mismatch. If the TSRS IE contains a PHY rate not supported by the controller, for example. Other examples include sending a TSPEC with bad parameters, such as sending a data rate of 85K for a narrowband TSPEC.
When running a client debug, this code will match the ReasonCode from the output: "Scheduling mobile for deletion with delete Reason x, reasonCode y"
|2||Previous authentication no longer valid||NOT SUPPORTED|
|3||station is leaving (or has left) IBSS or ESS||NOT SUPPORTED|
|4||Disassociated due to inactivity||Do not send any data after association;|
|5||Disassociated because AP is unable to handle all currently associated stations||TBD|
|6||Class 2 frame received from nonauthenticated station|
|7||Class 3 frame received from nonassociated station||NOT SUPPORTED|
|8||Disassociated because sending station is leaving (or has left) BSS||TBD|
|9||Station requesting (re)association is not authenticated with responding station||NOT SUPPORTED|
|10||Disassociated because the information in the Power Capability element is unacceptable||NOT SUPPORTED|
|11||Disassociated because the information in the Supported Channels element is unacceptable||NOT SUPPORTED|
|13||Invalid information element, i.e., an information element defined in this standard for which the content does not meet the specifications in Clause 7|
|14||Message integrity code (MIC) failure||NOT SUPPORTED|
|15||4-Way Handshake timeout||NOT SUPPORTED|
|16||Group Key Handshake timeout||NOT SUPPORTED|
|17||Information element in 4-Way Handshake different from (Re)Association Request/Probe|
|18||Invalid group cipher||NOT SUPPORTED|
|19||Invalid pairwise cipher||NOT SUPPORTED|
|20||Invalid AKMP||NOT SUPPORTED|
|21||Unsupported RSN information element version||NOT SUPPORTED|
|22||Invalid RSN information element capabilities||NOT SUPPORTED|
|23||IEEE 802.1X authentication failed||NOT SUPPORTED|
|24||Cipher suite rejected because of the security policy||NOT SUPPORTED|
|32||Disassociated for unspecified, QoS-related reason||NOT SUPPORTED|
|33||Disassociated because QAP lacks sufficient bandwidth for this QSTA||NOT SUPPORTED|
|34||Disassociated because excessive number of frames need to be acknowledged, but are not acknowledged due to AP transmissions and/or poor channel conditions|
|35||Disassociated because QSTA is transmitting outside the limits of its TXOPs||NOT SUPPORTED|
|36||Requested from peer QSTA as the QSTA is leaving the QBSS (or resetting)||NOT SUPPORTED|
|37||Requested from peer QSTA as it does not want to use the mechanism||NOT SUPPORTED|
|38||Requested from peer QSTA as the QSTA received frames using the mechanism for which a setup is required|
|39||Requested from peer QSTA due to timeout||NOT SUPPORTED|
|40||Peer QSTA does not support the requested cipher suite||NOT SUPPORTED|
|46-65535||Reserved||NOT SUPPORTED|
Used when the reason code sent in a deassoc req or deauth by the client is invalid – invalid length, invalid value etc
|Example: Send a Deauth to the AP with the reason code to be invalid, say zero|
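An added example, not part of the original post and not Cisco code: a small Python triage helper that pulls the reasonCode out of client debug lines containing the fragment quoted above and tallies it per client. The reason descriptions are a subset of the table above; the line layout around the quoted fragment (task name, MAC position) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Subset of the reason-code table in the post (descriptions copied from it).
REASONS = {
    2: "Previous authentication no longer valid",
    4: "Disassociated due to inactivity",
    15: "4-Way Handshake timeout",
    16: "Group Key Handshake timeout",
    23: "IEEE 802.1X authentication failed",
}

# Only the quoted fragment is from the post; the MAC before it is an assumed layout.
LINE_RE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?"
    r"Scheduling mobile for deletion with delete Reason (?P<delete>\d+), "
    r"reasonCode (?P<code>\d+)", re.IGNORECASE,
)

def describe(code):
    """Map a reasonCode to the post's description, or flag it."""
    if code == 0:
        return "invalid (zero is the post's example of an invalid code)"
    if 46 <= code <= 65535:
        return "reserved (46-65535)"
    return REASONS.get(code, "not in this example's subset, see the table")

def summarize(lines):
    """Return {client_mac: Counter({reasonCode: count})}."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines without the fragment are skipped
            per_client[m["mac"].lower()][int(m["code"])] += 1
    return per_client

# Constructed sample input (documentation-range MACs), not real controller output.
SAMPLE = [
    "*apfReceiveTask: 00:00:5e:00:53:01 Scheduling mobile for deletion with delete Reason 1, reasonCode 4",
    "*apfReceiveTask: 00:00:5e:00:53:01 Scheduling mobile for deletion with delete Reason 1, reasonCode 4",
    "*osapiBsnTimer: 00:00:5e:00:53:02 Scheduling mobile for deletion with delete Reason 3, reasonCode 15",
    "*apfMsConnTask: 00:00:5e:00:53:03 Scheduling mobile for deletion with delete Reason 6, reasonCode 0",
    "*apfMsConnTask: 00:00:5e:00:53:03 Association received from mobile",
]

if __name__ == "__main__":
    for mac, codes in summarize(SAMPLE).items():
        for code, count in codes.most_common():
            print(f"{mac} reasonCode {code} x{count}: {describe(code)}")
```

A client that repeatedly shows the invalid or reserved classification is worth a closer look in the full debug, since the table above lists those values as ones a well-behaved station should not send.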
Thanks George, and your AVC SR was taken care of as well some days ago; I'm documenting that info to make it available on CCO. Keep asking hard and challenging questions as always!!!
Thanks Saravanan. You do good work and keep the forum updated in the documentation section. Keep up the efforts my friend.
I don't know if you have time, but I think having a TAC engineer outline what they look at in a client debug would be very helpful to the community.
'client debug' - This was supposed to have been done a long time ago by Cisco; the thing is, it takes enormous effort to cover most of the common/interoperability scenarios to have a good outlook. In particular, I tried to develop a tool using scripts that will throw the result when you copy/paste the debug client output into it. I will keep that in mind, and I may try to follow up with you by email regarding this one to cover common scenarios.
I second that. Good idea.
Nice one, Saravanan. +5
Hi Saravanan, What is an AID?
|Association denied because AP is unable to handle additional associated stations||Will happen if you run out of AIDs on the AP; so try associating a large number of stations.|
I always thought this was aggressive load balancing.
@Andrew: AID stands for Association ID - a unique number, given by the AP to the client after a successful association.
Guess there are 255 AIDs per AP radio or BSSID, I am unsure. If all AIDs are used up then a new client cannot associate on that radio. Resetting the AP should fix it.
Standard 802.11_2012 section 18.104.22.168 states aid value is 1-2007 ..
I agree with you; however, Cisco is using 256 AIDs, i.e. from 0 to 255. The bug below reflects the same as proof.
%LWAPP-3-INVALID_AID2: spam_api.c:1068 Association identifier 1 for client 00:26:5e:00:00:00 is already in use by 78:e4:00:00:00:00
%LWAPP-3-MAX_AID2: spam_api.c:1047 Reached max limit on the association ID for AP (max association ID 256)
Nice... I need to ask, you fired up the lab and found 257 devices to connect?
(No, in the past I used to work with those WLAN simulated hardware/tools, it was fun.)
The number 256 is still a fiction and the AP never uses all of them; the actual AIDs used are only 200 per AP radio. (The above bug was used as an example to show what the upper limit looks like.)
Thank you for this post and the other one;
Using knowledge given in these 2 posts will help in resolving lots of issues.