Persistent, chronic, false alarms for the past eight months

Unanswered Question

We now have two installations that utilize a unified wireless (WLC or WiSM - AIR-LAP1131AG, AIR-LAP1231G, AIR-LAP1242AG access points) that have been exhibiting the following IDS false alarms:

Disassoc Flood

AP Impersonation

We have TAC cases going back to October 2006 to address them and have upgraded to the latest/greatest version 4.0.206.0 in hopes of getting this solved.

Version 4.0.206.0 was supposed to have fixed these problems, and it did reduce some of the other false alarms (not listed). However, the two mentioned above persist.

Is anyone else out there experiencing this?

- John

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Toivo Tue, 03/06/2007 - 08:21

Yes. The controllers mistakenly treat APs as rogues and their rogue suppression as attacks. It's bug CSCse87066 (this was hidden from customer view until relatively recently.)

Note that the status says verified (and not resolved) despite also giving fixed-in releases. Just as you, we're still seeing the bug in 4.0.206.0 as well.

kwonza Tue, 03/06/2007 - 10:10

Boy I am glad someone is seeing this in the latest code. TAC stated that I upgrade but my SE requested not to. I am also seeing this alarm all the time and it's a pain. Please post when there is a permanent fix. Did v4.0.206.0 offer anything else worth upgrading to at this time?

Toivo Tue, 03/06/2007 - 10:29

The upgrade helped with some other assorted multicast and reporting bugs, so we did go ahead with it, and it didn't break anything new that we noticed. It didn't fix the bug it was supposed to either, but we didn't know that at the time. Overall we're still in a boat where we'll pretty much upgrade when a new version comes out, as it can't possibly be worse than the old versions.

Our account team had told us from the get go (and reiterated later last year) that the 4.x releases are bleeding edge feature releases and not recommended for production; the 3.x train was stable, but as we have a bunch of 1121-series APs we were forced to run 4.x.

Thank you for confirming this behavior.

In answer to your question, upgrading to 4.0.206.0 did get rid of the "Generic Netstumbler" IDS alarm that turned out to be another false positive.

As it turns out, there have been comments from Cisco that now indicate that .206 has stability issues (nice to know that now). However, we have not experienced any of these issues at the two installations where this version is operating.

I also wanted to point out that we went ahead and opened TAC cases for each error at each customer site.

Currently, most of them have reached a status of "Release Pending". (Now as to *WHICH* release....)

If you have not opened a TAC case for these issues, taking the time to do so will help Cisco be aware of the extent to which this problem exists in the field and, hopefully, will help them prioritize the fix to this problem.

John

Actions

This Discussion

 

 

Trending Topics - Security & Network