Strange happenings with 4.1.185

Unanswered Question
Oct 15th, 2007
User Badges:

Since moving to 4.1.185 I've started seeing a lot of these messages in my log:

MAX_EAP_IE_RETRIES_REACHED: Reached Max EAP-Identity Request retries (21) for STA00:19:7e:42:a4:fc


Oct 15 14:31:01.055 dtl_net.c:1210 DTL-1-ARP_POISON_DETECTED: STA [00:11:f5:1b:93:15,] ARP (op 1) received with invalid SPA 172.XX.XXX.XXX/TPA 172.XX.XXX.X

I also get some clients that, although still connected to the AP, aren't able to ping their gateway or get anywhere else. The have to do a "repair" with Windows WZC to get working again. Anyone got any ideas?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Scott Fella Mon, 10/15/2007 - 18:05
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

Well for your error, enter this in the CLI: config advanced eap identity−request−timeout 30

For your clients, that is weird to hear from a code upgrade to 4.1.185. When windows fails the way you are saying, it is due to the client and I know there is an MS hotfix for that. Can't really tell you what it is because i don't know the exact hotfix. If I find it i will post it.

dennischolmes Tue, 10/16/2007 - 06:13
User Badges:
  • Gold, 750 points or more

What is happening is that the clients are trying to do an authentication request. That request is proxied and handed up to the authentication authority (RADIUS). If the the controller does not get the response in the alotted time it will resend the request. After a certain number of requests it will fail giving you this error. The default setting for this response time is 2 seconds. Two seconds in not enough time for the transaction to take place in several different EAP configurations. Cisco suggests you move to 12 but I agree with the other poster. 30 is good number. This is quite frequently the problem when users have to type in a name and password. I am betting that when you upgraded code it reset the value for EAP timeouts back to 2 seconds. That is probably why you are seeing it now.


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode