dot1x authentication retransmit failures on WLC4400

dongill · ‎01-17-2008

Users at a remote office are dropping network connectivity at random intervals. We are using a dot1x client on windows clients to manage the WPA keys etc and using the HREAP solution with central WLC4400.

Sites are connected via a 4Mb MPLS link, link utilisation is normal. We have enabled priority queuing on for all interfaces the traffic will traverse (UDP ports 12222 LWAP), but this has not solved the problem. Any help would be appreciated!?

Thanks

Don

jsivulka · ‎01-23-2008

Were you able to capture any packets when the problem was occurring? The network is dropping at random intervals, because someone is transmitting at random intervals causing the link to go down. You have to change the transmit channel, because the interruption is most likely to be caused by a neighbor transmitting at random intervals or "channel surfing", crossing the transmit beam.

dongill · ‎02-21-2008

Hi I'm sorry for delayed reply, but your reply doesn't make 100% sense?

Just to clarify we have a backend ACS to authenticate users,this uses RSA for token codes as password to authenticate.

I haven't captured any packest as yet, but have lots of debug outputs - we find the following in the WLC logs when the timeouts occur:

Feb 21 14:04:44.939 1x_ptsm.c:404 DOT1X-1-MAX_EAPOL_KEY_RETRANS_FOR_MOBILE: MAX EAPOL-Key M5 retransmissions reached for mobile00:1e:4c:40:ed:5b

This is the result of multiple EAP retries:

Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b 802.1x 'timeoutEvt' Timer expired for station 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b Sending 802.11 EAPOL message to mobile 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:42 2008: 00000000: 02 03 00 7f 02 13 82 00 00 00 00 00 00 00 00 00 ................

00000010: 03 ae 78 3f ea 3b 70 24 4e 7c 28 5c 0a 5a f5 83 ..x?.;p$N|(\.Z..

00000020: ff ee 0e 35 8e 24 c1 fb 6e b7 ef 8d d4 e9 c9 cb ...5.$..n.......

00000030: 7e 00 00 00

Thu Feb 21 14:04:43 2008: 00:1e:4c:40:ed:5b 802.1x 'timeoutEvt' Timer expired for station 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:43 2008: 00:1e:4c:40:ed:5b Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:43 2008: 00:1e:4c:40:ed:5b Sending 802.11 EAPOL message to mobile 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:43 2008: 00000000: 02 03 00 7f 02 13 82 00 00 00 00 00 00 00 00 00 ................

00000010: 04 ae 78 3f ea 3b 70 24 4e 7c 28 5c 0a 5a f5 83 ..x?.;p$N|(\.Z..

00000020: ff ee 0e 35 8e 24 c1 fb 6e b7 ef 8d d4 e9 c9 cb ...5.$..n.......

00000030: 7e 00 00 00

Thu Feb 21 14:04:44 2008: 00:1e:4c:40:ed:5b 802.1x 'timeoutEvt' Timer expired for station 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:44 2008: 00:1e:4c:40:ed:5b Retransmit failure for EAPOL-Key M5 to mobile 00:1e:4c:40:ed:5b, retransmit count 3, mscb deauth count 0

Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b Processing RSN IE type 48, length 38 for mobile 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b Received RSN IE with 1 PMKIDs from mobile 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:47 2008: Received PMKID: (16)

Thu Feb 21 14:04:47 2008: [0000] 25 d1 3e 91 40 82 7f 7c 7c 33 26 0e 94 85 68 4e

Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b No valid PMKID found in the cache for mobile 00:1e:4c:40:ed:5b

Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b Unable to compute a valid PMKID from dot1x PMK cache for mobile 00:1e:4c:40:ed:5b

I am also seeing decrypt errors (only occasionally) when these users sessions drop off:

Thu Feb 21 10:32:07 2008Decrypt errors occurred for client 00:1e:4c:40:ed:5b using WPA2 key on 802.11b/g interface of AP 00:18:74:c6:52:60

I understand that these can be due to driver issues and have updated the drivers on the EU machine to the latest and greatest (Dell) - awaiting to see if the problem reoccurrs.

Does anyone have any idea?

rajeshakumar · ‎03-04-2008

Please try increasing the session-timeout value on the WLC/ACS Server.

issue the command show client details to check if the session timeout is configured 1800 secs (30 mins).

Increase the session timeout value under WLAN Tab (advanced tab) in WLC

tkhan · ‎03-04-2008

Don't use the windows client. Try a third party client, like Meetinghouse or Odyssey. We abandoned the Windows client about 4 years ago due to similar issues.

menace1320 · ‎11-10-2008

Interesting that Cisco hasn't found a way to compensate for a poor performing WZC -- if in fact that is the only issue occurring here.

I just looked at one of my client device's detail as suggested in this conversation. It shows that the session timeout is '0'. Yet on the controller within the WLAN in questions config we have set the session timeout to 43200 seconds or 12 hours.

I don't understand if the '0' value indicates there isn't a session timeout --- it never expires --- or if it is trying to expire all the time. ???