MFP Anomaly Detected - WLC-4402-25-K9

Unanswered Question
Mar 17th, 2008

From time to time I see messages like the one below in the Trap logs of a WLC-4402-25-K9 running

MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio <offending-MAC> and detected by the dot11 interface at slot 0 of AP <reporting-MAC> in 300 seconds when observing Deauthentication frames. Client's last source mac <client-MAC>

Is my WLC misconfigured or is this a (known) bug in


ivillegas Fri, 03/21/2008 - 11:34

This message might occur when the access point joins another controller because the initially joined controller goes out of service. This is documented in bug ID CSCse80121. As a workaround, disable MFP and reboot the controller.

sabhasin Fri, 03/21/2008 - 11:39

There are some known issues in this area (mainly cosmetic) but it might also be an indication of an attack. You'd have to track this down with a packet capture to see if this is a false positive or not. From the MIB, the description of the event that triggers this message is:

"bcastDeauthenticationFrameRcvd - The Access Point detected a broadcast deauthentication frame. Broadcast deauthentication frames are rejected by CCXv5 compliant


More info in:
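
Added example, not part of the original thread and not Cisco code: the reply above suggests a packet capture to decide whether a trap is a false positive, and this Python code parses trap lines in the format quoted in the question and tallies them per offending radio so a capture can be aimed at radios that recur or are reported by more than one AP. The MAC addresses, the colon-separated MAC format and the `min_traps` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"  # assumed colon-separated form
TRAP_RE = re.compile(
    r"MFP Anomaly Detected - (?P<count>\d+) (?P<event>.+?) event\(s\) found "
    rf"as violated by the radio (?P<radio>{MAC}) and detected by the dot11 "
    rf"interface at slot (?P<slot>\d+) of AP (?P<ap>{MAC}) in "
    r"(?P<window>\d+) seconds when observing (?P<frames>.+?) frames\.")

def parse_trap(line):
    """Return the fields of one MFP anomaly trap, or None for other lines."""
    m = TRAP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("count", "slot", "window")})
    rec.update({k: rec[k].lower() for k in ("radio", "ap")})
    return rec

def summarize(lines):
    """Aggregate trap count, event count, reporting APs and frame types per radio."""
    out = defaultdict(lambda: {"traps": 0, "events": 0, "aps": set(), "frames": set()})
    for line in lines:
        rec = parse_trap(line)
        if rec is None:
            continue
        entry = out[rec["radio"]]
        entry["traps"] += 1
        entry["events"] += rec["count"]
        entry["aps"].add(rec["ap"])
        entry["frames"].add(rec["frames"])
    return dict(out)

def capture_candidates(summary, min_traps=2):
    """Hypothetical triage rule: radios with repeated traps or seen by several APs."""
    return sorted(r for r, s in summary.items()
                  if s["traps"] >= min_traps or len(s["aps"]) > 1)

# Constructed sample input; all MAC addresses are made up for this example.
_T = ("MFP Anomaly Detected - {n} Invalid MIC event(s) found as violated by the "
      "radio {r} and detected by the dot11 interface at slot 0 of AP {a} in 300 "
      "seconds when observing Deauthentication frames. Client's last source mac {c}")
SAMPLE_TRAPS = [
    _T.format(n=1, r="00:11:22:33:44:55", a="00:aa:bb:cc:dd:01", c="00:de:ad:be:ef:01"),
    _T.format(n=3, r="00:11:22:33:44:55", a="00:aa:bb:cc:dd:02", c="00:de:ad:be:ef:01"),
    _T.format(n=1, r="00:11:22:33:44:66", a="00:aa:bb:cc:dd:01", c="00:de:ad:be:ef:02"),
    "AP Associated. Base Radio MAC: 00:aa:bb:cc:dd:01",  # unrelated line, ignored
]
```

The summary only ranks where to look first; whether a given trap is cosmetic or a real forged frame still has to be settled from the capture.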

