Massive wifi phones deauthentication


Hi All,


sorry if the issue has already been submitted to the community ...

We've recently implemented a new wifi "area" using Cisco 1131AG access points and a couple of Integrated Cat3750-WLC (sw 4.2.112).

This new area hosts both thin-clients and phones with wireless connectivity.

We're experiencing problems of massive deauthentication (open space where 2 APs, 16 thin-clients, and 16 wifi-phones - Avaya 3641 - are installed).

The problem affects wifi-phones only, which during the day deauthenticate and soon after - in a matter of seconds - reauthenticate themselves (frequently reassociating with the same AP) about every hour.


WLC log entries show the following:


*********************** WLC Message Logs ****************************

Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0b:d0
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0a:bb
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:11:42
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:d4
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:15:6d
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:17:ae
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:09
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:07:2c
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0d:80

***********************************************************************


together with the following:


******************************* WLC Trap Logs *********************************

20 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0b:d0, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
21 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0a:bb, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
22 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:11:42, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
23 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:08:d4, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
24 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:15:6d, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
25 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:17:ae, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
26 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:08:09, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
27 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:07:2c, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
28 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0d:80, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1

*******************************************************************************

Occasionally, when deauthentication occurs, a few wifi-phones "reboot" ...


Any help would be greatly appreciated.

Regards,

Sonia

ericgarnel Wed, 07/09/2008 - 11:13

from http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html


"Error Message %DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M[int] retransmissions exceeded for client [hex]:[hex]:[hex]:[hex]:[hex]:[hex]


Explanation Client authentication failed because the client did not respond to an EAPOL-key message.


Recommended Action Ensure that user credentials are correct on the client and on the AAA server. "


Do you have aggressive load balancing turned on? If so, turn it off.

Aggressive Load Balancing has never been turned on. We've already examined the Cisco web page you're indicating and we're a little bit confused.

Our phones are using WPA2-PSK authentication (at the moment no 802.1x has been enabled) and are permanently turned on.

Examining debug data I understand that the phones' authentication completes correctly (see wlc_debug_dot1x.txt). Am I right?


Other - maybe - useful information:

- radio policy on the WLC is 802.11b/g for the voice WLAN, and 802.11a for the data WLAN (both WLANs' SSIDs are broadcast by the same two APs);

- although configured for negotiating both the b and g standard, phones are constantly using the b standard (I would expect a "g" choice ...)


Hope somebody has some idea ...

Regards,

Sonia




rseiler Sat, 07/12/2008 - 16:03

What is the session timeout setting on the ssid advanced page?


Do you have exclusion turned on?


Do you have dhcp required enabled?


Can you send a 'show wlan summary' and 'show wlan ' for the ssid in question?

Hi,


session timeout was disabled a couple of weeks ago, but this change had no effect on the phones' behaviour.


Exclusion is turned on with all of the following ENABLED:

Excessive 802.11 Association Failures

Excessive 802.11 Authentication Failures

Excessive 802.1X Authentication Failures

IP Theft or IP Reuse

Excessive Web Authentication Failures

and an exclusion timeout of 60 seconds. Maybe I could deactivate a few (or all) of these checks ...


"DHCP required" is enabled also.


Attached you'll find the show wlan info requested.

I'm much obliged for your time :-)

Regards,

Sonia



Hi,


further to my investigations I examined the Bug Toolkit more in depth.

Could this issue be determined by one of the following two bugs?


- CSCsl30758 (no CCKM, no WLAN session timeout and WPA-auth correspond exactly to our configuration ...)

- CSCso95257 (maybe an RF issue which we could investigate with a more detailed survey ?)


Thanks in advance to anybody who will give a suggestion ...

Regards,

Sonia

SJessulat_2 Mon, 09/01/2008 - 04:55

Are the intervals between the disassociations steady, like every 60 minutes?

Then try to increase the reauthentication interval and observe the time between disassociations again. We had a similar problem and that was the cause.

If it is possible, disable the 1-6Mbps data rates. But watch for the thin clients, some clients like barcode-scanners need the 1Mbps data rate.


Regards,

Sebastian
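
Added example (not part of the original posts): one way to answer the question above, whether the deauthentication bursts recur at a steady interval, is to cluster the DOT1X-3-MAX_EAPOL_KEY_RETRANS entries by time and measure the gaps between clusters. The log lines are a constructed sample in the format quoted in this thread; the year, the 2-second grouping gap, the 3-client threshold and the 2-minute tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the message-log format quoted in this thread;
# timestamps and MAC addresses are made up for the example.
TAIL = "retransmissions exceeded for client 02:00:00:00:00:"
SAMPLE_LOG = "\n".join(
    f"Jul 01 {t} 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M{n} {TAIL}{c}"
    for t, n, c in [
        ("13:55:18.101", 5, "01"), ("13:55:18.102", 5, "02"), ("13:55:18.104", 5, "03"),
        ("14:20:41.310", 3, "04"),  # isolated single-client failure, not a burst
        ("14:55:19.050", 5, "01"), ("14:55:19.051", 5, "02"), ("14:55:19.053", 5, "03"),
        ("15:55:19.626", 5, "01"), ("15:55:19.627", 5, "02"), ("15:55:19.629", 5, "03"),
    ])

# \s+ between tokens also matches entries that were wrapped across lines.
ENTRY_RE = re.compile(
    r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\S+\s+DOT1X-3-MAX_EAPOL_KEY_RETRANS:"
    r"\s+Max\s+EAPOL-key\s+M(\d+)\s+retransmissions\s+exceeded\s+for\s+client\s+"
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_events(text, year=2008):
    """Return sorted (time, message number, MAC) tuples; `year` is assumed."""
    events = []
    for ts, msg, mac in ENTRY_RE.findall(text):
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")
        events.append((when, int(msg), mac.lower()))
    return sorted(events)

def find_bursts(events, gap=timedelta(seconds=2), min_clients=3):
    """Group events at most `gap` apart; keep groups hitting >= min_clients."""
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [{"start": g[0][0], "clients": len({m for _, _, m in g}),
             "messages": sorted({n for _, n, _ in g})}
            for g in groups if len({m for _, _, m in g}) >= min_clients]

def intervals_minutes(bursts):
    """Minutes between the starts of consecutive bursts."""
    return [(b["start"] - a["start"]).total_seconds() / 60
            for a, b in zip(bursts, bursts[1:])]

def is_steady(intervals, tolerance=2.0):
    """True when two or more intervals agree to within `tolerance` minutes."""
    return len(intervals) >= 2 and max(intervals) - min(intervals) <= tolerance
```

On the constructed sample this finds three multi-client bursts roughly 60 minutes apart, while the single-client M3 failure in between is not counted as a burst.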

don.click1 Tue, 12/09/2008 - 08:10

Any progress on this? I am also seeing these messages.


DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M3 retransmissions exceeded for client xxxx

SJessulat_2 Thu, 12/11/2008 - 01:05

The problem could be a roaming issue.


Try customizing the roaming parameters on the controller:

Under Wireless->802.11b/g/n->Client-Roaming change the Scan Threshold to -70 dBm.

This is the setting we use in our WLAN and it works fine.


We configured our WLAN as recommended in the VoWLAN Design Guide:


http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch1.html


If these recommendations are met in your WLAN, then you should check the survey again and maybe do a spectrum analysis for 2.4GHz interferences.
