07-09-2008 08:42 AM - edited 07-03-2021 04:08 PM
Hi All,
sorry if the issue has already been submitted to the community ...
We've recently implemented a new wifi "area" using Cisco 1131AG access points and a couple of Integrated Cat3750-WLC (sw 4.2.112).
This new area hosts both thin-clients and phones with wireless connectivity.
We're experiencing problems of
massive deauthentication (open space were 2 APs, 16 thin-clients, and 16 wifi-phones - Avaya 3641- are installed).
The problem affects wifi-phones only, which during the day deauthenticate and soon after - in a matter of seconds - reauthenticate themselves (frequently reassocaiting with the same AP) about every hour.
WLC log entries show the followings:
*********************** WLC Message Logs ****************************
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0b:d0
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0a:bb
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:11:42
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:d4
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:15:6d
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:17:ae
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:09
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:07:2c
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0d:80
***********************************************************************
together with the followings:
******************************* WLC Trap Logs
*********************************
20 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:0b:d0, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
21 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:0a:bb, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
22 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:11:42, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
23 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:08:d4, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
24 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:15:6d, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
25 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:17:ae, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
26 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:08:09, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
27 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:07:2c, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
28 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:0d:80, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
*******************************************************************************
Occasionally, when deauthentication occurs, a few wifi-phones "reboots" ...
Any help wuold be greatly appreciated.
Regards,
Sonia
07-09-2008 11:13 AM
from http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html
"Error Message %DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M[int] retransmissions
exceeded for client [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
Explanation Client authentication failed because the client did not respond to an EAPOL-key message.
Recommended Action Ensure that user credentials are correct on the client and on the AAA server. "
Do you have aggressive load balancing turned on?, if so, turn it off.
07-10-2008 12:17 AM
Aggressive Load Balancing has never been turned on. We've already examined the Cisco web page you're indicating and we're a little bit confused.
Our phones are using WPA2-PSK authentication (at the moment no 802.1x has been enabled) and are permanently turned on.
Examining debug data I understand that phones authentication completes correctly (see wlc_debug_dot1x.txt). Am I right ?
Other - maybe - useful information are:
- radio policy on the WLC is 802.11b/g for the voice WLAN, and 802.11a for the data WLAN (both WLANs SSIDs are broadcasted by the same two APs);
- although configured for negotiating both the b and g standard, phones are contantly using the b standard (I would expect the a "g" choice ...)
Hope somebody has some idea ...
Regards,
Sonia
07-12-2008 04:03 PM
What is the session timeout setting on the ssid advanced page?
Do you have exclusion turned on?
Do you have dhcp required enabled?
Can you send a 'show wlan summary' and 'show wlan
07-13-2008 11:20 PM
Hi,
session timeout has been disabled a couple of weeks ago, but this change had no effect on phones' behaviour.
Exclusion is turned on with all the followings ENABLED:
Excessive 802.11 Association Failures
Excessive 802.11 Authentication Failures
Excessive 802.1X Authentication Failures
IP Theft or IP Reuse
Excessive Web Authentication Failures
and an exclusion timeout of 60 seconds. Maybe I could deactivate a few (or all) of these checks ...
"DHCP required" is enabled also.
Attached you'll find the show wlan info requested.
I'm much obliged for you time :-)
Regards,
Sonia
07-30-2008 07:05 AM
Hi,
further to my investigations I examined the Bug Toolkit more in depth.
Could this issue be determined by one of the following two bugs ?
- CSCsl30758 (no CCKM, no WLAN session timeout and WPA-auth correspond exactly to our configuration ...)
- CSCso95257 (maybe an RF issue which we could investigate with a more detailed survey ?)
Thanks in advance to anybody which will give a suggestion ...
Regards,
Sonia
08-12-2008 05:12 PM
What data rates do you have enabled?
08-31-2008 11:37 PM
Data rates for the 802.1 b/g standard (the one in use by wifi phones) are as follows:
1 Mbps Supported
2 Mbps Supported
5.5 Mbps Supported
6 Mbps Supported
9 Mbps Supported
11 Mbps Mandatory
12 Mbps Supported
18 Mbps Supported
24 Mbps Supported
36 Mbps Supported
48 Mbps Supported
54 Mbps Supported
09-01-2008 04:55 AM
Are the intervals between the disassociations steady, like every 60 minutes?
Then try to increase the reauthentication interval and observe the time between disassociations again. We had a similar problem and that was the cause.
If it is possible, disable the 1-6Mbps data rates. But watch for the thin clients, some clients like barcode-scanners need the 1Mbps data rate.
Regards,
Sebastian
09-01-2008 05:07 AM
Disassociations occur about every 30 minutes; I've disabled a few weeks ago the Session Timeout parameter (WLANs --> Edit --> Advanced --> Enable Session Timeout unchecked) but this change had no effect ...
Thanks and regards,
Sonia
12-09-2008 08:10 AM
Any progress on this? I am also seeing these messages.
DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M3 retransmissions exceeded for client xxxx
12-11-2008 01:05 AM
The problem could be a roaming issues.
Try customizing the roaming parameters on the controller:
Under Wireless->802.11b/g/n->Client-Roaming change the Scan Threshold to -70dbM.
This is the setting we use in our WLAN and it works fine.
We configured our WLAN as recommended in the VoWLAN Design Guide:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch1.html
If these recommendations are met in your WLAN, then you should check the survey again and maybe do a spectrum analysis for 2.4GHz interferences.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide