
Massive wifi phones deauthentication

artso
Level 1

Hi All,

sorry if the issue has already been submitted to the community ...

We've recently implemented a new wifi "area" using Cisco 1131AG access points and a couple of Integrated Cat3750-WLC (sw 4.2.112).

This new area hosts both thin-clients and phones with wireless connectivity.

We're experiencing problems of massive deauthentication (open space where 2 APs, 16 thin-clients, and 16 wifi-phones - Avaya 3641 - are installed).

The problem affects wifi-phones only, which during the day deauthenticate and soon after - in a matter of seconds - reauthenticate themselves (frequently reassociating with the same AP) about every hour.

WLC log entries show the following:

*********************** WLC Message Logs ****************************

Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0b:d0
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0a:bb
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:11:42
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:d4
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:15:6d
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:17:ae
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:09
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:07:2c
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0d:80

***********************************************************************

together with the following:

******************************* WLC Trap Logs *********************************

20 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0b:d0, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
21 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0a:bb, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
22 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:11:42, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
23 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:08:d4, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
24 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:15:6d, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
25 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:17:ae, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
26 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:08:09, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
27 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:07:2c, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
28 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0d:80, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1

*******************************************************************************

Occasionally, when deauthentication occurs, a few wifi-phones "reboot" ...

Any help would be greatly appreciated.

Regards,

Sonia
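
One way to check whether deauthentications in logs like these are simultaneous per-AP bursts that coincide with EAPOL-key retransmission timeouts, rather than isolated client drops. This is an added example, not part of the original post; the function name and the `min_clients` threshold are assumptions, and the sample entries are the first three from each log above plus one constructed trap.

```python
import re
from collections import defaultdict

MAC = r"([0-9a-f:]{17})"
TRAP_RE = re.compile(
    r"\w{3} (\w{3}) +(\d+) (\d\d:\d\d:\d\d) \d{4} Client Deauthenticated: Client MAC "
    rf"Address:{MAC}, AP Base Radio MAC:{MAC}, Slot: *\d+, Reason:\w+, ReasonCode: *\d+")
KEY_RE = re.compile(
    r"(\w{3}) +(\d+) (\d\d:\d\d:\d\d)\.\d+ \S+ \S*MAX_EAPOL_KEY_RETRANS: Max "
    rf"EAPOL-key M(\d) retransmissions exceeded for client {MAC}")

def deauth_bursts(trap_log, msg_log, min_clients=3):
    """Group deauth traps by (AP radio, second) and report, per burst, how many
    of its clients also hit the EAPOL-key retransmission limit in that second."""
    # Collapse whitespace so entries wrapped across lines still match.
    trap_log, msg_log = " ".join(trap_log.split()), " ".join(msg_log.split())
    key_fail = {}  # (month, day, time, client) -> EAPOL-key message number
    for mon, day, t, m, client in KEY_RE.findall(msg_log):
        key_fail[(mon, int(day), t, client)] = int(m)
    groups = defaultdict(set)  # (ap, month, day, time) -> client MACs
    for mon, day, t, client, ap in TRAP_RE.findall(trap_log):
        groups[(ap, mon, int(day), t)].add(client)
    bursts = []
    for (ap, mon, day, t), clients in sorted(groups.items()):
        if len(clients) < min_clients:
            continue  # isolated drop, not a burst
        msgs = [key_fail[(mon, day, t, c)] for c in clients if (mon, day, t, c) in key_fail]
        bursts.append({"ap": ap, "when": f"{mon} {day} {t}", "clients": len(clients),
                       "key_timeouts": len(msgs), "key_msgs": sorted(set(msgs))})
    return bursts

# Sample entries: the first three of each log are from the post (rejoined onto
# one line); trap 29 is constructed to show an isolated drop.
MSG_LOG = """
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0b:d0
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0a:bb
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:11:42
"""
TRAP_LOG = """
20 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0b:d0, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
21 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:0a:bb, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
22 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:11:42, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
29 Tue Jul 1 16:10:02 2008 Client Deauthenticated: Client MAC Address:00:90:7a:07:ff:ff, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot: 0, Reason:Unspecified, ReasonCode: 1
"""

if __name__ == "__main__":
    for burst in deauth_bursts(TRAP_LOG, MSG_LOG):
        print(burst)
```

A burst in which every client also shows a key timeout in the same second points at the controller/AP key exchange rather than at individual phones.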

11 Replies

ericgarnel
Level 7

from http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html

"Error Message: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M[int] retransmissions exceeded for client [hex]:[hex]:[hex]:[hex]:[hex]:[hex]

Explanation: Client authentication failed because the client did not respond to an EAPOL-key message.

Recommended Action: Ensure that user credentials are correct on the client and on the AAA server."

Do you have aggressive load balancing turned on? If so, turn it off.

Aggressive Load Balancing has never been turned on. We've already examined the Cisco web page you're indicating and we're a little bit confused.

Our phones are using WPA2-PSK authentication (at the moment no 802.1x has been enabled) and are permanently turned on.

Examining debug data, I understand that phone authentication completes correctly (see wlc_debug_dot1x.txt). Am I right?

Other, maybe useful, information:

- radio policy on the WLC is 802.11b/g for the voice WLAN, and 802.11a for the data WLAN (both WLANs' SSIDs are broadcast by the same two APs);

- although configured for negotiating both the b and g standard, phones are constantly using the b standard (I would expect a "g" choice ...)

Hope somebody has some idea ...

Regards,

Sonia

What is the session timeout setting on the ssid advanced page?

Do you have exclusion turned on?

Do you have dhcp required enabled?

Can you send a 'show wlan summary' and 'show wlan ' for the ssid in question?

Hi,

session timeout was disabled a couple of weeks ago, but this change had no effect on the phones' behaviour.

Exclusion is turned on with all of the following ENABLED:

Excessive 802.11 Association Failures

Excessive 802.11 Authentication Failures

Excessive 802.1X Authentication Failures

IP Theft or IP Reuse

Excessive Web Authentication Failures

and an exclusion timeout of 60 seconds. Maybe I could deactivate a few (or all) of these checks ...

"DHCP required" is enabled also.

Attached you'll find the show wlan info requested.

I'm much obliged for your time :-)

Regards,

Sonia

Hi,

further to my investigations I examined the Bug Toolkit more in depth.

Could this issue be determined by one of the following two bugs?

- CSCsl30758 (no CCKM, no WLAN session timeout and WPA-auth correspond exactly to our configuration ...)

- CSCso95257 (maybe an RF issue which we could investigate with a more detailed survey?)

Thanks in advance to anybody who will give a suggestion ...

Regards,

Sonia

kfccolonel
Level 1

What data rates do you have enabled?

Data rates for the 802.11b/g standard (the one in use by wifi phones) are as follows:

1 Mbps Supported

2 Mbps Supported

5.5 Mbps Supported

6 Mbps Supported

9 Mbps Supported

11 Mbps Mandatory

12 Mbps Supported

18 Mbps Supported

24 Mbps Supported

36 Mbps Supported

48 Mbps Supported

54 Mbps Supported

Are the intervals between the disassociations steady, like every 60 minutes?

Then try to increase the reauthentication interval and observe the time between disassociations again. We had a similar problem and that was the cause.

If it is possible, disable the 1-6Mbps data rates. But watch for the thin clients, some clients like barcode-scanners need the 1Mbps data rate.

Regards,

Sebastian

Disassociations occur about every 30 minutes; I disabled the Session Timeout parameter a few weeks ago (WLANs --> Edit --> Advanced --> Enable Session Timeout unchecked) but this change had no effect ...

Thanks and regards,

Sonia

Any progress on this? I am also seeing these messages.

DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M3 retransmissions exceeded for client xxxx

The problem could be a roaming issue.

Try customizing the roaming parameters on the controller:

Under Wireless->802.11b/g/n->Client-Roaming change the Scan Threshold to -70 dBm.

This is the setting we use in our WLAN and it works fine.

We configured our WLAN as recommended in the VoWLAN Design Guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch1.html

If these recommendations are met in your WLAN, then you should check the survey again and maybe do a spectrum analysis for 2.4 GHz interference.
