07-09-2008 08:42 AM - edited 07-03-2021 04:08 PM
Hi All,
sorry if the issue has already been submitted to the community ...
We've recently implemented a new wifi "area" using Cisco 1131AG access points and a couple of Integrated Cat3750-WLC (sw 4.2.112).
This new area hosts both thin-clients and phones with wireless connectivity.
We're experiencing problems of
massive deauthentication (open space were 2 APs, 16 thin-clients, and 16 wifi-phones - Avaya 3641- are installed).
The problem affects wifi-phones only, which during the day deauthenticate and soon after - in a matter of seconds - reauthenticate themselves (frequently reassocaiting with the same AP) about every hour.
WLC log entries show the followings:
*********************** WLC Message Logs ****************************
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0b:d0
Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0a:bb
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:11:42
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:d4
Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:15:6d
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:17:ae
Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:09
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:07:2c
Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max
EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0d:80
***********************************************************************
together with the followings:
******************************* WLC Trap Logs
*********************************
20 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:0b:d0, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
21 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:0a:bb, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
22 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:11:42, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
23 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:08:d4, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
24 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:15:6d, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
25 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:17:ae, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
26 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:08:09, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
27 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:07:2c, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
28 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC
Address:00:90:7a:07:0d:80, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:
0,
Reason:Unspecified, ReasonCode: 1
*******************************************************************************
Occasionally, when deauthentication occurs, a few wifi-phones "reboots" ...
Any help wuold be greatly appreciated.
Regards,
Sonia
07-09-2008 11:13 AM
from http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html
"Error Message %DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M[int] retransmissions
exceeded for client [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
Explanation Client authentication failed because the client did not respond to an EAPOL-key message.
Recommended Action Ensure that user credentials are correct on the client and on the AAA server. "
Do you have aggressive load balancing turned on?, if so, turn it off.
07-10-2008 12:17 AM
Aggressive Load Balancing has never been turned on. We've already examined the Cisco web page you're indicating and we're a little bit confused.
Our phones are using WPA2-PSK authentication (at the moment no 802.1x has been enabled) and are permanently turned on.
Examining debug data I understand that phones authentication completes correctly (see wlc_debug_dot1x.txt). Am I right ?
Other - maybe - useful information are:
- radio policy on the WLC is 802.11b/g for the voice WLAN, and 802.11a for the data WLAN (both WLANs SSIDs are broadcasted by the same two APs);
- although configured for negotiating both the b and g standard, phones are contantly using the b standard (I would expect the a "g" choice ...)
Hope somebody has some idea ...
Regards,
Sonia
07-12-2008 04:03 PM
What is the session timeout setting on the ssid advanced page?
Do you have exclusion turned on?
Do you have dhcp required enabled?
Can you send a 'show wlan summary' and 'show wlan
07-13-2008 11:20 PM
Hi,
session timeout has been disabled a couple of weeks ago, but this change had no effect on phones' behaviour.
Exclusion is turned on with all the followings ENABLED:
Excessive 802.11 Association Failures
Excessive 802.11 Authentication Failures
Excessive 802.1X Authentication Failures
IP Theft or IP Reuse
Excessive Web Authentication Failures
and an exclusion timeout of 60 seconds. Maybe I could deactivate a few (or all) of these checks ...
"DHCP required" is enabled also.
Attached you'll find the show wlan info requested.
I'm much obliged for you time :-)
Regards,
Sonia
07-30-2008 07:05 AM
Hi,
further to my investigations I examined the Bug Toolkit more in depth.
Could this issue be determined by one of the following two bugs ?
- CSCsl30758 (no CCKM, no WLAN session timeout and WPA-auth correspond exactly to our configuration ...)
- CSCso95257 (maybe an RF issue which we could investigate with a more detailed survey ?)
Thanks in advance to anybody which will give a suggestion ...
Regards,
Sonia
08-12-2008 05:12 PM
What data rates do you have enabled?
08-31-2008 11:37 PM
Data rates for the 802.1 b/g standard (the one in use by wifi phones) are as follows:
1 Mbps Supported
2 Mbps Supported
5.5 Mbps Supported
6 Mbps Supported
9 Mbps Supported
11 Mbps Mandatory
12 Mbps Supported
18 Mbps Supported
24 Mbps Supported
36 Mbps Supported
48 Mbps Supported
54 Mbps Supported
09-01-2008 04:55 AM
Are the intervals between the disassociations steady, like every 60 minutes?
Then try to increase the reauthentication interval and observe the time between disassociations again. We had a similar problem and that was the cause.
If it is possible, disable the 1-6Mbps data rates. But watch for the thin clients, some clients like barcode-scanners need the 1Mbps data rate.
Regards,
Sebastian
09-01-2008 05:07 AM
Disassociations occur about every 30 minutes; I've disabled a few weeks ago the Session Timeout parameter (WLANs --> Edit --> Advanced --> Enable Session Timeout unchecked) but this change had no effect ...
Thanks and regards,
Sonia
12-09-2008 08:10 AM
Any progress on this? I am also seeing these messages.
DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M3 retransmissions exceeded for client xxxx
12-11-2008 01:05 AM
The problem could be a roaming issues.
Try customizing the roaming parameters on the controller:
Under Wireless->802.11b/g/n->Client-Roaming change the Scan Threshold to -70dbM.
This is the setting we use in our WLAN and it works fine.
We configured our WLAN as recommended in the VoWLAN Design Guide:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch1.html
If these recommendations are met in your WLAN, then you should check the survey again and maybe do a spectrum analysis for 2.4GHz interferences.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: