Errors from WLC

Unanswered Question
Nov 10th, 2008
User Badges:

We have several WLCs (mostly 4402s) at several remote sites. A number of them have been showing the same strange messages? They seem to be functional for the most part. Are these cause to be alarmed? How would I go about tracking down the cause of these? I'm especially interested in the first one...it's the one that started me looking into this.


Thanks!


From 'Show Log' on switch to which WLC is connected:


Nov 4 12:34:58.049: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 2 times)Packet received with invalid source MAC address (3B:95:45:6B:00:1E) on port Gi1/1 in vlan 1


Traps:


Decrypt errors occurred for client 00:13:e8:81:1a:a1 using WPA key on 802.11b/g interface of AP 00:1d:71:e2:a6:40


Radar signals have been detected on channel 116 by 802.11a radio with MAC: 00:1d:71:e2:a6:40 and slot 1


Channel changed for Base Radio MAC: 00:21:d8:92:7e:e0 on 802.11b/g radio. Old Channel: 1. New Channel: 11. Why: Interference. Energy before/after change: -54/-82. Noise before/after change: -82/-82. Interference before/after change: -54/-118


IDS Signature attack detected. Signature Type: Standard, Name: NULL probe resp 1, Description: NULL Probe Response - Zero length SSID element, Track: per-Mac, Detecting AP Name: 12-c11-ap8M, Radio Type: 802.11b/g, Preced: 2, Hits: 1, Channel: 11, srcMac: 00:17:FA:04:2D:CD



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
tstanik Sat, 11/15/2008 - 19:22
User Badges:
  • Bronze, 100 points or more

IDS Disassociation Flood attacks against valid clients are sometimes reported where the attacker's MAC address is that of an AP joined to that controller.

When a client is associated to the AP but stops communicating because of card removal, roaming out of range, etc. to the AP, the AP will wait until the idle timeout. Once the idle timeout is reached, the AP sends that client a disassociate frame. When the client does not acknowledge the disassociate frame, the AP retransmits the frame numerous times (around 60 frames). The IDS subsystem of the controller hears these retransmits and alerts with this message.

This bug is resolved in version 4.0.217.0. Upgrade your Controller version to this version in order to overcome this alert message against valid clients and APs.



c.fuller Tue, 01/06/2009 - 13:53
User Badges:

This is a good description of the cause of this error message. I always see these messages and ignore them. Now I at least have an idea of what may be causing them. The only thing that I am confused about is that I am running 4.1.185 on my WLC's. So either the bug was not fixed in this release or I am dealing with another issue. Thoughts?

Actions

This Discussion

 

 

Trending Topics - Security & Network