voice gaps in 7921 when roaming between cisco APs controlle

Unanswered Question
Feb 19th, 2009

Good Afternoon,

We have installed Cisco WS-C3750G-24WS-S25 to provide wireless coverage in the facilities of a company and we are having a lot of problems with the roaming process of the Wireless LAN Controller. The wireless clients are Cisco 7921 IP Phones associated with a Cisco Call Manager Business Edition. We have detected voice gaps in Cisco 7921 IP phones when roaming between Cisco APs controlled by WS-C3750G-24WS-S25, but the call never ends during the gap. The gap ends when the roam to the other AP has finished successfully.

Controller information:

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 5.2.157.0

RTOS Version..................................... 5.2.157.0

Bootloader Version............................... 4.0.217.0

Emergency Image Version.......................... 5.2.157.0

Build Type....................................... DATA + WPS

System Name...................................... Cisco_8a:b2:87

System Location..................................

System Contact...................................

System ObjectID.................................. 1.3.6.1.4.1.9.1.747

IP Address....................................... 192.168.1.192

System Up Time................................... 0 days 0 hrs 10 mins 43 secs

System Timezone Location.........................

Current Boot License Level.......................

Next Boot License Level..........................

Configured Country............................... ES - Spain

Operating Environment............................ Commercial (0 to 40 C)

Internal Temp Alarm Limits....................... 0 to 65 C

Internal Temperature............................. +34 C

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Disabled

Number of WLANs.................................. 3

3rd Party Access Point Support................... Disabled

Number of Active Clients......................... 1

Burned-in MAC Address............................ 00:23:5E:8A:B2:80

Crypto Accelerator 1............................. Absent

Crypto Accelerator 2............................. Absent

Power Supply 1................................... Present, OK

Power Supply 2................................... Present, OK

Maximum number of APs supported.................. 25

Version 7921 :

CP7921G-1.2.1

Version CUCM : 6.1.3.1000-16

Debug output and Logging output:

(Cisco Controller) >*Feb 19 13:05:31.211: Neighbor List for LRAD 00:23:5e:d4:98:30, Slot 1 not found in [l2roamGetNeighborListForSlot].

*Feb 19 13:05:31.211: Sending L2ROAM Broadcast Neighbor List Packet

*Feb 19 13:05:31.211: Sending Broadcast Packet to AP 00:23:5e:d4:98:30 Slot 0

*Feb 19 13:05:31.212: 00000000: 00 95 33 81 ff ff ff ff ff ff 00 23 5e d4 98 30 ..3........#^..0

*Feb 19 13:05:31.212: 00000010: 28 11 00 23 5e d4 98 30 06 00 06 01 06 ab 02 02 (..#^..0........

*Feb 19 13:05:31.212: 00000020: 02 b8 05 28 11 00 23 5e 4a 59 b0 0b 00 06 01 06 ...(..#^JY......

*Feb 19 13:05:31.212: 00000030: ab ff ff 02 b8 05 28 11 00 23 5e d4 97 40 01 00 ......(..#^..@..

*Feb 19 13:05:31.212: 00000040: 06 01 06 ab 05 05 02 b8 05 28 11 00 23 5e 96 b1 .........(..#^..

*Feb 19 13:10:45.474: %APF-1-SEND_ASSOC_RESP_FAILED: apf_80211.c:4262 Could not send a Client Association response to 00:23:5e:67:1b:f8. Supected Auto-Immune attack Not sending Assoc Response.

-Traceback: 1061f694 10624e80 10103140 1010335c 104be944 10e42470 11033dec

*Feb 19 13:10:43.464: %APF-1-SEND_ASSOC_RESP_FAILED: apf_80211.c:4262 Could not send a Client Association response to 00:23:5e:67:1b:f8. Supected Auto-Immune attack Not sending Assoc Response.

mjose.zambrano Fri, 02/20/2009 - 01:34

Hi migilles,

The gaps can last about 5 or 6 seconds. The call never disconnects during these gaps.

When the gap occurs, each peer hears silence until the communication returns.

The authentication is [WPA + WPA2][Auth(PSK)].

I think the problem is produced by the roaming process.

The configuration of the WLC is the default.

I have modified some parameters about QoS and the problem persists.

The WLAN dedicated to voice traffic is Platinum traffic. I have allowed WMM Policy.

I have made some tests to solve the problem. I have specified the EDCA Profile as WMM or Voice Optimized but the problem goes on.

I have followed the Deployment Guide of 7921.

Additional Guidelines for Using 7921 and 7920 Wireless IP Phones

Follow these guidelines to use Cisco 7921 and 7920 Wireless IP Phones with controllers:

• Aggressive load balancing must be disabled for each controller. Otherwise, the initial roam attempt by the phone may fail, causing a disruption in the audio path.

• The Dynamic Transmit Power Control (DTPC) information element (IE) must be enabled using the config 802.11b dtpc enable command. The DTPC IE is a beacon and probe information element that allows the access point to broadcast information on its transmit power. The 7921 or 7920 phone uses this information to automatically adjust its transmit power to the same level as the access point to which it is associated. In this manner, both devices are transmitting at the same level.

• Both the 7921 and 7920 phones and the controllers support Cisco Centralized Key Management (CCKM) fast roaming.

• When configuring WEP, there is a difference in nomenclature for the controller and the 7921 or 7920 phone. Configure the controller for 104 bits when using 128-bit WEP for the 7921 or 7920.

• For standalone 7921 phones, load-based CAC must be enabled, and the WMM Policy must be set to Required on the WLAN.

• The controller supports traffic classification (TCLAS) coming from 7921 phones using firmware version 1.1.1. This feature ensures proper classification of voice streams to the 7921 phones.

Are there additional parameters that I have to take into account?

Thanks

migilles Fri, 02/20/2009 - 18:52

Ok, did you change the EAPOL key timeout in the "show advanced eap" in the WLC cli? It sounds like you did.

If so, you will need to change this back to 1 second. Sometimes the broadcast encrypted key comes too quickly and must retry the packet, where this timeout is used.

I would suggest to use WPA+CCKM if possible.

mjose.zambrano Tue, 02/24/2009 - 09:14

The optimized configuration provided by TAC in this scenario:

- DTIM period should be 2 for 7921s

- The platinum profile does not have the 802.1p marking; this is to be marked to CoS 6

- Low data rates (1 and 2 mbps) must be disabled for voice, check in 802.11b Network Configuration

- 5.5 mbps should be disabled for voice, check in 802.11b Network Configuration. This depends on phone density versus desired cell size

- ACM is not enabled, check in 802.11b Voice Configuration

- Low data rates (6 and 9 mbps) should be disabled for voice, check in 802.11a Network Configuration (7921 recommendations)

- ACM is not enabled, check in 802.11a Voice Configuration

- Traffic Stream Metrics collection is disabled. It is recommended, although not mandatory, to enable it in 11a band

- Depending on your RF coverage, and desired call density, it may be recommended to disable high data rates for voice services (36, 48, 54 mbps) in 11b/g band and (36, 48, 54 mbps) in 11a band

- SSID wifivoip does not have AP CAC limit enabled

- Session timeout should be either disabled (zero) or high, to avoid voice disruptions during authentication, WLAN:wifivoip, Current Timeout:1800 seconds

- WLAN has TKIP as L2 policy, and Hold Down timer is not disabled, this is not recommended, as it may cause voice problems in case of MIC errors introduced by other devices, wifivoip

- WLAN has exclusion timer enabled, it is recommended to disable in voice WLANs to allow faster recovery: wifivoip

Another thing to keep in mind in your configuration is that the syslog messages are sent to the broadcast address. If there are errors reported by many APs, and there are too many APs per VLAN, this can cause broadcast storms. As a best practice, it is better to configure an individual server.

The problem has been solved

bfowles Thu, 04/09/2009 - 03:03

I am having the same issue with auto-immune problems on the 5.2.178.0 code and have been informed by TAC that it is a bug in the 5.2 code and the developers are working on a solution, but nothing has been released as yet. It seems to affect only the 7921 phones. Cisco are recommending code rev 1.1.1 on these phones but I have tried this yet to see if it helps.

lamadam Thu, 06/25/2009 - 18:29

I have also experienced this issue. Do you have the bug ID? Is this problem solved in WLC 6.0?

migilles Sun, 06/28/2009 - 23:47

Yes the DDTS for the WLC is below. The auto-immune feature is enabled in 4.2.176.0 and 5.X and is not configurable.

There is an MR for the 4.2 and 5.2 trains (4.2.205.0 and 5.2.193.0), which have the auto-immune feature disabled by default.

It is also disabled by default in 6.0.182.0.

There will be no future MRs for 5.0 or 5.1.

Can do "show wps summary" from cli to check the status.

CSCsx74467 CLI to enable and disable auto-immune feature

We are also adding some fixes to the 792xG side to prevent from sending an incorrect timestamp during CCKM roams as well. This will be in the 1.3(3) release, which is scheduled to release this week.

CSCsx67996 7921/7925 sometimes sending wrong TSF when roaming

lamadam Mon, 06/29/2009 - 00:44

Thanks migilles~

I am using WLC version 5.2.178.0.

Does it mean I should upgrade/downgrade to the software that contains CSCsx74467?

Thank you very much.

migilles Mon, 06/29/2009 - 23:25

Yes would advise to upgrade to 5.2.193.0 when you can.

But you shouldn't see too many of these auto-immune messages if triggered by the 792xG phone.

lamadam Wed, 07/15/2009 - 22:43

It seems that the problem only occurs when the AP is using H-REAP mode. The problem disappeared in local mode. I have configured the H-REAP group in the WLC and followed the settings based on the 792xG wireless phone deployment guide. Am I doing something wrong or missing something? Or doesn't H-REAP support VoIP?

migilles Fri, 07/17/2009 - 16:13

So CCKM is supported with H-REAP.

We have released 1.3(3) now with a fix, which should help from seeing those auto-immune messages.

Otherwise may want to open a TAC case to troubleshoot further.

tplambeck Thu, 07/30/2009 - 04:53

Does the Auto-Immune feature only come into play when doing Intercontroller Roaming? Where can I find the specifics on how the feature works?

migilles Wed, 08/05/2009 - 15:42

Unfortunately, there is not much documentation if any in regards to the auto-immune feature.

It is not just for intercontroller roaming.

Auto-Immune can be triggered based on different issues; even config-related ones can trigger it.

Can be triggered by client CCKM timestamp (most common), data rates for TSPEC, QoS profile.

Auto immune is disabled in 4.2.207.0, 5.2.193.0 and 6.0.182.0.

Can show the status via "show wps summary".

It is enabled by default in previous releases.

So if using CCKM, I suggest that you use 5.2.193.0 and 1.3(3) for the 7921/7925, which also has some fixes in that area.

dasfranky Thu, 07/23/2009 - 01:38

Hi there.

One of our customers had the same problem with gaps while roaming.

He used 7921G phones and 1131 AP with controller and WPA2 PSK encryption.

We tried everything to solve this. The final solution we found was to downgrade encryption to WEP. It is less secure, although better than gaps while roaming.

migilles Wed, 08/05/2009 - 15:47

Shouldn't see auto-immune messages in regards to PSK authentication unless there are config issues on the WLC like data rates or QoS profile for the voice ssid.

However, I have seen that some customers have been configuring the EAPOL key timer from the default of 1 second to something greater (i.e. 5 seconds).

It is imperative that this stay at the default of 1 second, when using WPA.

When roaming using PSK, the first encrypted EAPOL key comes too quickly for the client to decrypt it. So the client must wait for the retransmission of that packet. If the EAPOL key timeout is too long, then the client may give up waiting and try to roam to another AP. This would trigger voice gaps when on call.

To check the setting, do "show advanced eap".

Should see the following:

(WiSM-slot4-1) >show advanced eap

EAP-Identity-Request Timeout (seconds)........... 30

EAP-Identity-Request Max Retries................. 2

EAP Key-Index for Dynamic WEP.................... 0

EAP Max-Login Ignore Identity Response........... enable

EAP-Request Timeout (seconds).................... 30

EAP-Request Max Retries.......................... 0

EAPOL-Key Timeout (seconds)...................... 1

EAPOL-Key Max Retries............................ 2

In the 6.0 release, this is now configurable in milliseconds, but the default is still 1 second.
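An offline check for the two things this thread keeps returning to, the EAPOL-Key timeout reported by "show advanced eap" and the auto-immune association failures in the controller log (an added example, not part of the original posts and not Cisco tooling). The sample inputs are constructed from the output quoted in the thread; the function names and the handling of a milliseconds label are assumptions.

```python
import re
from collections import Counter

# Constructed sample inputs, modelled on the CLI output and log lines quoted in the thread.
SHOW_ADVANCED_EAP = """\
EAP-Request Timeout (seconds).................... 30
EAPOL-Key Timeout (seconds)...................... 5
EAPOL-Key Max Retries............................ 2
"""
MSG = ("%APF-1-SEND_ASSOC_RESP_FAILED: apf_80211.c:4262 Could not send a Client "
       "Association response to {mac}. Supected Auto-Immune attack Not sending Assoc Response.")
WLC_LOG = "\n".join([
    "*Feb 19 13:10:43.464: " + MSG.format(mac="00:23:5e:67:1b:f8"),
    "*Feb 19 13:10:45.474: " + MSG.format(mac="00:23:5e:67:1b:f8"),
    "*Feb 19 13:11:02.100: " + MSG.format(mac="00:11:22:33:44:55"),  # constructed client
    "*Feb 19 13:11:03.000: Sending L2ROAM Broadcast Neighbor List Packet",
])

FIELD_RE = re.compile(r"^(?P<name>.+?)\.{2,}\s*(?P<value>.*)$")
ASSOC_RE = re.compile(r"%APF-1-SEND_ASSOC_RESP_FAILED:.*?response to "
                      r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\..*Auto-Immune", re.I)

def parse_show_output(text):
    """Turn 'Name........ value' lines of WLC CLI output into a dict."""
    matches = (FIELD_RE.match(line.strip()) for line in text.splitlines())
    return {m.group("name").strip(): m.group("value").strip() for m in matches if m}

def eapol_key_timeout_seconds(text):
    """Return the EAPOL-Key timeout in seconds, or None if the field is absent."""
    for name, value in parse_show_output(text).items():
        if name.startswith("EAPOL-Key Timeout"):
            # Assumption: a release that reports milliseconds says so in the label.
            return float(value) * (0.001 if "milli" in name.lower() else 1.0)
    return None

def autoimmune_hits(log_text):
    """Count association responses withheld by auto-immune, per client MAC."""
    hits = (ASSOC_RE.search(line) for line in log_text.splitlines())
    return Counter(m.group("mac").lower() for m in hits if m)

def review(show_text, log_text):
    """List findings: a non-default EAPOL-Key timeout and clients hit by auto-immune."""
    findings = []
    timeout = eapol_key_timeout_seconds(show_text)
    if timeout is not None and abs(timeout - 1.0) > 1e-9:
        findings.append(f"EAPOL-Key timeout is {timeout:g} s; the thread advises the 1 s default")
    for mac, count in autoimmune_hits(log_text).items():
        findings.append(f"{mac}: {count} association response(s) withheld by auto-immune")
    return findings
```

Repeated hits for the same phone MAC during roams point at the CCKM timestamp or configuration causes named in the thread; hits spread across unrelated clients deserve a closer look before the feature is switched off.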

c.larsen Tue, 09/15/2009 - 18:54

Is this true for enterprise wpa as well or just wpa-psk?

thanks.

migilles Wed, 09/16/2009 - 12:38

We have seen that issue primarily with PSK, but those timers apply for WPA enterprise as well.
