cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11745
Views
0
Helpful
13
Replies

getting this error message "Max EAPOL-key M5 retransmissions exceeded for client"

I've got a cisco 5508 controller and 1252 ap's. on code 6.0.182.0

when using a HP Procurve M111 (WCB-200) client bridge i get this error message all the time "Max EAPOL-key M5 retransmissions exceeded for client"

What could be the cause?

13 Replies 13

George Stefanick
VIP Alumni
VIP Alumni

Can you run drop into the cli and run client debug and post your capture?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

  type = Airespace AP - Learn IP address
  on AP c4:7d:4f:37:f6:80, slot 0, interface = 13, QOS = 0
  ACL Id = 255, Ju
*Feb 04 07:13:51.197: 00:03:52:09:dd:18 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*Feb 04 07:13:51.198: 00:03:52:09:dd:18 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4442, Adding TMP rule
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  type = Airespace AP - Learn IP address
  on AP c4:7d:4f:37:f6:80, slot 0, interface = 13, QOS = 0
  ACL Id = 255, Jumb
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 Stopping retransmission timer for mobile 00:03:52:09:dd:18
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 Key exchange done, data packets from mobile 00:03:52:09:dd:18 should be forwarded shortly
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 Sending EAPOL-Key Message to mobile 00:03:52:09:dd:18
      state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Feb 04 07:13:51.198: 00:03:52:09:dd:18 Sent EAPOL-Key M5 for mobile 00:03:52:09:dd:18
*Feb 04 07:13:51.997: 00:03:52:09:dd:18 802.1x 'timeoutEvt' Timer expired for station 00:03:52:09:dd:18
*Feb 04 07:13:51.997: 00:03:52:09:dd:18 Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:03:52:09:dd:18
*Feb 04 07:13:52.952: 00:03:52:09:dd:18 802.1x 'timeoutEvt' Timer expired for station 00:03:52:09:dd:18
*Feb 04 07:13:52.952: 00:03:52:09:dd:18 Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 00:03:52:09:dd:18
*Feb 04 07:13:53.907: 00:03:52:09:dd:18 802.1x 'timeoutEvt' Timer expired for station 00:03:52:09:dd:18
*Feb 04 07:13:53.907: 00:03:52:09:dd:18 Retransmit failure for EAPOL-Key M5 to mobile 00:03:52:09:dd:18, retransmit count 3, mscb deauth count 0
*Feb 04 07:13:53.907: 00:03:52:09:dd:18 Sent Deauthenticate to mobile on BSSID c4:7d:4f:37:f6:80 slot 0(caller 1x_ptsm.c:467)
*Feb 04 07:13:53.907: 00:03:52:09:dd:18 Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
*Feb 04 07:13:59.359: 00:03:52:09:dd:18 Association received from mobile on AP c4:7d:4f:37:f6:80
*Feb 04 07:13:59.359: 00:03:52:09:dd:18 STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*Feb 04 07:13:59.359: 00:03:52:09:dd:18 STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*Feb 04 07:13:59.359: 00:03:52:09:dd:18 Processing WPA IE type 221, length 22 for mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.359: 00:03:52:09:dd:18 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)

*Feb 04 07:13:59.359: 00:03:52:09:dd:18 0.0.0.0 START (0) Initializing policy
*Feb 04 07:13:59.359: 00:03:52:09:dd:18 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)

*Feb 04 07:13:59.359: 00:03:52:09:dd:18 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)

*Feb 04 07:13:59.360: 00:03:52:09:dd:18 0.0.0.0 Removed NPU entry.
*Feb 04 07:13:59.360: 00:03:52:09:dd:18 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP c4:7d:4f:37:f6:80 vapId 1 apVapId 1
*Feb 04 07:13:59.360: 00:03:52:09:dd:18 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:03:52:09:dd:18 on AP c4:7d:4f:37:f6:80 from Associated to Associated

*Feb 04 07:13:59.360: 00:03:52:09:dd:18 Stopping deletion of Mobile Station: (callerId: 48)
*Feb 04 07:13:59.360: 00:03:52:09:dd:18 Sending Assoc Response to station on BSSID c4:7d:4f:37:f6:80 (status 0)
*Feb 04 07:13:59.360: 00:03:52:09:dd:18 apfProcessAssocReq (apf_80211.c:4361) Changing state for mobile 00:03:52:09:dd:18 on AP c4:7d:4f:37:f6:80 from Associated to Associated

*Feb 04 07:13:59.361: 00:03:52:09:dd:18 Creating a PKC PMKID Cache entry for station 00:03:52:09:dd:18 (RSN 0)
*Feb 04 07:13:59.361: 00:03:52:09:dd:18 Initiating WPA PSK to mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.361: 00:03:52:09:dd:18 dot1x - moving mobile 00:03:52:09:dd:18 into Force Auth state
*Feb 04 07:13:59.361: 00:03:52:09:dd:18 Skipping EAP-Success to mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.361: 00:03:52:09:dd:18 Starting key exchange to mobile 00:03:52:09:dd:18, data packets will be dropped
*Feb 04 07:13:59.361: 00:03:52:09:dd:18 Sending EAPOL-Key Message to mobile 00:03:52:09:dd:18
      state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Feb 04 07:13:59.394: 00:03:52:09:dd:18 Received EAPOL-Key from mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.394: 00:03:52:09:dd:18 Received EAPOL-key in PTK_START state (message 2) from mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.394: 00:03:52:09:dd:18 Stopping retransmission timer for mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.394: 00:03:52:09:dd:18 Sending EAPOL-Key Message to mobile 00:03:52:09:dd:18
      state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 Received EAPOL-Key from mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)

*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP c4:7d:4f:37:f6:80 vapId 1 apVapId 1
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4426, Adding TMP rule
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP c4:7d:4f:37:f6:80, slot 0, interface = 13, QOS = 0
  ACL Id = 255, Ju
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4442, Adding TMP rule
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  type = Airespace AP - Learn IP address
  on AP c4:7d:4f:37:f6:80, slot 0, interface = 13, QOS = 0
  ACL Id = 255, Jumb
*Feb 04 07:13:59.405: 00:03:52:09:dd:18 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Feb 04 07:13:59.406: 00:03:52:09:dd:18 Stopping retransmission timer for mobile 00:03:52:09:dd:18
*Feb 04 07:13:59.406: 00:03:52:09:dd:18 Key exchange done, data packets from mobile 00:03:52:09:dd:18 should be forwarded shortly
*Feb 04 07:13:59.406: 00:03:52:09:dd:18 Sending EAPOL-Key Message to mobile 00:03:52:09:dd:18
      state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*Feb 04 07:13:59.406: 00:03:52:09:dd:18 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Feb 04 07:13:59.406: 00:03:52:09:dd:18 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Feb 04 07:13:59.407: 00:03:52:09:dd:18 Sent EAPOL-Key M5 for mobile 00:03:52:09:dd:18
*Feb 04 07:14:00.210: 00:03:52:09:dd:18 802.1x 'timeoutEvt' Timer expired for station 00:03:52:09:dd:18
*Feb 04 07:14:00.210: 00:03:52:09:dd:18 Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:03:52:09:dd:18
*Feb 04 07:14:01.165: 00:03:52:09:dd:18 802.1x 'timeoutEvt' Timer expired for station 00:03:52:09:dd:18
*Feb 04 07:14:01.165: 00:03:52:09:dd:18 Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 00:03:52:09:dd:18
*Feb 04 07:14:02.120: 00:03:52:09:dd:18 802.1x 'timeoutEvt' Timer expired for station 00:03:52:09:dd:18
*Feb 04 07:14:02.120: 00:03:52:09:dd:18 Retransmit failure for EAPOL-Key M5 to mobile 00:03:52:09:dd:18, retransmit count 3, mscb deauth count 0
*Feb 04 07:14:02.120: 00:03:52:09:dd:18 Sent Deauthenticate to mobile on BSSID c4:7d:4f:37:f6:80 slot 0(caller 1x_ptsm.c:467)

Are you using PSK? If so, did you double check the KEY on the bridge? Are other clients associating fine to the same ssid / access point ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi,

Yes i have triple checked PSK key.

I have other clients connected to this wlan, so there seems to be some incompatibility issues between cisco and HP.

I know i had this working on  a 4.2.205 firmware on a older 4404-25 controller some time ago, could there be a problem with 6.0.182 firmware?

do you have aironet extensions enabled.you will find this under the advanced tab of the ssid. if so disable an reset the bridge

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

already disabled this on all my wlans

There are a couple bugs on this issue being investigated.  I would suggest you open a TAC case so it can be investigated further.

Thanks Dan ... do you have any further info and what the issue may be !?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

When i installed the 5508 it was preloaded with 6.0.188 but on that code it was impossible to get the 1252 to even associate with the controller.

the solution presented by TAC was either to downgrade or place all AP's on a different vlan or enable hsrp, but hsrp is not an option since we're not running cisco gear on switching.

The bug on 6.0.188 forced me to downgrade to 6.0.182.

Now im waiting for the next release which i hope the folks on cisco tried out before releasing.

Does anyone know when this new software is supposed to be released?

'it was impossible to get the 1252 to even associate with the controller'

maybe this can cause the issue ?http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte01087

RLS 6.0.189.0 expected beginning of March.

GG

New software for the 5508 has been released.  I downloaded it the other day, and just finished applying it to my 3rd controller.

New software is 6.0.196.0

Did you get this resolved?  I am seeing these in my WLC log like crazy, and for almost all clients.

Try setting:

>config advanced eap eapol-key-retries 3

The default is "2".  This change has significantly reduced the number of errors we are seeing (although has not completely eliminated them).

darwin_ma
Level 1
Level 1

Hi,

what client adapter are you using?

I experienced the same problem using WLC4402 with 6.0.182, TAC claimed this as client misbehaviour problem. It happens to (so far I found) intel 5100AGN with 13.0.0.107 and 4965ABG with 11.1.1.22.

Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: