Clients disconnected randomly from AP1262N-N-K9- Invalid MIC

Unanswered Question
Feb 3rd, 2012

Hi guys,

End user has a AP1262 which at the beguinning was working fine, suddendly clients reports problems with disconnections.

checking logs in AP, one of the main logs are:

failure report from the station 0027.1007.37b0 on the packet (TSC=0x0) encrypte

d and protected by group key.

Feb  2 15:44:55.822: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC

failure report from the station 0027.1007.37b0 on the packet (TSC=0x0) encrypte

d and protected by group key.

Feb  2 15:47:56.978: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC

failure report from the station 0027.1007.37b0 on the packet (TSC=0x0) encrypte

Today I noticed that after typing sh dot11 associations command some  clients are shown, then some minutes or seconds all disappeard.

WLAN#sh dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID RAMINHome] :

MAC Address    IP address      Device        Name            Parent         State
0016.446a.316f 172.16.90.22    ccx-client    -               self           Assoc
0021.638d.dcbf 172.16.90.19    unknown       -               self           Assoc
0024.d60e.2766 172.16.90.23    ccx-client    _WLAN   self           Assoc
0027.1007.37b0 172.16.90.100   ccx-client  TINEZM  self           Assoc
ac81.12ce.0d30 172.16.90.13    ccx-client    -               self           Assoc
ac81.12ce.1138 172.16.90.151   ccx-client    -               self           Assoc
ac81.12ce.4fa6 172.16.90.147   ccx-client    -               self           Assoc

WLAN#

The logs show the next

on the packet (TSC=0x0) encrypted and protected by group key.

Feb  3 11:05:58.386: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 0 seconds on Dot11Ra

dio0 interface. The interface will be put on MIC failure hold state for next 60 seconds.

Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0027.1007.37b0 Reason: Invalid MIC

Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.d60e.2766 Reason: Invalid MIC

Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.0d30 Reason: Invalid MIC

Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.4fa6 Reason: Invalid MIC

Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.1138 Reason: Invalid MIC

Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0021.638d.dcbf Reason: Invalid MIC

Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0016.446a.316f Reason: Invalid MIC

Feb  3 11:07:12.184: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0016.446a.316f Associated KEY_MGMT[WPA PSK]

Feb  3 11:07:16.513: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   0021.638d.dcbf Associated KEY_MGMT[WPA PSK]

PETRAMIN_WLAN#


on the packet (TSC=0x0) encrypted and protected by group key.
Feb  3 11:05:58.386: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 0 seconds on Dot11Ra
dio0 interface. The interface will be put on MIC failure hold state for next 60 seconds.
Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0027.1007.37b0 Reason: Invalid MIC
Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.d60e.2766 Reason: Invalid MIC
Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.0d30 Reason: Invalid MIC
Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.4fa6 Reason: Invalid MIC
Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.1138 Reason: Invalid MIC
Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0021.638d.dcbf Reason: Invalid MIC
Feb  3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0016.446a.316f Reason: Invalid MIC
Feb  3 11:07:12.184: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0016.446a.316f Associated KEY_MGMT[WPA PSK]
Feb  3 11:07:16.513: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   0021.638d.dcbf Associated KEY_MGMT[WPA PSK]
PETRAMIN_WLAN#

the version of IOS is Version 12.4(25d)JA.,  WPA- PSK is set,

I have check this errors in cisco tools, it says about possible reasons;  one of them

A failure of the Michael MIC in a packet usually indicates an active attack on your network

or RF problems.

For the moment I set countermeasure tkip hold-time 0 , based on some recomendations in this forum.

any others recommendations I will apreciate.

regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
vitpatel Fri, 02/03/2012 - 18:16

have u tried using WPA2/AES? Maybe some bug

Sent from Cisco Technical Support iPhone App

filiberto.aguirre Wed, 05/16/2012 - 14:18

Hi Viten,

Thanks for your comments. I didn´t change to WPA2/AES because no more problems were reported but now

many clients with W7 are complaining about disconnections.

Logs in APs show a lot of messages:

May 16 16:08:34.583: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC

failure report from the station 001f.3b32.f6c1 on the packet (TSC=0x0) encrypte d and protected by group key.

Cisco tools  OUTPUT INTERPRETER states:

          Recommended Action: No action is required !!!!

What do you suggest to do ??

regards

maldehne Thu, 05/17/2012 - 01:30

You can try the following as well:

AP(config-if)#packet max-retries 128 drop-packet

wongkingmun81 Wed, 07/04/2012 - 06:52

I have the exact same problem TKIP Michael MIC Failure for my 20x new AP 1262.

Current environment having existing AP running fine without problem. We purchase new AP 1262 to increase the coverage. We configure same config as existing one. All wireless client disconnect randomly due to the TKIP problem. I had issue the countermeasure TKIP hold-time 0, problem still persist.

Anyone can help on this?

Sent from Cisco Technical Support iPhone App

filiberto.aguirre Wed, 07/04/2012 - 07:17

Hi Wong,

I cleared this problem after changing to WPA2  / AES.

dot11 ssid XXX

   vlan 900

   authentication open

   authentication key-management wpa version 2

   guest-mode

   mbssid guest-mode

   wpa-psk ascii 7 124B51

!

bridge irb

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 900 mode ciphers aes-ccm

!

ssid XXXX

!

countermeasure tkip hold-time 0

antenna gain 0

station-role root

world-mode dot11d country-code MX indoor

Why don't you try?.. maybe works for you also.

regards.

wongkingmun81 Wed, 07/04/2012 - 07:25

Thanks Filiberto for the fast response.

I did tried change a AP to WPA2-AES. the client seems connected stable. My problem is if I go for this solution, I need to change all existing AP and new AP setting to WPA2, and also 100 over wireless handheld bar code reader to accept WPA2.

Still looking around for alternative solution.

Thanks again.

Sent from Cisco Technical Support iPhone App

filiberto.aguirre Wed, 07/04/2012 - 07:37

Hi Wong,

If you are working in a noisy enviroment , WPA- TKIP is very unstable.  If you have to many APs you should

move to a WLC, is better.

regards

Actions

Login or Register to take actions

This Discussion

Posted February 3, 2012 at 9:37 AM
Stats:
Replies:8 Avg. Rating:
Views:4817 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard