LAP drops client connections

Answered Question
Feb 15th, 2012

Hello! We have a WLC 5508 (6.0.188.0) and some converted APs, AIR-AP1141N-E-K9. Everything works fine except for one thing:

One of these converted APs is located outside the office building, but it is still connected to our local network as if it were located within the office (there is a fiber channel between our Cisco core switch and the switch to which that one LAP is connected).

The trouble is that users can't get normal Wi-Fi on that outside LAP. I see a few successful pings to the "associated" client, then drops, then again a little success, then long drops.

Logs from the WLC:

Feb 15 10:04:53 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:11:17.702: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx

Feb 15 10:04:57 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:11:22.104: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx

Feb 15 10:36:14 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:42:38.859: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:354 Invalid replay counter from client xx:xx:xx:xx:xx:xx - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01

Feb 15 10:37:07 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:32.061: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M3 retransmissions exceeded for client xx:xx:xx:xx:xx:xx

Feb 15 10:37:12 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:37.061: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx

Feb 15 10:37:16 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:40.888: %DOT1X-1-INVALID_WPA_KEY_STATE: 1x_eapkey.c:1638 Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 2, client xx:xx:xx:xx:xx:xx

Feb 15 10:37:21 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:45.661: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx

Feb 15 10:37:23 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:47.540: %DOT1X-1-INVALID_WPA_KEY_STATE: 1x_eapkey.c:1638 Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 2, client xx:xx:xx:xx:xx:xx

Feb 15 10:37:26 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:50.461: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx

What could it be? Is it possible that some noise or whatever could cause it? The building with this problematic LAP is a kind of film studio...
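An added example, not part of the original post and not Cisco tooling: a small Python parser for the %DOT1X messages pasted above that tallies, per client, which 4-way-handshake message went unanswered and whether a reply arrived late. The function names `parse` and `summarize` and the regexes are assumptions derived only from the log lines shown in the post.

```python
import re
from collections import Counter, defaultdict

# Five lines copied from the post above; the poster had already masked the MAC.
SAMPLE = """\
Feb 15 10:04:53 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:11:17.702: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx
Feb 15 10:36:14 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:42:38.859: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:354 Invalid replay counter from client xx:xx:xx:xx:xx:xx - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
Feb 15 10:37:07 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:32.061: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M3 retransmissions exceeded for client xx:xx:xx:xx:xx:xx
Feb 15 10:37:12 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:37.061: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx
Feb 15 10:37:16 172.22.90.20 Wi-Fi_Controller: *Feb 15 10:43:40.888: %DOT1X-1-INVALID_WPA_KEY_STATE: 1x_eapkey.c:1638 Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 2, client xx:xx:xx:xx:xx:xx
"""

# Shape seen in the post: "*<WLC time>: %DOT1X-<severity>-<MNEMONIC>: <file:line> <text>"
LINE = re.compile(r"\*(?P<ts>\w{3} +\d+ [\d:.]+): %DOT1X-(?P<sev>\d)-"
                  r"(?P<mnemonic>[A-Z0-9_]+): \S+ (?P<text>.*)$")
CLIENT = re.compile(r"client ((?:[0-9A-Fa-fx]{2}:){5}[0-9A-Fa-fx]{2})")
RETRANS = re.compile(r"EAPOL-key (M[1-4]) retransmissions exceeded")
REPLAY = re.compile(r"got ((?:[0-9a-f]{2} ?){8}), expected ((?:[0-9a-f]{2} ?){8})")

def parse(line):
    """Return a dict for one DOT1X message, or None for any other line."""
    m = LINE.search(line)
    if m is None:
        return None
    text = m["text"]
    client = CLIENT.search(text)
    ev = {"ts": m["ts"], "severity": int(m["sev"]), "mnemonic": m["mnemonic"],
          "client": client.group(1) if client else None}
    if (r := RETRANS.search(text)):
        ev["stage"] = r.group(1)           # handshake message that got no answer
    if (r := REPLAY.search(text)):
        got, expected = (int(g.replace(" ", ""), 16) for g in r.groups())
        ev["replay_lag"] = expected - got  # >0: reply matches an earlier transmission
    return ev

def summarize(log_text):
    """Count handshake failure kinds per client MAC."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = ev["mnemonic"] + (":" + ev["stage"] if "stage" in ev else "")
        per_client[ev["client"]][key] += 1
        if ev.get("replay_lag", 0) > 0:
            per_client[ev["client"]]["late_reply"] += 1
    return {mac: dict(counts) for mac, counts in per_client.items()}

if __name__ == "__main__":
    for mac, counts in summarize(SAMPLE).items():
        print(mac, counts)
```

A tally dominated by M1 retransmissions means the controller's first key message is going unanswered, which fits frame loss on the air as well as a client-side problem, so it is worth comparing the same tally for an AP that works.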

Correct Answer
Scott Fella Wed, 02/15/2012 - 04:51

Well as long as the connection between the remote location and the location where the wlc is connected to is fine, then it can be interference. If you click on the ap from the wlc wireless tab, on the bottom of the image you can see the uptime and the join time. If these times are okay and not short, then the link is okay. Have you tried to swap an ap to see if you still have the same issue and I'm guessing that clients in the main building work fine, but when they go to the other site, they have issues on the same SSID. If you think it is interference, you might want to use a spectrum analyzer to determine that. Could be some of the lighting or various wireless devices they might use out there.

Sent from Cisco Technical Support iPhone App

18091988n Wed, 02/15/2012 - 05:21

Thank you very much for your answer!

Yes, due to your recommendations I am inclined to think that the problem is interference... although the D-Link AP works fine there...

What would you advise changing in the settings to minimize its influence?

I have tried to change the channels in Wireless -- 802.11b/g/n -- DCA, but it didn't seem to work... In Wireless -- Access Point -- Radios -- 802.11b/g/n I still see channel 1, 6 or 11...

airframes Wed, 02/15/2012 - 22:00

Natalia,

If you don't have any mission critical reason to stay on 6.0.x code, you might consider moving up to 7.0.x, preferably 7.0.220.0 or higher and then continue troubleshooting. If you have to stay on 6.0.x, consider upgrading to 6.0.220.0.

Another thing to consider is physical placement of the LAP. Do you have it mounted to a ceiling or wall? Is it near (within 40cm or so) sheet metal or a solid metal I-beam or other metal construction? As Scott mentioned, it is possible the AP is experiencing interference (or is interfering with itself). A best practice is to make sure that AP is mounted horizontally, typically to a ceiling or at the end of a mast extending downward from the ceiling, with the white dome facing the floor. Try to keep the AP vertically within 7m of the service area (i.e., don't mount it too high and away from where your mobile clients will be), and keep it away from hard metal surfaces.

Justin

18091988n Thu, 02/16/2012 - 00:44

Guys, thank you for your replies!

Justin, your advice will be useful for me in the future.

We have found out that our AP is located between a mobile television station and TV cameras that broadcast on 2.4 GHz frequencies, like our b/g/n AP. As a solution we decided either to move the AP somewhere else or to replace it with another one that is a/n. Hope one of these will help.

And as I was told today the D-Link AP also does not work fine while all the TV equipment is on =) only when it is off.

18091988n Tue, 03/13/2012 - 04:11

Is it possible to make the individual LAP work only in 5GHz using WLC? or how to disable the 2.4 GHz radio module on that LAP? I want it to support only 802.11a & 802.11n on only 5 GHz.

Thanks

Scott Fella Tue, 03/13/2012 - 04:37

You go to the Wireless tab then on the left side click 802.11bgn, click networks and disable 802.11b. That will disable globally 2.4.

Thanks,

Scott Fella

Sent from my iPhone

18091988n Tue, 03/13/2012 - 04:53

No, I don't want to disable it globally! Only on one LAP, not on all! Is it possible?

I have read that I can manually configure the channel for an individual AP, that I can configure the LAP to use 40 MHz (Channel Bonding) in 5 GHz (802.11a/n). Is that what I need?

Correct Answer
Scott Fella Tue, 03/13/2012 - 04:57

Well... Your roaming will break if you roam from another ap and the client needs to roam to that AP. Click on the blue triangle next to the AP under Wireless then Radios 802.11bgn. You might be able to disable the radio there.

Thanks,

Scott Fella

Sent from my iPhone

18091988n Wed, 03/21/2012 - 03:32

Sorry for disturbing you again, Scott!

While I was trying to solve this,

"Is it possible to make the individual LAP work only in 5GHz using WLC? or how to disable the 2.4 GHz radio module on that LAP? I want it to support only 802.11a & 802.11n on only 5 GHz."

I was making an experiment of changing Radio Policy on a WLAN for SSID, to which only Apple users are connecting. I had chosen "802.11a only", then "802.11a/g" only, but finally I left "All" as it was before.

But now Apple devices choose only radio 802.11g or 802.11a to connect to, although they could choose 802.11n before my experiments! Don't understand what went wrong and how to deal with it.

Scott Fella Wed, 03/21/2012 - 03:41

EDIT: You need to go to the wireless tab on the WLC and then click on Access Points | Radios | 802.11 b/g/n. Go to the right of the AP and click on the blue triangle, click configure and disable the status.

Thanks,

Scott Fella

Sent from my iPhone

18091988n Wed, 03/21/2012 - 03:54

Oh, I badly explained what I need again(((

I don't need only 2.4 GHz now. I cited that just to remind you why I was doing this:

"I was making an experiment of changing Radio Policy on a WLAN for SSID, to which only Apple users are connecting. I had chosen "802.11a only", then "802.11a/g" only, but finally I left "All" as it was before."

And now I am faced with this problem:

"But now Apple devices choose only radio 802.11g or 802.11a to connect to, although they could choose 802.11n before my experiments!" Now all those devices have only 54 Mbps as a Current Tx RateSet. They need 144 Mbps, which they had before, while connecting with radio 802.11n.

Any ideas?

Scott Fella Wed, 03/21/2012 - 03:59

I don't know... maybe the iPads only connect on the 2.4ghz when using 802.11N.  Since you only see 144mbps, I'm guessing that the iPads only connect on the 2.4ghz.  If you have the 5ghz setup for 802.11n and you have 40mhz channel width, then the highest you will see on a laptop is 300mbps.  To achieve 300mbps, you need to either have an open authentication or use wpa2/aes.  Also WMM needs to be enabled on the SSID.

18091988n Wed, 03/21/2012 - 04:13

Not only iPads, but MacBooks and iPhones too. But they don't want to connect using 802.11n, only 802.11g and 802.11a. How to make them connect using 802.11n when Radio Policy is set to "All" for that WLAN??? It doesn't matter whether 2.4 or 5 GHz.

Scott Fella Wed, 03/21/2012 - 04:16

The WLC can't force them to use 802.11N, it's really up to the client devices. As long as you configure the WLC to support 802.11n, then you have really done your part, it's up to Apple to figure that out:)

18091988n Wed, 03/21/2012 - 04:21

:))))) I like this idea ))

thanks much for numerous help in this sometimes weird wireless world ))

Scott Fella Wed, 03/21/2012 - 06:42

Natalia,

One thing you can try is to use band select on the WLAN SSID Advanced Tab. You will have to set your radio policies to 'ALL'. This might help, but some iOS devices may still connect only on 2.4ghz.

Thanks,

Scott Fella

Sent from my iPhone

18091988n Thu, 03/22/2012 - 08:15

You know, what is the answer?

iPads are culpable!!!

to make them connect to our LAPs we were forced to leave only WPA2 policy + TKIP encryption in WLAN Security Layer 2 parameters. Weird that we didn't mention the change of speed before. So, if we enable ALL methods of encryption on a WLAN - we get 144 Mbps and Apple devices, connected to LAP, using 802.11n! woohoo!

But we still need that iPads, so we should be grateful for 54 Mbps

Scott Fella Thu, 03/22/2012 - 08:47

From what I know, is that... default, WPA uses TKIP and WPA uses AES.  So when you setup a device that only gives you options for:

WPA-Personal --> WPA-TKIP

WPA2-Personal --> WPA2-AES

WPA-Enterprise --> WPA-TKIP

WPA2-Enterprise --> WPA2-AES

It uses the default encryption for the WPA(2). If you set your WLAN SSID for WPA2-AES with WMM enabled and 40 mhz channel width, what speeds do you get on your 802.11N capable laptop or mac book? You should see 300mbps, assuming you are near an AP:) The iPad 2 & 3 you should see more than 54mbps, but not the iPad first gen.

18091988n Fri, 03/23/2012 - 06:06

I will learn about the expansion of the channel width to 40 MHz and will try to do that. Will let you know what I get)

Scott Fella Fri, 03/23/2012 - 06:14

Sounds good. You have to disable the 5ghz first to make the change.

Thanks,

Scott Fella

Sent from my iPhone

18091988n Wed, 04/11/2012 - 06:49

well, we've made a channel bonding today, also have made an aggregation of frames(A-MPDU) for the traffic, left only WPA2-AES on a WLAN SSID and got 300Mbps while connecting on the 5Ghz!

But we can't leave WPA2-AES; we need only WPA2-TKIP because, for an unknown reason, iPads can't connect to the converted AIR-AP1141N-E-K9 with c1140-rcvk9w8-tar.124-21a.JA2 and send Decrypt errors to WLC. However, there are no problems connecting to the AIR-LAP1142N-E-K9 with the same IOS when only WPA2-AES is left in the WLAN configuration.

Will be figuring this out somehow..

This Discussion

Posted February 15, 2012 at 4:29 AM