Scanners are deauthenticating randomly

Unanswered Question
Jul 29th, 2013

Hello Everyone,

I have around 12 production machines connected to wireless bridges, and these bridges are connected to Cisco APs.

Problem:

1. These machines are disconnecting after random intervals.

2. I am not able to see the DHCP lease IP address in Controller > Internal DHCP server > DHCP Allocated Lease.

Can anyone help with this?



Regards

George Stefanick Mon, 07/29/2013 - 07:38

Can you post the WLAN config that these devices connect to?


There are a number of timers you should be aware of.


Session timeout is found under the ADVANCED tab of the WLAN. This is set to 1800 seconds by default. There is also a user idle timeout that is under the CONTROLLER tab, and this is set to 300 seconds.


Also make sure client load balance is disabled.


These are typical troublemakers.


__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Sandeep Choudhary Tue, 07/30/2013 - 00:27

Hi George,

I unchecked Enable Session Timeout; user idle timeout is 300 seconds (as you said, it is the default).

Client Load balance is disabled.



Regards

Sandeep

Scott Fella Tue, 07/30/2013 - 03:56

Post your show WLAN

Sent from Cisco Technical Support iPhone App

Sandeep Choudhary Tue, 07/30/2013 - 04:25

Hi Scott,

Here is the output of sh wlan 1:


(Cisco Controller) >show wlan 1

WLAN Identifier.................................. 1
Profile Name..................................... BDE
Network Name (SSID).............................. BDE
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 14
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ bde
Multicast Interface.............................. Not Configured

--More or (q)uit current module or to abort

WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers

--More or (q)uit current module or to abort

   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled

--More or (q)uit current module or to abort

FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------





Regards

Scott Fella Tue, 07/30/2013 - 04:36

You need to use either WPA v1 with TKIP or WPA v2 with AES. Don't use both and don't mix and match. So if your scanners support WPA v2 with AES, make sure you set your WLAN to that only. If they don't support it, then use WPA v1 with TKIP.

Sent from Cisco Technical Support iPhone App
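
Added example, not part of the original thread: a small Python check that reads the WPA/WPA2 rows of `show wlan` output and reports whether the WLAN advertises exactly one of the two combinations recommended above. The function names are hypothetical, and the sample is constructed from the security lines of the output posted earlier.

```python
import re

# Constructed sample: the WPA/WPA2 lines of the `show wlan 1` output posted above.
SAMPLE = """\
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
"""

# "Key......... Value" rows; a key may itself contain single dots (e.g. 802.11).
ROW = re.compile(r"^\s*(?P<key>.+?)\.{2,}\s*(?P<val>\S.*)$")

def enabled_suites(text):
    """Return the (version, cipher) pairs that are enabled in `show wlan` output."""
    suites, version, version_on = set(), None, False
    for raw in text.splitlines():
        m = ROW.match(raw)
        if not m:
            continue  # blank lines, section headers, pager prompts
        key, on = m["key"].strip(), m["val"].strip() == "Enabled"
        if key.startswith(("WPA (", "WPA2 (")):
            # Cipher rows that follow belong to this WPA version.
            version, version_on = key.split()[0], on
        elif key in ("TKIP Cipher", "AES Cipher") and version:
            if version_on and on:
                suites.add((version, key.split()[0]))
        else:
            version = None  # left the WPA/WPA2 sub-block
    return suites

def is_single_mode(text):
    """True only for WPA+TKIP alone or WPA2+AES alone (the advice in the thread)."""
    return enabled_suites(text) in ({("WPA", "TKIP")}, {("WPA2", "AES")})

if __name__ == "__main__":
    print(sorted(enabled_suites(SAMPLE)), "single mode:", is_single_mode(SAMPLE))
```

Run against a saved copy of the full `show wlan <id>` output, the same functions work unchanged, since rows outside the WPA/WPA2 sub-block are ignored.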

Sandeep Choudhary Tue, 07/30/2013 - 04:51

Thanks for the quick reply.

OK, I changed it to WPA1/TKIP. Let me monitor it for a few hours.

I will let you know the results.



Regards

Sandeep Choudhary Tue, 07/30/2013 - 05:05

But can you please tell me why I am not able to see the DHCP Allocated Lease in the WLC?


Regards

Scott Fella Tue, 07/30/2013 - 05:46

Well... the clients need to be connected properly first, and then, as long as the WLC is the only DHCP server, any address that the WLC issues will show up on the DHCP lease.


Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

Abhishek Abhishek Tue, 07/30/2013 - 14:39

Hello,


As per your query, I can suggest the following solution:


An access point may not log events related to client association and deauthentication during a client roam. The reassociation event will be missing in the logs on the access point to which the client roamed and the deauthentication event will be missing in the logs on the access point from which the client roamed. The behavior may be seen for a period of several minutes.


Hope this will help you.

Sandeep Choudhary Tue, 07/30/2013 - 22:59

Hi Abhishek,

All clients are stationary.

There is no roaming issue, but all the scanners are connected to a wireless bridge (WET200).


Regards
