MFP Anomaly Detected

Endorsed Question
Aug 13th, 2013

Hi,

I have seen this message log on a WLC 5508 running 7.5 code, but I haven't found any information about it. I will be grateful if anybody knows what it means.

thanks


MFP Anomaly Detected - 3 Not encrypted event(s) found as violated by the radio XX:XX:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP XX:XX:XX:XX:XX:XX in 300 seconds when observing Disassoc, Deauth. Client's last source mac XX:XX:XX:XX:XX:XX

Endorsed by Scott Fella
Saravanan Lakshmanan about 3 years 6 months ago

these're the respective defects filed for the mentioned issues.

CSCum49200 Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum62305 Traffic stops for iphone/mac OS in 7.6 in 3600/3700

Overall Rating: 5 (3 ratings)
Abhishek Abhishek Wed, 08/14/2013 - 12:22
User Badges:
  • Gold, 750 points or more

Hello,


As per your query, I can suggest the following solution:


This error message is seen when frames with incorrect MIC values are detected by MFP enabled LAPs. Refer to Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example for more information on MFP. Complete one of these four steps:

  1. Check and remove any rogue or invalid APs or clients in your network, which generate invalid frames.
  2. Disable the Infrastructure MFP, if MFP is not enabled on other members of the Mobility group as LAPs can hear management frames from LAPs of other WLCs in the group that do not have MFP enabled. Refer to Wireless LAN Controller (WLC) Mobility Groups FAQ for more information on Mobility Group.
  3. The fix for this error message is available in the WLC releases 4.2.112.0 and 5.0.148.2. Upgrade the WLCs to either of these releases.
  4. As a last option, try to reload the LAP that generates this error message.

Hope this will help you.
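
Added example, not part of any post in this thread and not Cisco code: a small triage script that parses the "MFP Anomaly Detected" message in the form quoted above and groups events by violating radio, so that a radio you do not manage (step 1) can be told apart from one of your own LAPs (step 2). The sample lines, the MAC addresses and the `KNOWN` inventory of managed radio MACs are constructed assumptions.

```python
import re
from collections import defaultdict

# Field layout taken from the two messages quoted in this thread.
MFP_RE = re.compile(
    r"MFP Anomaly Detected - (?P<count>\d+) (?P<violation>.+?) event\(s\) found as "
    r"violated by the radio (?P<radio>\S+) and detected by the dot11 interface at "
    r"slot (?P<slot>\d+) of AP (?P<ap>\S+) in (?P<window>\d+) seconds when observing"
    r"\s*(?P<frames>[^.]*)\. Client's last source mac (?P<client>\S+)"
)

def parse_mfp(line):
    """Return the fields of one MFP anomaly message, or None if it is not one."""
    m = MFP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("count", "slot", "window"):
        rec[key] = int(rec[key])
    # The frame list can be empty, as in the second message quoted in the thread.
    rec["frames"] = [f.strip() for f in rec["frames"].split(",") if f.strip()]
    for key in ("radio", "ap", "client"):
        rec[key] = rec[key].lower()
    return rec

def triage(lines, known_radios):
    """Group events by violating radio. known_radios is the operator's own
    inventory of managed AP radio MACs (an assumption of this example)."""
    by_radio = defaultdict(lambda: {"events": 0, "reporters": set(), "frames": set()})
    for line in lines:
        rec = parse_mfp(line)
        if rec is None:
            continue  # not an MFP anomaly line
        entry = by_radio[rec["radio"]]
        entry["events"] += rec["count"]
        entry["reporters"].add(rec["ap"])
        entry["frames"].update(rec["frames"])
    report = []
    for radio, e in sorted(by_radio.items(), key=lambda kv: -kv[1]["events"]):
        origin = "managed AP" if radio in known_radios else "unknown radio"
        report.append((radio, origin, e["events"], len(e["reporters"]), sorted(e["frames"])))
    return report

# Constructed sample input; MACs come from the documentation range 00:00:5E:00:53:xx.
TEMPLATE = ("MFP Anomaly Detected - {n} Not encrypted event(s) found as violated by the "
            "radio {r} and detected by the dot11 interface at slot 0 of AP {a} in 300 "
            "seconds when observing {f}. Client's last source mac 00:00:5E:00:53:C1")
SAMPLE = [
    TEMPLATE.format(n=3, r="00:00:5E:00:53:10", a="00:00:5E:00:53:A0", f="Disassoc, Deauth"),
    TEMPLATE.format(n=2, r="00:00:5E:00:53:10", a="00:00:5E:00:53:B0", f="Deauth"),
    TEMPLATE.format(n=1, r="00:00:5E:00:53:99", a="00:00:5E:00:53:A0", f=""),
    "unrelated trap log line",
]
KNOWN = {"00:00:5e:00:53:10"}  # hypothetical inventory of managed radio MACs

if __name__ == "__main__":
    for row in triage(SAMPLE, KNOWN):
        print(row)
```

Each row is (violating radio, origin, total events, number of reporting APs, frame types seen); a managed radio reported by several of your own APs matches the mobility-group case in step 2 rather than a rogue device.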

Joseph Rizzo Fri, 11/15/2013 - 06:14

Upgrade from 7.5 to 4 or 5 level code? I am also receiving these errors; I check my rogues every morning. Also, since I upgraded to 7.5, I see an unreasonable amount of rogues I have never seen before. Something is wrong with the code. I also get complaints that clients randomly hang since 7.5.


08:01:47 2013

MFP Anomaly Detected - 1 Not encrypted event(s) found as violated by the radio xxxxx and detected by the dot11 interface at slot 0 of AP xxxxxx in 300 seconds when observing . Client's last source mac xxxxxx

Christian S. Fri, 01/10/2014 - 04:14

Same here. Upgraded from 7.4 to 7.6 (because of support for 3700 APs) and now I get "flooded" with these messages 24/7. I already disabled Infrastructure MFP and also set MFP from optional to disabled on all of my WLANs, but the problem still persists. There seems to be something wrong within the code...

Scott Fella Fri, 01/10/2014 - 05:31
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

I also see that message and I'm running v7.6. I have MFP disabled and still seeing errors from clients in that WLAN.

Have you experienced clients, mainly Apple devices, lose layer 2/3 connectivity but still be associated and in the RUN state? George and I have been testing this and we have seen it on the 3600's and the 3700's. If so, keep us posted.

Sent from Cisco Technical Support iPhone App

Christian S. Fri, 01/10/2014 - 09:53

Well Scott,


I only replaced one (the one in my area) of our 1260's at the moment to be sure everything runs fine with the new APs, so I only have about 20 clients (some Android, iOS, many Win7) connected to the 3700 at the moment and nearly all of them run fine. Only one iPhone 5c, which is connected to our guest WLAN, web-authenticated and in RUN state, has to repeat the web-auth nearly every time it awakes. I tried with another iPhone 4 and a Galaxy S4 and none of them had any troubles. I even went home with them and the next morning they could browse the web without the need for repeating web-auth. All of these devices are associated and in RUN state, but this particular 5c always has to repeat the web-auth... I'm not sure if this has something to do with 7.6 or the 3700, but since you asked. BTW, my global idle-timeout is set to 24h, idle-timeout at WLANs advanced settings is disabled and eap-bcast-key-interval is also 24h, so this can't be the problem.


Additionally, I experience loss of L2 connectivity with my own notebook with Intel 7260AC when connected at 11ac, but this seems to be a problem of this card and its drivers as far as I found out with Google... The Galaxy S4 has a stable connection to the 3700 at 11ac.


But this MFP thing is really annoying at the moment and the solution "try to reload the LAP" won't work at all - I'd have to reload all of them (but even tried one, without success)...


Regards,

Christian

Scott Fella Mon, 01/20/2014 - 06:31

Christian,

George and I are working with the BU on some issue with losing layer 2 and v7.6. I have seen issues with my iPhone, iPad and some Windows machines, but a MacBook Air has no issues. I would open a TAC case so maybe they can start logging something.

George has some MacBooks on the 3700 that also lose layer 2. I'm currently testing on the 3600's but will test on the 3700 this week.

Sent from Cisco Technical Support iPhone App

Christian S. Fri, 01/24/2014 - 13:04

Hi Scott,


I installed many of the 3702 this week and a lot of our users are using Apple products so they should complain if something doesn't work anymore as it did before. I'll keep you updated, but as Saravanan stated that Cisco is already working on this I'd think that we would also run into these effects...


BTW, MFP is still flooding the logs...


regards,

Christian

Scott Fella Sat, 01/25/2014 - 05:38

George and I have been working with the BU on issues with v7.6 and I do see issues mainly with Apple, but also with a few Windows machines. MFP logs... well yes, I see those too and just tend to ignore them, as most likely an upgrade would or might fix that. Give it some time for users to really complain... I have seen clients bring us in after a few months, because they find out that users are finally complaining that they have to reboot or reset their wireless every so often. I use my iPhone a lot and I notice it right away and typically have to just disable my wireless and use cellular. Apple TVs don't seem to have issues, but that's what I have seen so far.


Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

David Watkins Thu, 08/14/2014 - 00:13
User Badges:
  • Bronze, 100 points or more

Hi Scott,

Are you still seeing these issues even on the latest 7.6.120.0?  Specifically, the L2 communication loss on the Apple devices?

Thanks!

bkoch1 Tue, 09/16/2014 - 08:43

We were running 7.6.120 on one of our controllers, and that's when we started seeing those alarms. I've upgraded that controller to 8.0, and those messages have disappeared.

Kunal Kumar Singh Wed, 02/04/2015 - 12:45

I see the error message with 7.6.130 code. Here is setup detail

 

WLC2504 running 7.6.130

AP3702

 

Error message screenshot attached. 

 

 

Mohit Kumar Thu, 11/27/2014 - 03:17

Hi,

 

I am having an AP image upgrade problem. I have a 5500 WLC which has been upgraded from 7.3 to 7.6.130. When I run the AP pre-download option, the 2602 and 3602 AP image upgrade fails every time, though some of the 2600/3600 are working fine with 7.6. I have also tried to reboot the APs so that they can auto-upgrade their image while contacting the WLC, but it did not help. I have gone through the Cisco wireless compatibility list but nothing helped me. Please suggest any solution for this issue.

tdorsey123 Mon, 02/23/2015 - 15:39

Hi Mohit, If you haven't fixed this issue, often doing a factory reset on the AP can help when an AP won't preload.  Remember this wipes your high availability and IP settings off the AP so use carefully...:)

Saravanan Lakshmanan Tue, 01/21/2014 - 14:31
User Badges:
  • Cisco Employee,

these're the respective defects filed for the mentioned issues.

CSCum49200 Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum62305 Traffic stops for iphone/mac OS in 7.6 in 3600/3700

Rasika Nayanajith Tue, 01/21/2014 - 18:21
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Wireless

Hi Saravanan,


Is this first bug internal? I cannot see the detail due to no privileges.


Regards

Rasika

Saravanan Lakshmanan Tue, 01/21/2014 - 19:50

Yes, it was, but I made it external; it will take 24hrs or so to be externally visible. Anyway, both bugs address the same issue.

Rasika Nayanajith Tue, 01/21/2014 - 19:59

Thanks for the update Saravanan

Rasika Nayanajith Mon, 01/27/2014 - 18:45

Hi Saravanan,


Checked it again today and still no visibility of CSCum49200; it may still be internal to Cisco.


Pls check that.


Rasika

Saravanan Lakshmanan Tue, 01/28/2014 - 12:12

I checked now and am able to see it.


Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum49200

Description

Symptom: Sometimes MAC clients will be associated and RUN state but unable to ping the gateway

Conditions: WLC running 7.6.100.0 with three ap3600s

Workaround: none

More Info: see description

Scott Fella Tue, 01/28/2014 - 12:34

Good deal... it's visible now.


Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Saravanan Lakshmanan Wed, 01/29/2014 - 12:24

Adding a related defect:


CSCuj17283 WiFi clients dropping ARP  replies on TID 3 w/ ap3700 (on some switches)


Workaround:

Change WLAN QoS profile to Voice, Video or Background (not Best Effort)

Scott Fella Wed, 01/29/2014 - 12:28

Thanks for the update!


Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

George Stefanick Thu, 01/23/2014 - 20:51
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, October 2015

Glad to see that you guys could reproduce it ..



__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Scott Fella Fri, 01/24/2014 - 05:45

George,

I think we need to follow up with them just to see if they have another ticket created from our testing. I sent them my config so they can test as close to my environment as possible.

Sent from Cisco Technical Support iPhone App

Saravanan Lakshmanan Fri, 01/24/2014 - 12:29

#Appreciate you guys on bringing in hot issues.

#For issue recreation, the credit goes to a BU escalation.

Joseph Rizzo Wed, 01/15/2014 - 09:21

I have upgraded to 7.6.100 on my 5508 and 2504's. The rogue detection is working much better and I am not getting the MFP errors anymore. I have 1250, 1040 and 1140 LWAPs. Not sure if clients continue to hang and get disconnected, but it's been about a week, so no news is good news.

maerz-helpdesk Mon, 01/20/2014 - 02:19

Hello,


this weekend we updated the WLC from our customer to 7.6.100 and also get messages from WCS with MFP Anomaly detection.

The Customer will disable MFP under the WLAN configuration.

I hope this will help and stop these messages.

The global MFP Protection was disabled.

Scott Fella Mon, 01/20/2014 - 06:31

I get those messages still and MFP is disabled on my WLAN's.

Sent from Cisco Technical Support iPhone App

Scott Fella Tue, 01/21/2014 - 15:16

Thanks for the update... George and I have been working with a few guy's on your end with the issues we were seeing.


Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Xiao Yi Steven FAN Sun, 03/30/2014 - 16:51

Guys, has this issue been resolved? I also saw the same error. I'm running a 5508 with code 7.6; the AP is a 3700.

 

 

Xiao Yi Steven FAN Tue, 08/05/2014 - 21:33

Hello guys, to further update my issue: Cisco TAC told me this MFP-related bug will only be fixed in version 8.0. But my users' experience is a bit different, and I am not sure it is also related; see my debugging logs below for an iPad. Not sure whether any of you have encountered the same issue on version 7.6.110 on WLC 5508 with AP 3700. BTW, the iPad is stationary. Thanks.

  1. I have reviewed the logs at around 5:30 am and following are the logs that stand out –

2014-07-09 05:30:43        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 10.62.3.248 RUN (20) Change state to START (0) last state RUN (20)

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 apfMs1xStateDec

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 apfMsRunStateDec

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Updated location for station old AP b8:38:61:1e:a1:50-0, new AP b8:38:61:1e:a1:50-1

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *pemReceiveTask: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 10.62.3.248 Removed NPU entry.

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 10.62.3.248 RUN (20) Deleted mobile LWAPP rule on AP [b8:38:61:1e:a1:50]

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 unsetting PmkIdValidatedByAp

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Setting active key cache index 0 ---> 8

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Unable to compute a valid PMKID from global PMK cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Found an entry in the global PMK cache for station cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.813: cc:78:5f:d4:ca:70 Searching for PMK in global PMK cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 Trying to compute a PMKID from MSCB PMK cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 No valid PMKID found in the MSCB PMKID cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 Searching for PMKID in MSCB PMKID cache for mobile cc:78:5f:d4:ca:70

2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.812: cc:78:5f:d4:ca:70 Received RSN IE with 1 PMKIDs from mobile cc:78:5f:d4:ca:70

 

                2014-07-09 05:30:41        Local0.Debug     10.168.53.47       CT-WLAN-35-WLC01: *apfMsConnTask_6: Jul 09 05:30:40.811: cc:78:5f:d4:ca:70 Reassociation received from mobile on BSSID b8:38:61:1e:a1:51

Based on the information contained here, around 5:30 the following events took place –

Client was in RUN state and sent a re-association to the same AP for some reason.

Upon looking for a valid PMKID cache for the client there was none found so the AP tried computing a new PMKID based on the cached PMK but was unable to do so.

The AP, as it seems, registered the client to move from one radio to another on the same AP, thereby resulting in disconnection & re-association.

rupert.wever Thu, 04/10/2014 - 12:20

Running 7.6.110.0 w/ AP3700s

Disabled MFP: Still seeing the errors

Disabled WMM: Mac wireless clients in RUN state sometimes unable to ping gateway (including Windows Clients)

Has TAC indicated a possible fix?

dominik78 Tue, 06/17/2014 - 16:34

 

 

We were seeing the same issues while running 7.6.110 and .120 on 3700s and good number of older model APs. In our case TAC had us downgrade to 7.4 for now.

Christian S. Tue, 06/17/2014 - 21:16

TAC told you to downgrade to 7.4? They must be kidding, or did you throw away all of your 3700s and got a refund, because they won't work with 7.4...

dominik78 Tue, 06/17/2014 - 22:55

 

Correct, we only had the 3700s on a trial basis as part of a proof of concept, which is why we were able to downgrade to 7.4 after removing the 3700s. The issues went away with the downgrade (as far as we know, based on no new complaints since the downgrade).

 

bkoch1 Thu, 07/24/2014 - 12:26

I am seeing this as well on a controller that we've upgraded from 7.3.101 to 7.6.120.

j-sutterfield Mon, 08/04/2014 - 11:03

I second that.  Seeing the problem on 7.6.120 with 3702i APs.

George Stefanick Mon, 08/04/2014 - 19:32

What devices?

j-sutterfield Tue, 08/05/2014 - 06:31

In my case it's been limited to Apple devices. iPhone, iPad and MacBook have all shown the same symptoms. They appear to be fully connected, in RUN state according to the controller, but unable to communicate.

aleopoldie Thu, 08/14/2014 - 02:21

Hello guys,

 

Same problem with MFP, but it's only on 1 of my SSIDs, and only for clients who are using Motorola scanners 9190...

WLC : 5508 (code 7.6.120.0)

AP's : 2602

Devices impacted : Motorola 9190

 

I'm really annoyed because users who use these Motorolas are starting to complain...

 

Richard Bradfield Sun, 09/14/2014 - 17:05
User Badges:
  • Silver, 250 points or more

I upgraded to 7.6.120 on my 5508 over the weekend. This morning I am seeing the above errors in the log. Looking at the config, I see that MFP is disabled, and also nobody is complaining so far.

reason to go to 7.6 was for AP 2702 support which we are purchasing.

questions:

can I now ignore the error message?

does 7.6.130 fix the problem?

diondohmen Mon, 09/22/2014 - 01:41

Hi chrbradf1,

 

I have not yet upgraded my WLCs to 7.6.130, but according to the release notes, this should have been fixed now.

Richard Bradfield Mon, 09/22/2014 - 18:18

I upgraded to 7.6.130 at the weekend,  no longer get the MFP messages, so that is fixed.

 
