Solved: Clients are dicconected intermittently 10 - 20 minutes

Daniel Ordóñez Flores · ‎08-15-2013

Hello everyone I hope you can help me because I really need it.

I have two WLC 5508 and some AP's 1131 and 3602. I don't know why but my clients are lossing connection to WLAN here some logs from WLC.

[01:51:55 p.m.] Jonatan Sosa Franco: dot1xMsgTask: Aug 15 18:49:29.829: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:49:14.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:48:57.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:48:07.225: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 68:7f:74:68:2c:91

*dot1xMsgTask: Aug 15 18:46:35.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:14:bc:f4:c4

*spamApTask4: Aug 15 18:46:27.305: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database

*spamApTask4: Aug 15 18:46:26.615: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A

*apfReceiveTask: Aug 15 18:46:26.370: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg

*dot1xMsgTask: Aug 15 18:45:57.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72

*dot1xMsgTask: Aug 15 18:44:16.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47

*apfMsConnTask_3: Aug 15 18:44:13.455: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.

*dot1xMsgTask: Aug 15 18:43:33.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:43:18.222: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:43:15.021: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:6c:1c:63:36

*dot1xMsgTask: Aug 15 18:43:02.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:13:02:3d:e7:f6

*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aboted for client 00:13:02:3d:e7:f6

*dot1xMsgTask: Aug 15 18:42:26.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client f4:0b:93:a5:f5:2f

*apfMsConnTask_7: Aug 15 18:42:23.606: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: f4:0b:93:a5:f5:2f.

*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.699: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:597 Unable to send AAA message for client 00:13:02:3d:e7:f6

*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.697: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication Aboted for client 00:13:02:3d:e7:f6

*dot1xMsgTask: Aug 15 18:42:05.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M3 retransmissions exceeded for client 00:13:02:3d:e7:f6

*dot1xMsgTask: Aug 15 18:40:25.221: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 18:e7:f4:7c:3b:88

*webauthRedirect: Aug 15 18:40:06.377: %EMWEB-3-READ_ERROR: webauth_redirect.c:938 read error on server socket

*dot1xMsgTask: Aug 15 18:39:51.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:39:36.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:39:19.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:39:16.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e

*dot1xMsgTask: Aug 15 18:39:02.021: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e

*dot1xMsgTask: Aug 15 18:38:47.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e

*dot1xMsgTask: Aug 15 18:38:45.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47

*apfMsConnTask_5: Aug 15 18:38:42.748: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.

*spamApTask3: Aug 15 18:38:34.872: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database

*spamApTask3: Aug 15 18:38:34.185: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A

*apfReceiveTask: Aug 15 18:38:33.938: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg

*apfMsConnTask_6: Aug 15 18:36:23.285: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.

*Dot1x_NW_MsgTask_3: Aug 15 18:36:05.902: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:85:08:89:f3:9b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00

*dot1xMsgTask: Aug 15 18:35:41.817: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 74:e1:b6:92:65:09

*apfMsConnTask_6: Aug 15 18:35:18.777: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.

*dot1xMsgTask: Aug 15 18:35:12.817: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 30:17:c8:43:0c:2d

*apfMsConnTask_5: Aug 15 18:34:12.772: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.

*dot1xMsgTask: Aug 15 18:33:58.217: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72

*dot1xMsgTask: Aug 15 18:33:49.217: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client c8:6f:1d:04:5d:5a

*apfMsConnTask_5: Aug 15 18:33:17.082: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.

*dot1xMsgTask: Aug 15 18:31:53.617: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72

*dot1xMsgTask: Aug 15 18:31:06.017: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 88:53:2e:0f:99:66

*spamApTask4: Aug 15 18:29:18.178: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database

*spamApTask4: Aug 15 18:29:17.491: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A

*apfReceiveTask: Aug 15 18:29:17.246: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg

Regards...

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Scott Fella · ‎09-15-2013

To make it simple... on a Windows and many other devices, you have some choices:

WPA-Personal <-- Preshared Key

WPA2-Personal <--Preshared Key

WPA-Enterprise <--802.1x

WPA2-Enterprise <--802.1x

When using either of these, your WLC needs to have WPA+WPA2. When you specify 802.1x, you can setup on the radius server to use PEAP, EAP-TLS or machine authentication. These are defined on the Radius and has to also match what you have on the client.

See below:

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

View solution in original post

ROBERT T · ‎08-15-2013

This is not the same, but very similar to an issue I had after upgrading to 7.3, see the link below for more details.

http://www.goatnetworking.com/forum/viewtopic.php?f=8&t=1771&p=1844#p1844

Daniel Ordóñez Flores · ‎08-15-2013

I have 7.2.110 version and I have disable that options...

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Scott Fella · ‎08-15-2013

What type of clients? Can you post your show wlan

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Daniel Ordóñez Flores · ‎08-15-2013

Well they're Laptops, tablets, MAC, etc

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Daniel Ordóñez Flores · ‎08-15-2013

by the way this happened in every wlan I have 6

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Daniel Ordóñez Flores · ‎08-15-2013

Sorry Scott

Here's the information:

(Cisco Controller) >show wlan 1

WLAN Identifier.................................. 1

Profile Name..................................... Ferromex

Network Name (SSID).............................. Ferromex

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

Client Profiling Status ....................... Disabled

Radius-NAC State............................... Disabled

SNMP-NAC State................................. Disabled

Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 85

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 28800 seconds

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ usuarios ferromex

--More-- or (q)uit

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

DHCP Server...................................... 10.10.40.10

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

--More-- or (q)uit

Authentication................................ 10.10.40.15 1812

Accounting.................................... Global Servers

Interim Update............................. Disabled

Dynamic Interface............................. Disabled

Local EAP Authentication......................... Disabled

Security

802.11 Authentication:........................ Open System

FT Support.................................... Disabled

Static WEP Keys............................... Disabled

802.1X........................................ Enabled

Encryption:..................................... 104-bit WEP

Wi-Fi Protected Access (WPA/WPA2)............. Disabled

Wi-Fi Direct policy configured................ Disabled

EAP-Passthrough............................... Disabled

CKIP ......................................... Disabled

Web Based Authentication...................... Disabled

Web-Passthrough............................... Disabled

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

FlexConnect Local Switching................... Disabled

FlexConnect Local Authentication.............. Disabled

--More-- or (q)uit

FlexConnect Learn IP Address.................. Disabled

Client MFP.................................... Optional but inactive (WPA2 not configured)

Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID IP Address Status

------- --------------- ------

802.11u........................................ Disabled

Access Network type............................ Not configured

Network Authentication type.................... Not configured

Internet service............................... Disabled

HESSID......................................... 00:00:00:00:00:00

Hotspot 2.0.................................... Disabled

--More-- or (q)uit

WAN Metrics configuration

Link status.................................. 0

Link symmetry................................ 0

Downlink speed............................... 0

Uplink speed................................. 0

Mobility Services Advertisement Protocol....... Disabled

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Scott Fella · ‎08-15-2013

You are doing leap? What does the radius server show in the logs?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Daniel Ordóñez Flores · ‎08-15-2013

I'm using PEAP

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Scott Fella · ‎08-15-2013

PEAP is using wpa + wpa2 and then 802.1x

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Daniel Ordóñez Flores · ‎08-15-2013

Well I just select 802.1x I have this screen.

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Daniel Ordóñez Flores · ‎08-15-2013

I forgot to tell you I'm using ISE for Auth

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Scott Fella · ‎08-15-2013

Same here... I don't deploy PEAP the way you have it though.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎08-15-2013

Here is PEAP

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Daniel Ordóñez Flores · ‎08-15-2013

Ok so I need to change security configuration as you do?

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**