Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Clients are dicconected intermittently 10 - 20 minutes

Hello everyone I hope you can help me because I really need it.

I have two WLC 5508 and some AP's 1131 and 3602. I don't know why but my clients are lossing connection to WLAN here some logs from WLC.

[01:51:55 p.m.] Jonatan Sosa Franco: dot1xMsgTask: Aug 15 18:49:29.829: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:49:14.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:48:57.629: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:48:07.225: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 68:7f:74:68:2c:91

*dot1xMsgTask: Aug 15 18:46:35.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:14:bc:f4:c4

*spamApTask4: Aug 15 18:46:27.305: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database

*spamApTask4: Aug 15 18:46:26.615: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A

*apfReceiveTask: Aug 15 18:46:26.370: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg

*dot1xMsgTask: Aug 15 18:45:57.421: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72

*dot1xMsgTask: Aug 15 18:44:16.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47

*apfMsConnTask_3: Aug 15 18:44:13.455: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.

*dot1xMsgTask: Aug 15 18:43:33.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:43:18.222: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:43:15.021: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:23:6c:1c:63:36

*dot1xMsgTask: Aug 15 18:43:02.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 00:13:02:3d:e7:f6

*Dot1x_NW_MsgTask_6: Aug 15 18:42:35.732: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447  Authentication Aboted for client 00:13:02:3d:e7:f6

*dot1xMsgTask: Aug 15 18:42:26.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client f4:0b:93:a5:f5:2f

*apfMsConnTask_7: Aug 15 18:42:23.606: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: f4:0b:93:a5:f5:2f.

*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.699: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:597 Unable to send AAA message for client 00:13:02:3d:e7:f6

*Dot1x_NW_MsgTask_6: Aug 15 18:42:05.697: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447  Authentication Aboted for client 00:13:02:3d:e7:f6

*dot1xMsgTask: Aug 15 18:42:05.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M3 retransmissions exceeded for client 00:13:02:3d:e7:f6

*dot1xMsgTask: Aug 15 18:40:25.221: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 18:e7:f4:7c:3b:88

*webauthRedirect: Aug 15 18:40:06.377: %EMWEB-3-READ_ERROR: webauth_redirect.c:938 read error on server socket

*dot1xMsgTask: Aug 15 18:39:51.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:39:36.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:39:19.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 18:20:32:34:1c:42

*dot1xMsgTask: Aug 15 18:39:16.221: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e

*dot1xMsgTask: Aug 15 18:39:02.021: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e

*dot1xMsgTask: Aug 15 18:38:47.621: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client 4c:b1:99:ed:f3:5e

*dot1xMsgTask: Aug 15 18:38:45.821: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client cc:55:ad:6d:8f:47

*apfMsConnTask_5: Aug 15 18:38:42.748: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: cc:55:ad:6d:8f:47.

*spamApTask3: Aug 15 18:38:34.872: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database

*spamApTask3: Aug 15 18:38:34.185: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A

*apfReceiveTask: Aug 15 18:38:33.938: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg

*apfMsConnTask_6: Aug 15 18:36:23.285: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.

*Dot1x_NW_MsgTask_3: Aug 15 18:36:05.902: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:85:08:89:f3:9b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00

*dot1xMsgTask: Aug 15 18:35:41.817: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 74:e1:b6:92:65:09

*apfMsConnTask_6: Aug 15 18:35:18.777: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 80:60:07:fd:d4:f0.

*dot1xMsgTask: Aug 15 18:35:12.817: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 30:17:c8:43:0c:2d

*apfMsConnTask_5: Aug 15 18:34:12.772: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.

*dot1xMsgTask: Aug 15 18:33:58.217: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72

*dot1xMsgTask: Aug 15 18:33:49.217: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client c8:6f:1d:04:5d:5a

*apfMsConnTask_5: Aug 15 18:33:17.082: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: 30:17:c8:43:0c:2d.

*dot1xMsgTask: Aug 15 18:31:53.617: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 5c:e2:f4:f7:d1:72

*dot1xMsgTask: Aug 15 18:31:06.017: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:475 Max EAP retransmissions exceeded for client 88:53:2e:0f:99:66

*spamApTask4: Aug 15 18:29:18.178: %CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:103 The system could not release exclusive access of AP entry for 84:78:ac:c0:87:30 in the database

*spamApTask4: Aug 15 18:29:17.491: %LWAPP-3-RD_ERR6: spam_lrad.c:9849 APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in country (US ), slot 80211a (1) supports -A

*apfReceiveTask: Aug 15 18:29:17.246: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:289 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg

Regards...

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Clients are dicconected intermittently 10 - 20 minutes

To make it simple... on a Windows and many other devices, you have some choices:

WPA-Personal <-- Preshared Key

WPA2-Personal <--Preshared Key

WPA-Enterprise <--802.1x

WPA2-Enterprise <--802.1x

When using either of these, your WLC needs to have WPA+WPA2.  When you specify 802.1x, you can setup on the radius server to use PEAP, EAP-TLS or machine authentication.  These are defined on the Radius and has to also match what you have on the client.

See below:

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
37 REPLIES
New Member

Clients are dicconected intermittently 10 - 20 minutes

This is not the same, but very similar to an issue I had after upgrading to 7.3, see the link below for more details.

http://www.goatnetworking.com/forum/viewtopic.php?f=8&t=1771&p=1844#p1844

Clients are dicconected intermittently 10 - 20 minutes

I have 7.2.110 version and I have disable that options...

Hall of Fame Super Silver

Clients are dicconected intermittently 10 - 20 minutes

What type of clients?  Can you post your show wlan

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Clients are dicconected intermittently 10 - 20 minutes

Well they're Laptops, tablets, MAC, etc

Clients are dicconected intermittently 10 - 20 minutes

by the way this happened in every wlan I have 6

Clients are dicconected intermittently 10 - 20 minutes

Sorry Scott

Here's the information:

(Cisco Controller) >show wlan 1

WLAN Identifier.................................. 1

Profile Name..................................... Ferromex

Network Name (SSID).............................. Ferromex

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 85

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 28800 seconds

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ usuarios ferromex

--More-- or (q)uit

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

DHCP Server...................................... 10.10.40.10

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

--More-- or (q)uit

   Authentication................................ 10.10.40.15 1812

   Accounting.................................... Global Servers

      Interim Update............................. Disabled

   Dynamic Interface............................. Disabled

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Enabled

        Encryption:..................................... 104-bit WEP

   Wi-Fi Protected Access (WPA/WPA2)............. Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Disabled

   FlexConnect Local Authentication.............. Disabled

--More-- or (q)uit

   FlexConnect Learn IP Address.................. Disabled

   Client MFP.................................... Optional but inactive (WPA2 not configured)

   Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

802.11u........................................ Disabled

  Access Network type............................ Not configured

  Network Authentication type.................... Not configured

  Internet service............................... Disabled

  HESSID......................................... 00:00:00:00:00:00

Hotspot 2.0.................................... Disabled

--More-- or (q)uit

  WAN Metrics configuration

    Link status.................................. 0

    Link symmetry................................ 0

    Downlink speed............................... 0

    Uplink speed................................. 0

Mobility Services Advertisement Protocol....... Disabled

Hall of Fame Super Silver

Re: Clients are dicconected intermittently 10 - 20 minutes

You are doing leap? What does the radius server show in the logs?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Clients are dicconected intermittently 10 - 20 minutes

I'm using PEAP

Hall of Fame Super Silver

Re: Clients are dicconected intermittently 10 - 20 minutes

PEAP is using wpa + wpa2 and then 802.1x

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Clients are dicconected intermittently 10 - 20 minutes

Well I just select 802.1x I have this screen.

Re: Clients are dicconected intermittently 10 - 20 minutes

I forgot to tell you I'm using ISE for Auth

Hall of Fame Super Silver

Re: Clients are dicconected intermittently 10 - 20 minutes

Same here... I don't deploy PEAP the way you have it though.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Clients are dicconected intermittently 10 - 20 minutes

Here is PEAP

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Clients are dicconected intermittently 10 - 20 minutes

Ok so I need to change security configuration as you do?

Hall of Fame Super Silver

Re: Clients are dicconected intermittently 10 - 20 minutes

Yes I would. This is how you setup PEAP and EAP-TLS on any radius.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Clients are dicconected intermittently 10 - 20 minutes

although I'm using ISE for Auth ?

Re: Clients are dicconected intermittently 10 - 20 minutes

Can you do a >show 802.11b on both controller and post

I noticed this:

*apfMsConnTask_7: Aug 15 18:42:23.606: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:203 Could not check supported rates. Invalid Supported Rates from station . Length :0. Mobile MAC: f4:0b:93:a5:f5:2f.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________

Re: Clients are dicconected intermittently 10 - 20 minutes

ok let me get this information ASAP and I let you know George

Re: Clients are dicconected intermittently 10 - 20 minutes

Hello Scott /George

I changed PEAP way authe and still having this problem. By the way I disable the speed 1,2,5.5, 11 for 802.11b devices keep out of the WLAN.

Hall of Fame Super Silver

Re: Clients are dicconected intermittently 10 - 20 minutes

Post your show WLAN

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Clients are dicconected intermittently 10 - 20 minutes

Let me get access to the WLC and I will

Re: Clients are dicconected intermittently 10 - 20 minutes

Hello Scott/Guys

Well finally tomorrow I will able to acces to WLC and I decided to start to new configuration. And I'm going to use wpa + wpa2 auth metod.

Clients still are disconnected so I have one questions I know I can do a backup trough cli. and I can paste this configuration if it would be necessary.

Does anyone wich is this command?

Thanks

VIP Purple

Re: Clients are dicconected intermittently 10 - 20 minutes

"show run-config commands" will give you the most of config as configured

Re: Clients are dicconected intermittently 10 - 20 minutes

and when I get the output I can just paste it and It will working? or you think uploading downloading config is the best option?

VIP Purple

Re: Clients are dicconected intermittently 10 - 20 minutes

Above will give most of the configured command (without advanced configuration). If you can taka a backup via TFTP that will be everything & best if you could have that.

Here is how you could take a backup via CLI.

transfer upload datatype config

transfer upload mode tftp

transfer upload serverip x.x.x.x <-TFTP server IP  

transfer upload path .

transfer upload filename WLC-BACKUP.txt <- filename

transfer upload start

y

If you are restoring a backup always get config via TFTP & then download it to another controller

http://mrncciew.com/2013/01/25/backup-restore-wlc-configs/

HTH

Rasika

Hall of Fame Super Silver

Re: Clients are dicconected intermittently 10 - 20 minutes

The show run-config commands will give you the commands, but you can't paste them as is. They are not in the proper order so some commands will fail. If you want to start clean, then start clean without doing a restore. Don't paste the show run-config command if you don't understand the commands as it will give you more issues. Build it from scratch.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Clients are dicconected intermittently 10 - 20 minutes

Ok I'm on my way to the site I will let you know.

Thanks

New Member

Re: Clients are dicconected intermittently 10 - 20 minutes

I noticed this in your log:

*spamApTask4: Aug 15 18:29:17.491: %LWAPP-3-RD_ERR6: spam_lrad.c:9849  APs (84:78:ac:c0:87:30) regulatory domain (-N) is not supported in  country (US ), slot 80211a (1) supports -A

Is your controller in -A? I am not sure why this AP is reporting as it is from -N regulatory domain.

Re: Clients are dicconected intermittently 10 - 20 minutes

Hi Scott/Vlad

Well I checked the wlc configuration and yes the RF domain it was wrong, so  I changed it to Mexico code.

I checked the 802.1x configuration and I changed it how Scott told me. I noticed too that 3 SSID were sharing the same dynamic Interface, so we created one interface for SSID and we created DHCP server for every SSID.

Our client will check the service next week, but I'm not sure if this issues could been the problem for this desconnection.

One intersting thing was that the client told me after I changed the RF Domain the cover area was improve it.

What do you think guys?

3943
Views
0
Helpful
37
Replies