
MIC failure

stanleyworks
Level 1

I am running WPA/TKIP and WPA2/AES.

However, the users (TKIP and AES) keep getting disconnected with the error MIC failure.

I thought there is a bug on TKIP to inject a frame and cause the radio to go down, so we changed "config wlan security tkip hold-down 0 <id>", but the problem is still there.

Please help


drolemc
Level 6

This error message is printed whenever a packet with the message header fails the MIC check. This happens very rarely whenever the packets with error get past the MAC level. It may also happen during the transition phase of the encryption key change.

http://www.cisco.com/en/US/docs/ios/12_4t/wlan/configuration/guide/wlcgerr.html

Johannes Luther
Level 4

I guess your workaround does not work, because the client still gets disassociated. It will just reconnect, because the hold-time is set to zero. But setting the hold-time to zero won't disable the security feature (it's in the 802.11i Standard - you know).

When a MIC failure happens, the WLC has to:

- Generate a log message!

- If it's the second MIC failure within 60 seconds, the TKIP communication is shut down for seconds. After the , the AP forces the clients to do the 4-way handshake again. That forces the client to disconnect shortly.

wingchingleung
Level 1

Try the following command in the config mode:

countermeasure tkip hold-time 0

Use the countermeasure tkip hold-time configuration interface command to configure a TKIP MIC failure holdtime. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the holdtime period.

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/command/reference/cr38main.html#wpmkr2533551

I had the same problem earlier this week and that command was suggested by Cisco. It fixed that drop off problem.
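
The rule described in the replies above (two MIC failures within 60 seconds trigger TKIP countermeasures, and a hold time of 0 only shortens the block, it does not stop the disconnect), replayed over log timestamps. This is an added example, not code from the thread or from Cisco; the log format, the function names and the choice to ignore failures seen during the hold period are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # two failures inside this window trigger countermeasures

# Constructed sample lines; the format is hypothetical, not real WLC/AP syslog output.
SAMPLE_LOG = """\
2024-01-01T10:00:00 ap1 TKIP MIC failure from client aa:bb:cc:00:00:01
2024-01-01T10:00:45 ap1 TKIP MIC failure from client aa:bb:cc:00:00:02
2024-01-01T10:01:00 ap1 TKIP MIC failure from client aa:bb:cc:00:00:01
2024-01-01T10:01:20 ap1 TKIP MIC failure from client aa:bb:cc:00:00:01
2024-01-01T10:05:00 ap1 TKIP MIC failure from client aa:bb:cc:00:00:02
"""

def parse_failures(log_text):
    """Return sorted timestamps of the lines that report a MIC failure."""
    times = []
    for line in log_text.splitlines():
        if "MIC failure" in line:
            times.append(datetime.fromisoformat(line.split()[0]))
    return sorted(times)

def countermeasures(failure_times, hold_time_s):
    """Replay failures; return (trigger_time, blocked_until) per activation."""
    hold = timedelta(seconds=hold_time_s)
    activations = []
    previous = None       # last failure not yet consumed by an activation
    blocked_until = None
    for t in failure_times:
        if blocked_until is not None and t < blocked_until:
            continue      # assumption: TKIP is shut down, failures here are ignored
        if previous is not None and t - previous <= WINDOW:
            # Second failure inside the window: TKIP clients are dropped and
            # redo the 4-way handshake once the hold time has passed.
            blocked_until = t + hold
            activations.append((t, blocked_until))
            previous = None
        else:
            previous = t  # first failure: logged only
    return activations

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for hold in (0, 60):
        hits = countermeasures(failures, hold)
        print(f"hold-time {hold:>2}s: {len(hits)} client disconnect event(s)")
        for start, end in hits:
            print(f"   triggered {start.time()}  TKIP blocked until {end.time()}")
```

With the constructed sample, a hold time of 0 produces two disconnect events and a hold time of 60 produces one, because the failures that keep arriving are no longer masked by the block period.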

stanleyworks
Level 1

For us, the only way to solve this issue was to disable TKIP and enable AES only.
