I've seen the "MFP anomaly detected" before but never really researched it.
As for your interfaces of the APs going up and down, do you have RLDP (Rogue Location Discovery Protocal) turned on? If so, I believe that is why your interfaces are going up and down. If they are only going up and down for a brief milisecond that is likely why, I believe.
The controller may generate "MFP Anomaly Detected" alarms, which are reported as 'Invalid MIC' events. The alarms may originate from many different valid APs.
This condition does not affect the operation of the access points. These messages can be normal in the course of AP operation,etc. and Cisco typically recommends that MFP be disabled so that it does not cause client issues since this is especially seen with older clients(or clients not having the most up to date drivers).
A workaround would be to disable and then re-enable the access points identified in the messages, or you can try and disable MFP validation on some of the APs, or disable Infrastructure MFP globally.
This can be done from the WLC GUI at Security->Wireless Protection Policies>AP Authentication/MFP, or by using the WLC CLI command: config wps mfp infrastructure disable
I'm curious - you stated "and Cisco typically recommends that MFP be disabled" - where did you get that information? My understanding was that MFP should be enabled, and optional for the clients. currently running 184.108.40.206 at this particular customer.
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...