Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

WLC 2504 v7.5.102.0 Client Association Issues. Association not consistent

Hi All,

I'm having a strange issue whereby client association to my corporate or guest wifi ssid are not consistent. Sometimes I have no issues connecting repeatedly and other times I cannot connect and receive the "Windows was unable to connect to *SSID*"

I'm unable to determine whether it is a wireless association issue or if its a authentication issue as I have troubles connecting to both my secure (WPA2, AES, 802.1x) corporate wifi or my guest (Open Auth) wifi.

Currently per day I have about 15 users using the wifi on both SSID's. The access points are right in the vicinity of the users. I have 2 LAP1142 access points on separate 802.11a/b/g/n channels and signal strenght is always high.. I'm certain its not co-channel interference or interference whatsoever. RSSI values are -60dBm and SNR 30+ dB. On average I will have 10 users on the wireless fine but one or two people are unable to connect.

I have had wireshark run and when it does not connect I do not see anything in the logs. No traffic is captured!

I cannot see the AAA capturing anything. Signal strength as stated above is high ( I have the AP on my desk!)

Sometimes I can instantly connect with no troubles and other times its not association at all. I've recently updated to version 7.5 and these issues started to occur. Previous version 7.3 had no problems at all for years!.

The logs in the WLC show

*Dot1x_NW_MsgTask_0: Nov 27 04:42:09.956: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:864 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 24, Key type 1, client 3c:a9:f4:4x:xx:xx

Does anyone have an idea what could this issue could be?

Many thanks

7 REPLIES
New Member

WLC 2504 v7.5.102.0 Client Association Issues. Association not c

Nobody?

New Member

WLC 2504 v7.5.102.0 Client Association Issues. Association not c

Thanks for your reply Sandeep. Been working on it all afternoon with debugging.

To answer your question, sometimes I can connect and sometimes I cannot. This afternoon I haven't been able to connect much at all. 2 out of 20 times perhaps. Other users I can see are connected to the two access points in this office. This isn't just happening on my laptop but several laptops. Same symptom.

Heres the dot1x output I have captured from the debug of a FAILED association attempt.

(Cisco Controller) >show debug

MAC Addr 1.................................. 3C:A9:F4:36:1C:48

Debug Flags Enabled:

  dot1x aaa enabled.

  dot1x packet enabled.

  dot1x events enabled.

  dot1x states enabled.

(Cisco Controller) >*DHCP Socket Task: Nov 27 07:44:49.842: 3c:a9:f4:36:1c:48 apfMsRunStateInc

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Processing RSN IE type 48, length 22 for mobile 3c:a9:f4:36:1c:48

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Received RSN IE with 0 PMKIDs from mobile 3c:a9:f4:36:1c:48

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Found an cache entry for BSSID 20:bb:c0:c9:26:92 in PMKID cache at index 0 of station 3c:a9:f4:36:1c:48

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Removing BSSID 20:bb:c0:c9:26:92 from PMKID cache of station 3c:a9:f4:36:1c:48

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Resetting MSCB PMK Cache Entry 0 for station 3c:a9:f4:36:1c:48

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Setting active key cache index 0 ---> 8

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 unsetting PmkIdValidatedByAp

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 apfMsRunStateDec

*apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 apfMs1xStateDec

*dot1xMsgTask: Nov 27 07:45:15.287: 3c:a9:f4:36:1c:48 Disable re-auth, use PMK lifetime.

*dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 dot1x - moving mobile 3c:a9:f4:36:1c:48 into Connecting state

*dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 1)

*dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 Sending 802.11 EAPOL message  to mobile 3c:a9:f4:36:1c:48 WLAN 3, AP WLAN 3

*dot1xMsgTask: Nov 27 07:45:15.288: 00000000: 02 00 00 3c 01 01 00 3c  01 00 6e 65 74 77 6f 72  ...<...<..networ

*dot1xMsgTask: Nov 27 07:45:15.288: 00000010: 6b 69 64 3d 54 50 49 2d  57 49 46 49 2c 6e 61 73  kid=PI-WIFI,nas

*dot1xMsgTask: Nov 27 07:45:15.288: 00000020: 69 64 3d 4d 2d 54 50 49  2d 51 4c 44 2d 44 43 30  id=M-PI-QLD-DC0

*dot1xMsgTask: Nov 27 07:45:15.288: 00000030: 30 31 2d 57 43 30 31 2c  70 6f 72 74 69 64 3d 31  01-WC01,portid=1

*dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Failure sending WPA EAPOL-Key due to invalid state 0 to mobile 3c:a9:f4:36:1c:48

*dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Unable to send WPA key to mobile 3c:a9:f4:36:1c:48

(Cisco Controller) >*dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Unable to update broadcast key to mobile 3C:A9:F4:36:1C:48

*osapiBsnTimer: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 802.1x 'txWhen' Timer expired for station 3c:a9:f4:36:1c:48 and for message = M0

*dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 dot1x - moving mobile 3c:a9:f4:36:1c:48 into Connecting state

*dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 2)

*dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 Sending 802.11 EAPOL message  to mobile 3c:a9:f4:36:1c:48 WLAN 3, AP WLAN 3

*dot1xMsgTask: Nov 27 07:45:45.126: 00000000: 02 00 00 3c 01 02 00 3c  01 00 6e 65 74 77 6f 72  ...<...<..networ

*dot1xMsgTask: Nov 27 07:45:45.126: 00000010: 6b 69 64 3d 54 50 49 2d  57 49 46 49 2c 6e 61 73  kid=PI-WIFI,nas

*dot1xMsgTask: Nov 27 07:45:45.126: 00000020: 69 64 3d 4d 2d 54 50 49  2d 51 4c 44 2d 44 43 30  id=M-PI-QLD-DC0

I can see that the WLC has tried to send a EAP-Request/Identity request to the client but no response back. I just don't understand why it works at times and why it doesn't.

It has the same issues on my guest network which is open authentication. Nothing has changed in regards to configuration and it has been working for years. Only thing that changed was a version upgrade to 7.5 three weeks ago.

Here is the debug output of the client MAC when attempting to association to the GUEST network.

(Cisco Controller) >debug client 3C:A9:F4:36:1C:48

(Cisco Controller) >*apfProbeThread: Nov 27 07:53:48.059: aggregated probe IE: TIMESTAMP

*apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Adding mobile on LWAPP AP 20:bb:c0:c9:26:90(0)

*apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Association received from mobile on BSSID 20:bb:c0:c9:26:91

*apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Global 200 Clients are allowed to AP radio

*apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Max Client Trap Threshold: 0  cur: 5

*apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Re-applying interface policy for client

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 In processSsidIE:4565 setting Central switched to TRUE

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 In processSsidIE:4568 apVapId = 2 and Split Acl Id = 65535

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying site-specific Local Bridging override for station 3c:a9:f4:36:1c:48 - vapId 2, site 'default-group', interface 'guest'

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying Local Bridging Interface Policy for station 3c:a9:f4:36:1c:48 - vlan 650, interface id 12, interface 'guest'

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 processSsidIE  statusCode is 0 and status is 0

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 processSsidIE  ssid_done_flag is 0 finish_flag is 0

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 suppRates  statusCode is 0 and gotSuppRatesElement is 1

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Initializing policy

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Not Using WMM Compliance code qosCap 00

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 20:bb:c0:c9:26:90 vapId 2 apVapId 2 flex-acl-name:

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfMsAssoStateInc

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 3c:a9:f4:36:1c:48 on AP 20:bb:c0:c9:26:90 from Idle to Associated

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfPemAddUser2:session timeout forstation 3c:a9:f4:36:1c:48 - Session Tout 65535, apfMsTimeOut '65535' and sessionTimerRunning flag is  0

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Scheduling deletion of Mobile Station:  (callerId: 49) in 65535 seconds

*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Func: apfPemAddUser2, Ms Timeout = 65535, Session Timeout = 65535

*apfMsConnTask_4: Nov 27 07:58:02.023: 3c:a9:f4:36:1c:48 Sending Assoc Response to station on BSSID 20:bb:c0:c9:26:91 (status 0) ApVapId 2 Slot 0

*apfMsConnTask_4: Nov 27 07:58:02.023: 3c:a9:f4:36:1c:48 apfProcessAssocReq (apf_80211.c:7957) Changing state for mobile 3c:a9:f4:36:1c:48 on AP 20:bb:c0:c9:26:90 from Associated to Associated

*apfMsConnTask_4: Nov 27 07:58:02.026: 3c:a9:f4:36:1c:48 Updating AID for REAP AP Client 20:bb:c0:c9:26:90 - AID ===> 4

*apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED

*apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5716, Adding TMP rule

*apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 20:bb:c0:c9:26:90, slot 0, interface = 1, QOS = 0

  IPv4 ACL ID = 255, IPv

*apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 650, Local Bridging intf id = 12

*apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*pemReceiveTask: Nov 27 07:58:04.999: 3c:a9:f4:36:1c:48 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

*pemReceiveTask: Nov 27 07:58:04.999: 3c:a9:f4:36:1c:48 Sent an XID frame

*IPv6_Msg_Task: Nov 27 07:58:05.000: 3c:a9:f4:36:1c:48 Pushing IPv6 Vlan Intf ID 12: fe80:0000:0000:0000:f0a7:e03b:151a:3af8 , and MAC: 3C:A9:F4:36:1C:48 , Binding to Data Plane. SUCCESS !! dhcpv6bitmap 0

*IPv6_Msg_Task: Nov 27 07:58:05.000: 3c:a9:f4:36:1c:48 Link Local address fe80::f0a7:e03b:151a:3af8 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A

(Cisco Controller) >

VIP Purple

Re: WLC 2504 v7.5.102.0 Client Association Issues. Association n

HI Wilton,

What security are you using on your WLAN ?

AES and TKIP both enabled ?

Solution:

Either u should use WPA2/AES or WPA/TKIP not together.

Also check this post: https://supportforums.cisco.com/thread/2252003

Regards

Dont forget to rate helpful posts.

.

New Member

Re: WLC 2504 v7.5.102.0 Client Association Issues. Association n

Corporate WIFI only uses WPA2/AES.

Its happening on my guest network too... i guess more debugging today!

Hall of Fame Super Silver

Re: WLC 2504 v7.5.102.0 Client Association Issues. Association n

Post your show WLAN for both SSID's.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
VIP Purple

Re: WLC 2504 v7.5.102.0 Client Association Issues. Association n


*Dot1x_NW_MsgTask_0: Nov 27 04:42:09.956: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:864 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 24, Key type 1, client 3c:a9:f4:4x:xx:xx


This error stats: The client tried to send a key, when the PEM state on the WLC was START.  More than likely the client thought it could roam, but the WLC thought differently.

question:

1. Only this client have problem or many others??

2. If only one then please update the driver of the device.

Can you please post the log from WLC.

To find out the exact cause please paste the output of this command.

debug client

Regards

Dont forget to rate helpful posts.

New Member

WLC 2504 v7.5.102.0 Client Association Issues. Association not c

disable wmm featured on QoS

WLANS --> Select SSID --> QoS --> wmm policy disabled

Regards,

Habibi

Regards, Habibi
1971
Views
3
Helpful
7
Replies