Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

association issue

I am working in a High Density environment in a school that has an AP, 1140, in every class room to accomodate 20 to 30 clients connecting in each class room.  Using PEAP as the authentication method with Windows 7 clients.  Users are reporting that they have to leave the class room to get associated.  Once associated, they can go back in the class romm and use their device just fine.

Trying to determine what would cause such a behavior. 

20 REPLIES
VIP Purple

association issue

What is the WLC software version you are running ? post "show sysinfo" of your WLC

Rasika

New Member

association issue

7.0.240

Cisco Employee

association issue

post wlan config, debug client and traplog.

New Member

Re: association issue

50 Thu Jan  9 22:03:20 2014 Client Deauthenticated: MACAddress:00:26:82:ea:31

                             :c6 Base Radio MAC:00:23:eb:dc:d1:10 Slot: 1 User

                             Name: unknown Ip Address: unknown Reason:Unspecif

                             ied  ReasonCode: 1

This is the trap log

      

Here is wlan config.  Attached is client debug

WLAN Identifier.................................. 1
Profile Name..................................... SLCSD
Network Name (SSID).............................. SLCSD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control

  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 31
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ 536wlan
Multicast Interface.............................. Not Configured

--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 192.168.73.73 1812

--More-- or (q)uit
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000

--More-- or (q)uit
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Enabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Disabled
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Enabled
Load Balancing................................... Enabled

Hall of Fame Super Gold

association issue

Load Balancing................................... Enabled

Turn this off.

Cisco Employee

Re: association issue

#client going on complete reauth on roaming. Did you configure flex group.

#Check if these AP having similar config ie., wlan to vlan mapping.

*apfMsConnTask_3: Jan 09 21:34:32.093: 00:26:82:ea:31:c6 Updated location for station old AP 00:26:cb:18:2e:d0-1, new AP 00:23:eb:dc:d7:e0-1

*apfMsConnTask_5: Jan 09 21:35:49.460: 00:26:82:ea:31:c6 Updated location for station old AP 00:23:eb:dc:d7:e0-1, new AP 00:23:eb:dc:d1:10-1

#Full Authentications seen due to Client not sending PMKIDs.  When the PMKID

is sent, the WLC is able to match, and not request a full backend auth.  In cases where

the PMKID is not sent, a full auth was required:

*apfMsConnTask_5: Jan 09 21:35:49.460: 00:26:82:ea:31:c6 Received RSN IE with 0 PMKIDs from mobile 00:26:82:ea:31:c6

assume you see this issue only on win 7 clients and not on other including MAC. Try enable client caching/fast reconnect on wireless supplicant and see that helps.

If client supports CCX5 then enable cckm on WLAN.

New Member

Re: association issue

Yes, this only seems to be a win 7 issue, however my win 7 machine is fine, it is some older HP netbooks that are having issues. 

I configured a flex group today, just to see if it would make any difference.  No difference.  Infact, it appears to be worse.

fast reconnect is already enabled on the clients.  I have attached another debug file using the same client we worked with yesterday.

If we move far away enough from the AP, we finally get a connection.  One thing I do notice is that there are a lot of EAP timeouts.

Hall of Fame Super Silver

Re: association issue

Can you post your show wlan again

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
New Member

Re: association issue

This project is an attempt at High density for a 1:1 deployment in a school.  When I move into a part of the building that doesn't have quite as many APs, I have no issues.  Even though 2.4 GHz is enabled, all of these problems are occuring on 5 GHz.  I was beginning to think there may be co-channel interference issues, even on 5 GHz.

WLAN Identifier.................................. 1
Profile Name..................................... SLCSD
Network Name (SSID).............................. SLCSD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control

  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 9
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ 536wlan
Multicast Interface.............................. Not Configured

--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 192.168.73.73 1812

--More-- or (q)uit
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000

--More-- or (q)uit
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Enabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Disabled
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Enabled
Load Balancing................................... Enabled

Hall of Fame Super Silver

Re: association issue

Please disable client load balancing

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: association issue

I have tried that.  It really hasn't seemed to make any difference at all.

Re: association issue

What power levels are your AP at?  Hopefully you should be down around a 3 maybe a 4.  It could be that the clients are hearing too many AP, and the one that is closest is too hot for them to hear clearly.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

association issue

Steven,

I actually found a document about High density and made a few tweaks, one of which was the TPC settings to help RRM turn down the radios.  They are at level 4 or lower.  I also made 24 mbps the manditory data rate.

Now I did find some potential sources of interference, even in the 5GHz band that I will be looking into.  The problem with the Interference is that CiscoPrime doesn't get too many radio interference alerts.  I lean toward the interference issue because these netbooks stink in a certain part of the building, but other devices are not affected, such as a full laptop or ipads.  Those HP drivers do stink!  These are older netbooks and they have the latest driver that is available.  Now, I am running somewhat older code.  7.0.240, but I am a little worried about updating in fear that I will break more of these netbooks.  We have well over 1000 of these devices in 40 locataions.

Hall of Fame Super Silver

Re: association issue

Well... even if it doesn't.... you should still disable that, because in the long run, it will.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

association issue

Hey Scott,

After a lot of tinkering, it looks like load balancing was the culprit.  When we have it off, things are much improved.  Now, what I want to understand is why. 

association issue

Load balancing attempts to have the client device join another AP, as it has reached a threshold of users, 12 IIRC.

What the AP does is send a messae type 17 to the client, but on teh 4th attempt the cleint is allowed on the AP.

The mechanism is to hopefully keep the AP from being to loaded with clients, but it is up to the client driver to accept that message type, and from what I know, most do not.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

association issue

Stephen,

I understand the mechanics behind load balancing, code 17 and when the client could possibly be denied.  What I don't understand is that clients are close enough to APs, this is a high density environment, where you would think that the client would just connect to a nearby AP after it gets the code 17, but that wasn't happening. 

I guess it could have been that the client ignored code 17.  Users would have to leave the room and go back out into the hall to connect.  Then they would be on just fine.  I have had load balancing on just fine for years, even in this high density environment and either never had the issue, or the issue has been happening the whole time, and I am only just now hearing about it.

Hall of Fame Super Gold

association issue

it is some older HP netbooks that are having issues.

Funny you should mention that ... We have heaps of HP netbooks.  One batch had trouble authenticating after I upgraded the WiSMs to 7.5.  So I recommended the wireless NIC cards' drivers be updated.  The tech said he went to the HP website and downloaded the drivers but the problem persists.  I went to the manufacturer's website and saw more advanced version of the drivers.  And this fixed the issues completely.

New Member

association issue

Ah, the manufacture of the NIC.  We will try that.  I have also considered tweaking eap timers.  The hard thing is that these nebooks have issues in a couple areas of the building.  Take them elsewhere and they work just fine.  I have gone full circle thinking that interference was the cause, then turned APs down, looking at EAP timeouts and I am back to interference.

Drivers may help, but what I can't get over is that if these same netbooks work just fine in other parts of the building.  The only "interference" source that I found is that there are like 120 dual band wifi graphing calculators.  I had no idea they had them and found them with Cisco Spectrum Expert.  I am kind of wishing that I had clean air at this site. 

I took a client debug called association2 that is posted above.  Have a look,  It shows attempts and it finally succedds when we leave the trouble area of the building.

Cisco Employee

association issue

Interference, powerlevel and softwre needs to be checked.

578
Views
0
Helpful
20
Replies
CreatePlease to create content