Cisco Support Community
Community Member

MFP Anomaly Detected

Hi,

I have seen this message log on a WLC 5508 running 7.5 code, but I haven't found any information about it. I will be grateful if anybody knows what it means.

thanks

MFP Anomaly Detected - 3 Not encrypted event(s) found as violated by the radio XX:XX:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP XX:XX:XX:XX:XX:XX in 300 seconds when observing Disassoc, Deauth. Client's last source mac XX:XX:XX:XX:XX:XX

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

MFP Anomaly Detected

These are the respective defects filed for the mentioned issues.

CSCum49200 Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum62305 Traffic stops for iphone/mac OS in 7.6 in 3600/3700

44 REPLIES

MFP Anomaly Detected

Hello,

As per your query, I can suggest the following solution:

This error message is seen when frames with incorrect MIC values are detected by MFP enabled LAPs. Refer to Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example for more information on MFP. Complete one of these four steps:

  1. Check and remove any rogue or invalid APs or clients in your network, which generate invalid frames.
  2. Disable the Infrastructure MFP, if MFP is not enabled on other members of the Mobility group as LAPs can hear management frames from LAPs of other WLCs in the group that do not have MFP enabled. Refer to Wireless LAN Controller (WLC) Mobility Groups FAQ for more information on Mobility Group.
  3. The fix for this error message is available in the WLC releases 4.2.112.0 and 5.0.148.2. Upgrade the WLCs to either of these releases.
  4. As a last option, try to reload the LAP that generates this error message.

Hope this will help you.

Community Member

MFP Anomaly Detected

Upgrade from 7.5 to 4 or 5 level code? I am also receiving these errors; I check my rogues every morning. Also, since upgrading to 7.5, I see an unreasonable amount of rogues I have never seen before. Something is wrong with the code. I also get complaints that clients randomly hang since 7.5.

08:01:47 2013

MFP Anomaly Detected - 1 Not encrypted event(s) found as violated by the radio xxxxx and detected by the dot11 interface at slot 0 of AP xxxxxx in 300 seconds when observing . Client's last source mac xxxxxx

Community Member

Re: MFP Anomaly Detected

Same here. Upgraded from 7.4 to 7.6 (because of support for 3700 APs) and now I get "flooded" with these messages 24/7. I already disabled Infrastructure MFP and also set MFP from optional to disabled on all of my WLANs but the problem still persists. There seems to be something wrong within the code...

Hall of Fame Super Silver

Re: MFP Anomaly Detected

I also see that message and I'm running v7.6. I have MFP disabled and still seeing errors from clients in that WLAN.

Have you experienced clients, mainly Apple devices, lose layer 2/3 connectivity but still associated and in the RUN state? George and I have been testing this and we have seen it on the 3600's and the 3700's? If so, keep us posted.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: MFP Anomaly Detected

Well Scott,

I only replaced one (the one in my area) of our 1260's at the moment to be sure everything runs fine with the new APs, so I only have about 20 clients (some Android, iOS, many Win7) connected to the 3700 at the moment and nearly all of them run fine. Only one iPhone 5c which is connected to our guest WLAN, web-authenticated and in RUN state has to repeat the web-auth nearly every time it awakes. I tried with another iPhone 4 and a Galaxy S4 and none of them had any troubles. I even went home with them and the next morning they could browse the web without the need for repeating web-auth. All of these devices are associated and in RUN state, but this particular 5c always has to repeat the web-auth... I'm not sure if this has to do something with 7.6 or the 3700, but since you asked. BTW, my global idle-timeout is set to 24h, idle-timeout at WLANs advanced settings is disabled and eap-bcast-key-interval is also 24h, so this can't be the problem.

Additionally I experience loss of L2 connectivity with my own notebook with Intel 7260AC when connected at 11ac, but this seems to be a problem of this card and its drivers as far as I found out with Google... The Galaxy S4 has a stable connection to the 3700 at 11ac.

But this MFP thing is really annoying at the moment and the solution "try to reload the LAP" won't work at all - I'd have to reload all of them (but even tried one, without success)...

Regards,

Christian

Hall of Fame Super Silver

Re: MFP Anomaly Detected

Christian,

George and I are working with the BU on some issue with losing layer 2 and v7.6. I have seen issues with my iPhone, iPad and some Windows machines but a MacBook Air has no issues. I would open a TAC case so maybe they can start logging something.

George has some MacBooks on the 3700 that also lose layer 2. I'm currently testing on the 3600's but will test on the 3700 this week.

-Scott
Community Member

MFP Anomaly Detected

Hi Scott,

I installed many of the 3702 this week and a lot of our users are using Apple products so they should complain if something doesn't work anymore as it did before. I'll keep you updated, but as Saravanan stated that Cisco is already working on this I'd think that we would also run into these effects...

BTW, MFP is still flooding the logs...

regards,

Christian

Hall of Fame Super Silver

MFP Anomaly Detected

George and I have been working with the BU on issues with v7.6 and I do see issues mainly with Apple, but also with a few Windows machines. MFP logs..... well yes I see those too and just tend to ignore them as most likely an upgrade would or might fix that. Give it some time for users to really complain... I have seen clients bring us in after a few months, because they find out that users are finally complaining that they have to reboot or reset their wireless every so often. I use my iPhone a lot and I notice it right away and typically have to just disable my wireless and use cellular. Apple TVs don't seem to have issues, but that's what I have seen so far.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"


Hi Scott,

Are you still seeing these issues even on the latest 7.6.120.0?  Specifically, the L2 communication loss on the Apple devices?

Thanks!

Community Member

We were running 7.6.120 on one of our controllers, and that's when we started seeing those alarms. I've upgraded that controller to 8.0, and those messages have disappeared.

Community Member

I see the error message with 7.6.130 code. Here is the setup detail:

WLC2504 running 7.6.130

AP3702

Error message screenshot attached.

Thanks, Kunal
Happy to help you!
Community Member

Hi,

I am having an AP image upgrade problem. I have a 5500 WLC which has been upgraded from 7.3 to 7.6.130. When I run the AP pre-download option, the 2602 and 3602 AP image upgrade fails every time, though some of the 2600/3600 are working fine with 7.6. I have also tried to reboot the APs so that they can auto-upgrade their image while contacting the WLC, but it did not help. I have gone through the Cisco wireless compatibility list but nothing helped me. Please suggest any solution for this issue.

Community Member

Hi Mohit, If you haven't fixed this issue, often doing a factory reset on the AP can help when an AP won't preload.  Remember this wipes your high availability and IP settings off the AP so use carefully...:)

Cisco Employee

MFP Anomaly Detected

These are the respective defects filed for the mentioned issues.

CSCum49200 Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum62305 Traffic stops for iphone/mac OS in 7.6 in 3600/3700

VIP Purple

MFP Anomaly Detected

Hi Saravanan,

Is this first bug internal? I cannot see the detail due to no privileges.

Regards

Rasika

Cisco Employee

MFP Anomaly Detected

Yes, it was, but I made it external; it will take 24hrs or so to be externally visible. Anyway, both bugs address the same issue.

VIP Purple

MFP Anomaly Detected

Thanks for the update Saravanan

VIP Purple

MFP Anomaly Detected

Hi Saravanan,

Checked it again today & still no visibility of CSCum49200, still may be internal to Cisco.

Pls check that.

Rasika

Cisco Employee

MFP Anomaly Detected

I checked now and am able to see it.

Mac wireless clients in RUN state sometimes unable to ping gateway

CSCum49200

Description

Symptom: Sometimes MAC clients will be associated and RUN state but unable to ping the gateway

Conditions: WLC running 7.6.100.0 with three ap3600s

Workaround: none

More Info: see description

Hall of Fame Super Silver

MFP Anomaly Detected

Good deal.... it's visible now.

Thanks,

Scott

Cisco Employee

MFP Anomaly Detected

Adding a related defect:

CSCuj17283 WiFi clients dropping ARP  replies on TID 3 w/ ap3700 (on some switches)

Workaround:

Change WLAN QoS profile to Voice, Video or Background (not Best Effort)

Hall of Fame Super Silver

MFP Anomaly Detected

Thanks for the update!

Thanks,

Scott


MFP Anomaly Detected

Glad to see that you guys could reproduce it ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Hall of Fame Super Silver

Re: MFP Anomaly Detected

George,

I think we need to follow up with them just to see if they have another ticket created from our testing. I sent them my config so they can test as close to my environment as possible.

-Scott
Cisco Employee

MFP Anomaly Detected

#Appreciate you guys on bringing in hot issues.

#For issue recreation, the credit goes to a BU escalation.

Community Member

Re: MFP Anomaly Detected

I have upgraded to 7.6.100 on my 5508 and 2504's. The rogue detection is working much better and I am not getting the MFP errors anymore. I have 1250, 1040 and 1140 LWAPs. Not sure if clients continue to hang and get disconnected, but it's been about a week, so no news is good news.

Community Member

MFP Anomaly Detected

Hello,

This weekend we updated our customer's WLC to 7.6.100 and also get messages from WCS with MFP Anomaly detection.

The Customer will disable MFP under the WLAN configuration.

I hope this will help and stop these messages.

The global MFP Protection was disabled.

Hall of Fame Super Silver

Re: MFP Anomaly Detected

I get those messages still and MFP is disabled on my WLAN's.

-Scott
Hall of Fame Super Silver

MFP Anomaly Detected

Thanks for the update... George and I have been working with a few guys on your end with the issues we were seeing.

Thanks,

Scott
