Mobility Anchor connection drops during authentication

hegedusi · ‎01-15-2014

Hi,

I have a strange situation, hopefully someone can help. I have a WLAN setup with foreign - anchor controllers and MAC address authentication using central RADIUS server. In some cases for some clients the foreign export cannot build up because during the 802.11 process the foreign disconnects the client due to a session timer expires. Some clients can connect, others experience this issue. Sometimes client can get IP address via the anchor DHCP proxy but then foreign disconnects it with expiring message. (foreign sw version 6.0.202, anchor sw version 6.0.188 but we have same situation with other foreign which has 7.4.110 version)

Debug shows the following (suspicious part is in red):

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Reassociation received from mobile on AP e8:04:62:f6:bf:00

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying site-specific IPv6 override for station 60:c5:47:99:b0:a6 - vapId 3, site 'default-group', interface 'management'

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying IPv6 Interface Policy for station 60:c5:47:99:b0:a6 - vlan 850, interface id 0, interface 'management'

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 STA - rates (6): 24 164 48 72 96 108 0 0 0 0 0 0 0 0 0 0

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [e8:04:62:f6:cd:d0]

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Updated location for station old AP e8:04:62:f6:cd:d0-0, new AP e8:04:62:f6:bf:00-0

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 apfProcessAssocReq (apf_80211.c:4270) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Probe to AAA Pending

*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds

*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 2

*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6

*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile

*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Initializing policy

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP e8:04:62:f6:bf:00 vapId 3 apVapId 3

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from AAA Pending to Associated

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 49) in 7200 seconds

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Sending Assoc Response to station on BSSID e8:04:62:f6:bf:00 (status 0) Vap Id 3 Slot 0

*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfProcessRadiusAssocResp (apf_80211.c:1956) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Associated

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Applying post-handoff policy for station 60:c5:47:99:b0:a6 - valid mask 0xb00

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 QOS Level: -1, DSCP: -1, dot1p: -1, Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Session: 7200, User session: 7201, User elapsed 104 Interface: (null) ACL: N/A

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 16

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 55) in 7200 seconds

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED

*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)

*Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4245

*Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Adding Fast Path rule type = Airespace AP Client on AP e8:04:62:f6:bf:00, slot 0, interface = 29, QOS = 0 ACL Id = 255, Jumbo Frames = NO, 802.1

*Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)

*Jan 15 12:07:01.332: 60:c5:47:99:b0:a6 Set bi-dir guest tunnel for 60:c5:47:99:b0:a6 as in Export Foreign role

*Jan 15 12:07:01.335: 60:c5:47:99:b0:a6 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4

*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete

*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMmProcessDeleteMobile (apf_mm.c:531) Expiring Mobile!

*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Disassociated

*Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Disassociated to Idle

*Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [e8:04:62:f6:bf:00]

*Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 Deleting mobile on AP e8:04:62:f6:bf:00(0)

*Jan 15 12:07:11.894: 60:c5:47:99:b0:a6 0.0.0.0 Removed NPU entry.

*Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Adding mobile on LWAPP AP 68:bd:ab:48:80:f0(0)

*Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds

*Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 apfProcessProbeReq (apf_80211.c:4761) Changing state for mobile 60:c5:47:99:b0:a6 on AP 68:bd:ab:48:80:f0 from Idle to Probe

Question: Why is that 10 sec timer still ticking at that phase when client already reached RUN state?

On a foreign wlc with sw 7.4.110 using anchor with sw 6.0.188 the situation is even worse, all clients have this issue and cannot connect.

Thanks

Hege

Saravanan Lakshmanan · ‎01-15-2014

do you have different dhcp addr assign/requirement settings between foreign and anchor.

hegedusi · ‎01-16-2014

Hi,

Yes, that was the first thing to check. We don't use the DHCP required option (unchecked on both sides). The only difference between acnhor and foreign configuration is that in foreign L2 macfiltering is enabled and radius servers are specified while on anchor it is not enabled and specified. I have tried it on anchor with enabling macfiltering (without radius servers specified there) but I have the same behaviour. AAA override is also enabled on both sides.

I have also increased the authentication timeout in advanced timers options from 10 sec to 40 secs but no luck, debug shows the same 10secs.

I am thinking on 2 options. 1st option is that the anchor software is too old (6.0.188) and needs to be upgraded to 7.0.240 (anchor is a 4400 wlc). 2nd option is that there might be too much delay between anchor and foreign?

On the same setup if we use guest access with web authentication on the anchor side (no MAC authentication), then eveyrthing is fine.

Thanks

Hege

Scott Fella · ‎01-16-2014

Well you might be onto something there. Try upgrading and see if that helps.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***