
Wifi clients get disconnected in WLC - LAP solution

Hello all,

I would like to know all the possible reasons for wireless clients to get disconnected in a LAP (to WLC) solution. We have a WAN (MPLS) between the LAP and the WLC, and on the remote site (where we only have the LAP, since the WLC is in the central site) we have clients disconnecting.

This is the error that we see in the traplog:

Decrypt errors occurred for client XX:XX:XX:XX:XX:XX:XX using WPA key on 802.11b/g interface of AP XX:XX:XX:XX:XX:XX:XX

Can anyone tell me what can be wrong? Can packet loss cause this? Packet loss of which packets? Data packets or some other packets? Or can network delay produce this? I know we have fragmentation, and maybe it can be that fragments are failing somewhere. But I would like to know what should happen in order for this message to be displayed and the client to be disconnected.




Re: Wifi clients get disconnected in WLC - LAP solution

This mostly occurs due to incompatibility on the client side. Try these steps in order to fix this issue:

Check if the client is Wi-Fi certified for WPA2 and check the configuration of the client for WPA2.

Check the data sheet in order to see if the client Utility supports WPA2. Install any patch released by the vendor to support WPA2. If you use Windows Utility, make sure that you have installed the WPA2 patch from Microsoft in order to support WPA2.

Upgrade the client's Driver and Firmware.

Turn off Aironet extensions on the WLAN.


Re: Wifi clients get disconnected in WLC - LAP solution


I found out the answer a couple of days ago. I totally forgot about this post :)).

Finally, the problem was in fragmented packets that were lost in defragmentation in the devices in the middle (between the Cisco WLC and the LAPs).

I found out the very annoying fact that the Cisco WLC does not support ICMP redirect messages. In my scenario, some switch was returning ICMP redirects to every client on the network where the WLC resides. But since the WLC doesn't support ICMP redirects, it kept sending fragments to this switch, and eventually we had a lot of duplicated fragments going through our firewalls.

Those duplicated fragments eventually started being dropped, and after this we started having a lot of errors such as this one, and also errors in the log showing replay attacks and clients unable to authenticate.

As soon as the network was redesigned to avoid ICMP redirects ever happening (moved the other firewalls onto separate LANs so the switch was the only gateway for the WLC), this problem stopped.