New Member

No valid PMKID found in the MSCB

I'm having issues roaming on the 2.4 802.11b/g/n network... It works some of the time, but then my mobile client gets disconnected.

5508 Code 7.4.100.0

30 APs  - AIR-CAP3602I-A-K9 


Any ideas?

error log:

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Reassociation received from mobile on BSSID f8:4f:57:e3:00:a2

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Global 200 Clients are allowed to AP radio

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Max Client Trap Threshold: 0  cur: 24

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Rf profile 200 Clients are allowed to AP wlan

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Re-applying interface policy for client

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 In processSsidIE:4256 setting Central switched to FALSE

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying site-specific Local Bridging override for station 00:90:4c:52:0e:a0 - vapId 3, site 'HQ-01', interface 'management'

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Local Bridging Interface Policy for station 00:90:4c:52:0e:a0 - vlan 0, interface id 0, interface 'management'

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying site-specific override for station 00:90:4c:52:0e:a0 - vapId 3, site 'HQ-01', interface 'management'

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Re-applying interface policy for client

*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 processSsidIE  statusCode is 0 and status is 0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 processSsidIE  ssid_done_flag is 0 finish_flag is 0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 STA - rates (8): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 suppRates  statusCode is 0 and gotSuppRatesElement is 1

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 STA - rates (10): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Processing RSN IE type 48, length 38 for mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Received RSN IE with 1 PMKIDs from mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: Received PMKID:  (16)

*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] fa 18 3d af eb a4 7a 7e 9d e9 5c 80 b4 fd f1 f1

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Searching for PMKID in MSCB PMKID cache for mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 No valid PMKID found in the MSCB PMKID cache for mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Trying to compute a PMKID from MSCB PMK cache for mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: BSSID =  (6)

*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] f8 4f 57 e3 00 a0

*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: realAA =  (6)

*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] f8 4f 57 e3 00 a1

*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: PMKID =  (16)

*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] fa 18 3d af eb a4 7a 7e 9d e9 5c 80 b4 fd f1 f1

*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: AA (6)

*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] f8 4f 57 e3 00 a1

*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: SPA (6)

*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] 00 90 4c 52 0e a0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from MSCB PMK cache for mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Searching for PMK in global PMK cache for mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Found an entry in the global PMK cache for station 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: AA (6)

*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] f8 4f 57 e3 00 a1

*apfMsConnTask_3: Jan 28 14:22:53.934: CCKM: SPA (6)

*apfMsConnTask_3: Jan 28 14:22:53.934:      [0000] 00 90 4c 52 0e a0

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from global PMK cache for mobile 00:90:4c:52:0e:a0

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Setting active key cache index 0 ---> 8

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 unsetting PmkIdValidatedByAp

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Deleted mobile LWAPP rule on AP [dc:a5:f4:64:63:90]

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Updated location for station old AP dc:a5:f4:64:63:90-0, new AP f8:4f:57:e3:00:a0-0

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfMsRunStateDec

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfMs1xStateDec

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Change state to START (0) last state RUN (20)

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 START (0) Initializing policy

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 8021X_REQD (3) DHCP required on AP f8:4f:57:e3:00:a0 vapId 3 apVapId 2for this client

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Not Using WMM Compliance code qosCap 00

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 8021X_REQD (3) Plumbed mobile LWAPP rule on AP f8:4f:57:e3:00:a0 vapId 3 apVapId 2 flex-acl-name:

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 00:90:4c:52:0e:a0 on AP f8:4f:57:e3:00:a0 from Associated to Associated

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfPemAddUser2:session timeout forstation 00:90:4c:52:0e:a0 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_3: Jan 28 14:22:53.935: 00:90:4c:52:0e:a0 Sending Assoc Response to station on BSSID f8:4f:57:e3:00:a1 (status 0) ApVapId 2 Slot 0

*apfMsConnTask_3: Jan 28 14:22:53.935: 00:90:4c:52:0e:a0 apfProcessAssocReq (apf_80211.c:7391) Changing state for mobile 00:90:4c:52:0e:a0 on AP f8:4f:57:e3:00:a0 from Associated to Associated

*apfMsConnTask_3: Jan 28 14:22:53.937: 00:90:4c:52:0e:a0 Updating AID for REAP AP Client f8:4f:57:e3:00:a0 - AID ===> 103

*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 Disable re-auth, use PMK lifetime.

*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 dot1x - moving mobile 00:90:4c:52:0e:a0 into Connecting state

*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 Sending EAP-Request/Identity to mobile 00:90:4c:52:0e:a0 (EAP Id 1)

*apfMsConnTask_2: Jan 28 14:22:53.942: Stats update: Non Zero value

*apfMsConnTask_2: Jan 28 14:22:53.942: Stats update: Non Zero value

WLAN config

WLAN Identifier.................................. 3

Profile Name..................................... Employee

Network Name (SSID).............................. Employee

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

   DHCP ......................................... Disabled

   HTTP ......................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 166

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 86400 seconds

User Idle Timeout................................ 28800 seconds

--More-- or (q)uit

User Idle Threshold.............................. 100 Bytes

NAS-identifier................................... BLUE-5508-01

CHD per WLAN..................................... Disabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

--More-- or (q)uit

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Disabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ 10.0.12.72 1812

   Accounting.................................... 10.0.12.72 1813

      Interim Update............................. Disabled

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

--More-- or (q)uit

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

                                                               Auth Key Management

         802.1x.................................. Enabled

         PSK..................................... Disabled

         CCKM.................................... Enabled

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Disabled

         PMF-1X(802.11w)......................... Disabled

         PMF-PSK(802.11w)........................ Disabled

      FT Reassociation Timeout................... 20

      FT Over-The-DS mode........................ Disabled

      GTK Randomization.......................... Disabled

--More-- or (q)uit

      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Enabled

   flexconnect Central Dhcp Flag................. Disabled

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Optional

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

--More-- or (q)uit

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled


36 REPLIES
Hall of Fame Super Silver

Re: No valid PMKID found in the MSCB

Tough to say... I would set the idle timer and session timer back to default since you're not using webauth.  Session to 1800 and idle to 300, and maybe disable CCKM and test again, unless these are phones.

Do you see errors on the radius?

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: No valid PMKID found in the MSCB

Hey, thanks for your input... I've read a lot of your posts and have learned a lot...

I'm using Microsoft RADIUS on a 2008 MS Server. I'm not seeing errors in the RADIUS log.

Also, this is a Flexconnect setup with local switching and central auth.

I just enabled CCKM before my post; I disabled that and retested... same results.  I have an Android Samsung Galaxy Nexus... I have tested on both 2.4 and 5 and it IS affecting both networks... just a little more noticeable on the 2.4...

It does not affect laptops connected to the SSID... (in the logs each AP searches for the PMKID, finds it, and is able to roam with no issues) no disconnects...

I have clients that complain about random disconnects on the mobile phones... After running debug and fixing other issues, like turning off Rogue Location Discovery Protocol, random disconnects have improved, but now this is the only issue I see... I have gotten complaints from Apple users and Android users at all of our sites...

When I walk around, my phone will roam for about 2-3, maybe 4 APs, then disconnect and reconnect just fine. Other times it may only roam to the 2nd AP and fail on the 3rd.

I've tried turning everything I can off to test... I have to be missing something... I'll set the session to 1800 and idle to 300 timers and retest this afternoon.


Hall of Fame Super Silver

Re: No valid PMKID found in the MSCB

One thing you need to make sure of is that the wlan to vlan mappings are correct... there have been cases that the wlan to vlan mappings change.... also make sure your AP is connected to a trunk port and the vlans are allowed in the trunk.  I had to troubleshoot an issue yesterday and this was the problem, so users would associate, but can't get anywhere because the wlan to vlan mappings were wrong or the AP was connected to an access port and not a trunk port.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: No valid PMKID found in the MSCB

Yeah, I'm all good on the VLAN mappings... everything works quite well, just random/roaming disconnects... I do have interference issues at one building but not all, and I'm seeing random/roaming disconnects at all locations and on the 5 GHz network where interference is not an issue... so I'm convinced it's a global setting somewhere... unless it's code issues... I was thinking of upgrading unless that's a bad idea...

Hall of Fame Super Silver

Re: No valid PMKID found in the MSCB

The WLAN configuration looks fine except for the things I pointed out that I would change.  Roaming with mobile devices... well it will not be like laptops for sure.  There are only a few other things you can really change.  Set DCA to 24 hours so that channels are not changing, maybe disable the lower data rates so devices don't get sticky.

If you post your show run (remove credentials), I can see how the environment is and give you more input.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: No valid PMKID found in the MSCB

Attached showrun...I have already set DCA to 24 hrs on the 2.4 network.......

Hall of Fame Super Silver

Re: No valid PMKID found in the MSCB

There are a few things I see... You have AP SSO configured, so just want to make sure you're running AP SSO?  Also, for AP SSO, it's best to use v7.4.110.0 or v7.4.121.0... fixes a lot of issues with HA.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: No valid PMKID found in the MSCB

Yep... I have a pair of 5508s in HA... tested, working good... I know there are some gotchas doing AP SSO... let me know if it's a good thing to run in HA...

Hall of Fame Super Silver

Re: No valid PMKID found in the MSCB

Hahaha... AP SSO is best run on v7.4.110.0 or v7.4.121.0... so if you have an HA SKU WLC, you can keep AP SSO or use the N+1 design.

http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/N1_HA_Overview.html

Also I do see that the APs see a high channel utilization.

I will review it more

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: No valid PMKID found in the MSCB

Ahh, I see... lol... makes sense... I'll schedule an upgrade then... As far as channel utilization goes, the problem I saw doing a site survey was our metal blinds over all the outside windows causing noise at one of our locations... I can see interference being an issue for our one location but not all... Maybe it's time for another site survey on both 2.4 and 5... just trying my options before another site survey...

Hall of Fame Super Silver

No valid PMKID found in the MSCB

It might be a good idea to.  That would be my suggestion also:)

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

No valid PMKID found in the MSCB

Bryant,

Download the config analyzer and run your show run-config into that.... you can see suggestions and if you understand the tool, it can help you look at areas where you might be able to tweak.

https://supportforums.cisco.com/docs/DOC-1373

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

No valid PMKID found in the MSCB

I am having the same problem.  5508 running 7.0.240.  System works fine for data users, but we are testing Jabber clients for the first time and see a lot of lost calls while roaming between APs.  My debug client output looks just like Bryant's.  It shows a reassociation request with a PMKID provided by the client.  Then "No valid PMKID found in the MSCB PMKID cache for mobile", "Unable to compute a valid PMKID from MSCB PMK cache for mobile", "Found an entry in the global PMK cache for station", then "Unable to compute a valid PMKID from global PMK cache for mobile".  The client is then successfully reauthenticated, but the delay impacts voice calls.  What would cause this behavior?  Debug below:

*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Received RSN IE with 1 PMKIDs from mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: Received PMKID:  (16)

*apfMsConnTask_4: Feb 10 13:35:48.910:      [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36

*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Searching for PMKID in MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f No valid PMKID found in the MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Trying to compute a PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: CCKM: Find PMK in cache: BSSID =  (6)

*apfMsConnTask_4: Feb 10 13:35:48.910:      [0000] 6c 50 4d 2a b7 40

*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: Find PMK in cache: realAA =  (6)

*apfMsConnTask_4: Feb 10 13:35:48.911:      [0000] 6c 50 4d 2a b7 4e

*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: Find PMK in cache: PMKID =  (16)

*apfMsConnTask_4: Feb 10 13:35:48.911:      [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36

*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Searching for PMK in global PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Found an entry in the global PMK cache for station 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: AA (6)

*apfMsConnTask_4: Feb 10 13:35:48.911:      [0000] 6c 50 4d 2a b7 4e

*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: SPA (6)

*apfMsConnTask_4: Feb 10 13:35:48.911:      [0000] 88 53 95 42 e9 4f

*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from global PMK cache for mobile 88:53:95:42:e9:4f
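
The lookup sequence in the debug output above, as an added example that is not part of the original posts and is not Cisco code: a Python script that extracts the PMKID lookup outcome from `debug client` lines and recomputes a PMKID with the standard IEEE 802.11 formula, which binds it to the PMK, the authenticator address (AA) and the client address (SPA). The sample lines are excerpted from the first debug in this thread; the PMK is a constructed placeholder, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import re

# Sample input: lines excerpted from the first debug output in this thread,
# trimmed to the PMKID lookup and its outcome.
SAMPLE_LOG = """\
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Received RSN IE with 1 PMKIDs from mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: Received PMKID:  (16)
*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] fa 18 3d af eb a4 7a 7e 9d e9 5c 80 b4 fd f1 f1
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 No valid PMKID found in the MSCB PMKID cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: AA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] f8 4f 57 e3 00 a1
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: SPA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933:      [0000] 00 90 4c 52 0e a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from MSCB PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from global PMK cache for mobile 00:90:4c:52:0e:a0
*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 Sending EAP-Request/Identity to mobile 00:90:4c:52:0e:a0 (EAP Id 1)
"""

# Constructed placeholder; a real PMK comes out of the EAP exchange.
CONSTRUCTED_PMK = bytes(range(32))

LINE = re.compile(r"^\*\w+: \w{3} +\d+ [\d:.]+: (.*)$")
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
HEXDUMP = re.compile(r"^\[\d{4}\]\s+((?:[0-9a-f]{2}\s*)+)$")
# A label line announces a value; the hex dump follows on the next line.
LABELS = {"Received PMKID:": "offered_pmkid", "CCKM: AA": "aa", "CCKM: SPA": "spa"}
FAILS = {
    "No valid PMKID found in the MSCB PMKID cache": "mscb_pmkid_cache",
    "Unable to compute a valid PMKID from MSCB PMK cache": "mscb_pmk_cache",
    "Unable to compute a valid PMKID from global PMK cache": "global_pmk_cache",
}


def analyze(text):
    """Return one record per (re)association that carried PMKIDs in its RSN IE."""
    records, by_client, current, pending = [], {}, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        start = re.match(MAC + r" Received RSN IE with (\d+) PMKIDs", msg)
        if start:
            current = {"client": start.group(1), "pmkids_in_rsn_ie": int(start.group(2)),
                       "failed_lookups": [], "full_reauth": False}
            records.append(current)
            by_client[current["client"]] = current
            pending = None
            continue
        dump = HEXDUMP.match(msg)
        if dump and current and pending:
            current[pending] = "".join(dump.group(1).split())
            pending = None
            continue
        pending = next((f for label, f in LABELS.items() if msg.startswith(label)), None)
        owner = re.match(MAC + " ", msg)
        rec = by_client.get(owner.group(1)) if owner else None
        if rec is None:
            continue
        for needle, stage in FAILS.items():
            if needle in msg:
                rec["failed_lookups"].append(stage)
        if "Sending EAP-Request/Identity" in msg:
            rec["full_reauth"] = True  # fast roam failed, 802.1X starts over
    return records


def pmkid(pmk, aa_hex, spa_hex):
    """PMKID for the 802.1X AKM: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    data = b"PMK Name" + bytes.fromhex(aa_hex) + bytes.fromhex(spa_hex)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16].hex()


def offered_matches(record, cached_pmk):
    """True if the client's PMKID is what this cached PMK yields for the logged AA/SPA."""
    return pmkid(cached_pmk, record["aa"], record["spa"]) == record["offered_pmkid"]


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(rec)
        # A different PMK (or a different AA) gives a different PMKID, so the
        # lookup fails and the client is sent back through full EAP.
        print("matches constructed PMK:", offered_matches(rec, CONSTRUCTED_PMK))
```

A record with all three failed lookups followed by `full_reauth` is the pattern both posters describe: the client offered a PMKID, no cached PMK reproduced it, and 802.1X restarted.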

New Member

No valid PMKID found in the MSCB

Are you running your 5508 in HA (AP SSO)?

New Member

No valid PMKID found in the MSCB

I am not running HA

Re: No valid PMKID found in the MSCB

Apple devices do not support OKC \PMK. Expect poor performance when roaming when 802.1X is used. The device does a full 802.1X auth each time during roaming.

802.11r could fix your problem. But there are reports of issues with this as well.



Sent from Cisco Technical Support iPhone App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

No valid PMKID found in the MSCB

My error was on an Android device. I do understand the OKC \PMK issues around Apple devices; I know you should have another SSID just for Apple devices. We are not there just yet. I get this error every now and then when roaming. I had an older 4400 installed before my 5508s and was running both WPA2 and 802.1X and didn't have this issue... The biggest change is the fact that my older 4400 had all APs running in Local mode, not HREAP. My 5508s have all HREAP or FlexConnect running... Didn't think that would cause this, as I had deployed 200+ HREAP APs with 802.1X without having this issue 3 years ago for another company...

New Member

No valid PMKID found in the MSCB

Also, I have traveled to my other sites and I'm having the same roaming disconnects. So it's not interference/noise. I'm going to be breaking the HA and upgrading code on my 5508s. I will update when I'm complete.

Hall of Fame Super Silver

Re: No valid PMKID found in the MSCB

Bryant,

The poster is running a 5509 with v7.0.240.0, so no HA since it wasn't supported yet in that code. What code are you running for HA?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

No valid PMKID found in the MSCB

Ah, I see... I'm still running 7.4.100.0...

Hall of Fame Super Silver

Re: No valid PMKID found in the MSCB

For HA AP SSO, you're better off on v7.4.121.0

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Hi Bryant

I know this is a very old post, but have you fixed this issue? We are facing pretty much similar thing at the moment. Also 5508, with many FlexConnect APs (in fact, only FlexConnect APs) with locally switched VLANs and central authentication.

In our case Windows 7 x64 machines randomly disconnect (Layer 2 stays up, WLC reports SNR, RSSI, shows client as connected, but Layer 3 hangs - unable to ping default gateway from machines). This happens randomly, for multiple users, at random times and doesn't affect everyone at the same time. We see exclamation mark on the wireless signal bar initially, then all apps disconnect.

Users don't experience any roaming, it may happen on a single AP.

If machine is left intact, it usually reconnects on its own, when PMK/session timeout expires and full reauth takes place. It is also possible to manually re-connect to restore connectivity.

This is so annoying!

We tried to upgrade drivers to different versions, with no luck. It also affects multiple models (and NIC models too, all are Intel though). So, it's a mix of Intel cards with different drivers versions. Only Windows 7 x64 is a common bit. We don't have other clients in this WLAN. CCKM is turned off (no fast roaming is implemented at the moment, but in my understanding we use OKC/SKC as it's turned on by default?)

I believe I will have to raise another post on this forum.

New Member

Hi Tymofii

Were you able to solve your problems in the meantime? I have exactly the same problem, but not only with Cisco FlexConnect APs, but also with Local Mode APs.

What is your setup? We have the following:

- Cisco WLC 2504 (running version 8.0.140.0, but we had the same problems with 8.2.141.0)

- Cisco Aironet 1142 Access Points

- Corporate SSID configured for WPA2/802.1x (CCKM is disabled at the moment), no 802.11r

Thanks and best regards

Dominic

New Member

Hi Dominic

We're still facing it. Although after weeks of troubleshooting we identified it's not only FlexConnect, it affects centrally switched WLANs too (as well as anchored). It's not only Windows 7 x64, it also affects Apple iPhones and iPads. We have this problem on 8.2.141.0 (FlexConnect Deployment) and 8.0.121.0 (Local APs). Our office with 1142s is struggling the most, but we also see this on 2600s (8.0.121.0) and 3700s (8.2.141.0). We have a TAC case with Cisco open, but because this bug has a random nature, it is very hard to collect data they've requested (and Cisco asks for a lot of information including OTA captures).

I am working in one of our offices this and next weeks (which is affected the most) to identify this problem and we have a massive plan to try different things. Surprisingly, it didn't happen to me last week when I was here (this office is 3700s based)... even though in our IT HQ with 1142s it was practically impossible to work on wireless for me as I was getting disconnections all the time (Limited Connectivity).

If we identify anything this week, I will update this post.

New Member

Hi Tymofii

Thanks a lot for this detailed feedback, sounds very similar to our random problem - I am troubleshooting for two days now and was not able to reproduce a problem or at least see a problem at all. But randomly, as you said, our clients get disconnected very often.

That would be great, please keep this post updated.

Best regards

Dominic

P.S.: Even if you don't use 8.0.140.0 yet, be careful with this bug here; I did not find it on Cisco's bug search, but we were able to reproduce it. We did not see this problem in 8.0.1

*apfMsConnTask_2: Jan 18 13:23:59.090: b4:b6:76:41:db:0b Processing assoc-req station:b4:b6:76:41:db:0b AP:00:e1:6d:4f:09:90-01 thread:151af020
*apfMsConnTask_2: Jan 18 13:23:59.090: b4:b6:76:41:db:0b Ignoring 802.11 assoc request from mobile pending deletion

New Member

It is indeed very hard to capture. It easier to see on a PC because we notice this Yellow Exclamation Mark in the right corner, but on iPad and iPhone it's not that easy to capture. I only noticed this by listening to SoundCloud and then I realized that music stopped playing even though I was still connected, I have Ping Lite utility on my iPhone, so I immediately started pinging the gateway and it was failing... this is when it became not just Windows 7 problem... and people now complain re our BYOD wireless :) Oh my

New Member

Indeed, very annoying and hard to find the cause of the problem.

Last week I noticed the following "bug" with 8.0.140.0, but did not find anything about it on Cisco bug search yet:

*apfMsConnTask_2: Jan 18 13:23:59.090: b4:b6:76:41:db:0b Processing assoc-req station:b4:b6:76:41:db:0b AP:00:e1:6d:4f:09:90-01 thread:151af020
*apfMsConnTask_2: Jan 18 13:23:59.090: b4:b6:76:41:db:0b Ignoring 802.11 assoc request from mobile pending deletion

I know you don't use 8.0.140.0 yet, but be aware of this if you want to move to a so-called stable version... With 8.0.135.0 the bug did not appear.

Was just testing with my iPhone (Net Analyzer and ping tool) and was facing the issue right now, I think I will have to downgrade even further from 8.2 to 8.0.140.0 to 8.0.135.0.

New Member

Let's keep in touch here then. I was planning a series of downgrades too. 3700s were introduced in 7.6, but this one is now obsolete and cannot be downloaded from Cisco, so... our only option is 8.0 as the earliest available version.

I'll try to capture what Cisco asks for first on any version... to let them do their job for the money we pay...

New Member

Hi Tymofii

Of course, thanks so far for your information. I will downgrade to 8.0.132.0 this evening and will do the same tests / debugs tomorrow.

Best regards

Dominic
