Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Silver

Persistent, chronic, false alarms for the past eight months

We now have two installations that utilize a unified wireless (WLC or WiSM - AIR-LAP1131AG, AIR-LAP1231G, AIR-LAP1242AG access points) that have been exhibiting the following IDS false alarms:

Disassoc Flood

AP Impersonation

We have TAC cases going back to October 2006 to address them and have upgraded to the latest/greatest version 4.0.206.0 in hopes of getting this solved.

Version 4.0.206.0 was supposed to have fixed these problems, and it did reduce some of the other false alarms (not listed). However, the two mentioned above persist.

Is anyone else out there experiencing this?

- John

5 REPLIES
New Member

Re: Persistent, chronic, false alarms for the past eight months

Yes. The controllers mistakenly treat APs as rogues and their rogue suppression as attacks. It's bug CSCse87066 (this was hidden from customer view until relatively recently.)

Note that the status says verified (and not resolved) despite also giving fixed-in releases. Just as you, we're still seeing the bug in 4.0.206.0 as well.

New Member

Re: Persistent, chronic, false alarms for the past eight months

Boy I am glad someone is seeing this in the latest code. TAC stated that I upgrade but my SE requested not to. I am also seeing this alarm all the time and it's a pain. Please post when there is a permanent fix. Did v4.0.206.0 offer anything else worth upgrading to at this time?

New Member

Re: Persistent, chronic, false alarms for the past eight months

The upgrade helped with some other assorted multicast and reporting bugs, so we did go ahead with it, and it didn't break anything new that we noticed. It didn't fix the bug it was supposed to either, but we didn't know that at the time. Overall we're still in a boat where we'll pretty much upgrade when a new version comes out, as it can't possibly be worse than the old versions.

Our account team had told us from the get go (and reiterated later last year) that the 4.x releases are bleeding edge feature releases and not recommended for production; the 3.x train was stable, but as we have a bunch of 1121-series APs we were forced to run 4.x.

Silver

Re: Persistent, chronic, false alarms for the past eight months

Thank you for confirming this behavior.

In answer to your question, upgrading to 4.0.206.0 did get rid of the "Generic Netstumbler" IDS alarm that turned out to be another false positive.

As it turns out, there have been comments from Cisco that now indicate that .206 has stability issues (nice to know that now). However, we have not experienced any of these issues at the two installations where this version is operating.

I also wanted to point out that we went ahead and opened TAC cases for each error at each customer site.

Currently, most of them have reached a status of "Release Pending". (Now as to *WHICH* release....)

If you have not opened a TAC case for these issues, taking the time to do so will help Cisco be aware of the extent to which this problem exists in the field and, hopefully, will help them prioritize the fix to this problem.

John

Silver

Re: Persistent, chronic, false alarms for the past eight months

I forgot to mention that TAC has tied two known bugs to the TAC cases that have been opened for the false "AP Impersonation" alarms:

CSCsg01470

CSCsb90622

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

- John

135
Views
4
Helpful
5
Replies