
New Member

WLC Clients not connecting: Association identifier for client is already in use

Hi there

I have a virtual wireless lan controller running on 7.6.130 

I have 3 SSIDs running: 2 using WPA2-AES with PSK and 1 using 802.1x EAP-TLS auth

I am finding that some of my users cannot connect to the 802.1x SSID and in my logs I see the following errors 

#LWAPP-3-INVALID_AID2: spam_api.c:1465 Association identifier 1 for client 5c:f9:38:a7:ca:da is already in use by 90:b2:1f:bb:64:c9

#LWAPP-3-INVALID_AID2: spam_api.c:1465 Association identifier 1 for client 5c:f9:38:a7:ca:da is already in use by 90:b2:1f:bb:64:c9

#LWAPP-3-INVALID_AID2: spam_api.c:1465 Association identifier 1 for client 5c:f9:38:a7:ca:da is already in use by 90:b2:1f:bb:64:c9

 

So it is pretty clear that the WLC is blocking access to SSID and complains that the association ID is in use by another mac address

When I look at the mac address I see that it is a client that is connected to one of my WPA2-AES PSK SSIDs

I am not sure why this is happening but I need to resolve this before I roll out the use of a wireless lan controller 

Kind Regards

I do also see a lot of this in my logs

 

#APF-3-AID_UPDATE_FAILED: apf_80211.c:6571 Error updating Association ID for REAP AP Client5c:a4:8a:92:e9:00 - AID 1

 

VIP Purple

Seems like you are hitting the CSCtn52995 bug. Try upgrading the software to a known fixed version.

Symptom:
HREAP - Reached max limit on the association ID for AP
or
Messages similar to the following in the msglog:

*apfMsConnTask_6: May 29 10:15:57.758: #APF-3-AID_UPDATE_FAILED: apf_80211.c:9041 Error updating Association ID for REAP AP Client00:ac:fd:00:8f:00 - AID 41
*apfMsConnTask_6: May 29 10:15:57.758: #LWAPP-3-INVALID_AID2: spam_api.c:1357 Association identifier 41 for client 00:d2:d1:01:11:f2 is already in use by 00:d2:d1:01:10:29

At this time, clients are unable to associate on the given BSSID on the given AP.

Conditions:
0. FlexConnect AP.
1. Client 1 is associated to the controller with AID =1 on ssid x
2. Client 1 sends 802.11 Auth frame on ssid y, at this point AID = 1 is
freed at the AP. Auth frames are not honored at the controller, so
controller is not informed
3. No association frame arrives from client 1 at ssid y
4. Client 2 associates to the AP and gets AID = 1
5. AP updates the controller about client 2 and AID =1, at this point the
controller adds duplicate entries and increments the count (controller
already has client 1 AID =1).

Counter is getting incremented and reaching 256.
It is due to the network conditions at the
customer site in which the 802.11 authentication frames are sent(sometimes
on different WLAN), but is not followed by association frames.

Workaround:
N/A
 

Known Fixed Releases: (15)
10.2(1.5)
8.0(72.31)
7.6(95.14)
7.6(11.28)
7.6(93.8)
12.4(25e)JAO3
15.2(4)JB3
7.6(94.3)
7.6(93.10)
7.6(94.3)
7.6(93.10)
7.6(100.0)
10.1(112.2)
10.1(102.205)
7.4(122.11)
7.4(122.12)
8.0(100.0)
 
HTH
Rasika
**** Pls rate all useful responses ****
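Added example, not part of the thread and not Cisco code: one way to triage the two msglog messages quoted above is to group the INVALID_AID2 rejections by the MAC that still holds the AID, so a stale holder that keeps blocking new clients stands out. The sample lines and their MAC addresses are constructed; the function names are hypothetical.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
INVALID_AID2 = re.compile(
    r"#LWAPP-3-INVALID_AID2: \S+ Association identifier (?P<aid>\d+) "
    rf"for client (?P<blocked>{MAC}) is already in use by (?P<holder>{MAC})"
)
AID_UPDATE_FAILED = re.compile(
    rf"#APF-3-AID_UPDATE_FAILED: .*?Client\s*(?P<mac>{MAC}) - AID (?P<aid>\d+)"
)

# Constructed sample lines in the msglog format quoted in this thread.
SAMPLE_LOG = """\
*apfMsConnTask_6: Jan 01 10:00:01.100: #LWAPP-3-INVALID_AID2: spam_api.c:1465 Association identifier 1 for client 02:00:00:00:00:0a is already in use by 02:00:00:00:00:01
*apfMsConnTask_6: Jan 01 10:00:02.200: #LWAPP-3-INVALID_AID2: spam_api.c:1465 Association identifier 1 for client 02:00:00:00:00:0b is already in use by 02:00:00:00:00:01
*apfMsConnTask_6: Jan 01 10:00:02.201: #APF-3-AID_UPDATE_FAILED: apf_80211.c:6571 Error updating Association ID for REAP AP Client02:00:00:00:00:0b - AID 1
*apfMsConnTask_6: Jan 01 10:00:05.000: #LWAPP-3-INVALID_AID2: spam_api.c:1465 Association identifier 7 for client 02:00:00:00:00:0c is already in use by 02:00:00:00:00:02
"""

def summarize_aid_conflicts(log_text):
    """Group INVALID_AID2 events by (holder MAC, AID); count AID_UPDATE_FAILED per AID."""
    conflicts = defaultdict(lambda: {"events": 0, "blocked": set()})
    update_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = INVALID_AID2.search(line)
        if m:
            entry = conflicts[(m["holder"].lower(), int(m["aid"]))]
            entry["events"] += 1
            entry["blocked"].add(m["blocked"].lower())
            continue
        m = AID_UPDATE_FAILED.search(line)
        if m:
            update_failures[int(m["aid"])] += 1
    return dict(conflicts), dict(update_failures)

def stuck_aids(log_text, min_events=2):
    """AIDs where the same holder MAC is named in repeated rejections."""
    conflicts, _ = summarize_aid_conflicts(log_text)
    return sorted(
        (aid, holder, info["events"], sorted(info["blocked"]))
        for (holder, aid), info in conflicts.items()
        if info["events"] >= min_events
    )

if __name__ == "__main__":
    for aid, holder, events, blocked in stuck_aids(SAMPLE_LOG):
        print(f"AID {aid} held by {holder}: {events} rejections, blocked={blocked}")
```
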
New Member

Hi Rasika

 

Thank you for your reply, I did come across this bug however since I am running 7.6.130 I would have thought that the bug has been fixed in this release based on the known fixes above?

 

Regards

 

Mohamed

New Member

Just read the release notes for 7.6.130 and under open caveats the following bug is still listed

 

Symptom : AID leaks observed on Release 7.6; problem is not seen if AP is on Release 7.4.121.0.

*apfMsConnTask_4: Jan 16 10:26:23.419: #LWAPP-3-INVALID_AID2: spam_api.c:1462 Association identifier 249 for client 60:6c:66:09:XX:XX is already in use by 50:32:75:2c:XX:XX

*spamApTask6: Jan 16 10:25:39.315: 60:6c:66:09:XXLXX Association Failed on REAP AP BSSID 1c:aa:07:6f:XX:XX(slot 0), status 17 0 Max Client Reached, recieved an AID=0

End users report connection errors after a while.

Conditions : AP in FlexConnect mode, local switching.

Workaround : None.

 

This is the exact bug affecting me, I am thinking of upgrading to version 8 now..

 

 

 

VIP Purple

Yes, you are correct. It is CSCum92822; the fix is available only in 8.x.

As you know there may be other unknown bugs in these latest releases & it is always a challenge to run an environment without hitting bugs. 

Try to get 8.0MR1 (pre-release code) if possible

https://supportforums.cisco.com/document/12298741/80-mr1-beta-availability

 

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Hi Rasika

Thanks again for your reply


Having upgraded to 8.0.100.0 I have noticed that clients on 802.1x EAP-TLS SSID are now not performing fast roaming.

This is paramount to us so I ran a debug on the mac address of the client in question and ran 'debug mobility handoff enable'

From the debug outputs the following is of interest, please correct if I have not explained correctly

1 - Client starts roaming to another AP

*apfMsConnTask_6: Sep 23 17:21:36.811: b8:8d:12:13:1b:3a Reassociation received from mobile on BSSID 34:a8:4e:fd:59:ee 

2 - WLC trying to find cached key and is found in PMK cache, this is so it does not need to perform full 802.1x authentication and only perform 4-Way handshake to enable fast roaming. 

 

*apfMsConnTask_6: Sep 23 17:21:36.811: b8:8d:12:13:1b:3a Unable to compute a valid PMKID from MSCB PMK cache for mobile b8:8d:12:13:1b:3a
*apfMsConnTask_6: Sep 23 17:21:36.811: b8:8d:12:13:1b:3a Searching for PMK in global PMK cache for mobile b8:8d:12:13:1b:3a
*apfMsConnTask_6: Sep 23 17:21:36.811: b8:8d:12:13:1b:3a Found an entry in the global PMK cache for station b8:8d:12:13:1b:3a

 

3 - WLC still unable to use cached key entry for client to enable fast roaming and so marks the client as not having a cached key

*apfMsConnTask_6: Sep 23 17:21:54.077: b8:8d:12:13:1b:3a Unable to compute a valid PMKID from global PMK cache for mobile b8:8d:12:13:1b:3a
*apfMsConnTask_6: Sep 23 17:21:54.077: b8:8d:12:13:1b:3a Setting active key cache index 8 ---> 8
*apfMsConnTask_6: Sep 23 17:21:54.077: b8:8d:12:13:1b:3a unsetting PmkIdValidatedByAp

 

4 - So client now performs full EAP-TLS auth and this can be seen by following debug outputs 

*spamApTask2: Sep 23 17:21:54.079: b8:8d:12:13:1b:3a Sent 1x initiate message to multi thread task for mobile b8:8d:12:13:1b:3a
*Dot1x_NW_MsgTask_2: Sep 23 17:21:54.079: b8:8d:12:13:1b:3a Sending EAP-Request/Identity to mobile b8:8d:12:13:1b:3a (EAP Id 1)
*Dot1x_NW_MsgTask_2: Sep 23 17:21:54.391: b8:8d:12:13:1b:3a  8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)

5 - Because of this my client loses its VPN connection and does not perform fast roaming 

In the pre-release code you mention I do see the following two bugs

 

CSCuq55372 8.0 - WLC crash with Flex AP and Local Switching Enabled
CSCup43052 WLC crashes after starting client roaming

The last one could probably relate to what I am seeing...

 

Kind Regards

 

Mohamed 
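Added example, not part of the thread and not Cisco code: the walk-through in the post above can be automated by splitting a client debug into one record per reassociation and flagging whether a full 802.1X exchange followed. The sample lines and MAC addresses are constructed, `classify_roams` is a hypothetical name, and it assumes that a reassociation with no EAP-Request/Identity before the next one reused a cached key and that all timestamps fall on the same day.

```python
import re

LINE = re.compile(
    r"^\*(?P<task>[^:]+): \w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) +(?P<msg>.*)$",
    re.IGNORECASE,
)

# Constructed sample in the debug format quoted in the post above.
SAMPLE_DEBUG = """\
*apfMsConnTask_6: Sep 23 17:21:36.811: 02:00:00:00:00:0a Reassociation received from mobile on BSSID 02:00:00:00:aa:01
*apfMsConnTask_6: Sep 23 17:21:36.811: 02:00:00:00:00:0a Unable to compute a valid PMKID from MSCB PMK cache for mobile 02:00:00:00:00:0a
*apfMsConnTask_6: Sep 23 17:21:54.077: 02:00:00:00:00:0a Unable to compute a valid PMKID from global PMK cache for mobile 02:00:00:00:00:0a
*Dot1x_NW_MsgTask_2: Sep 23 17:21:54.079: 02:00:00:00:00:0a Sending EAP-Request/Identity to mobile 02:00:00:00:00:0a (EAP Id 1)
*Dot1x_NW_MsgTask_2: Sep 23 17:21:54.391: 02:00:00:00:00:0a  8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*apfMsConnTask_6: Sep 23 17:30:10.000: 02:00:00:00:00:0a Reassociation received from mobile on BSSID 02:00:00:00:aa:02
*Dot1x_NW_MsgTask_2: Sep 23 17:30:10.050: 02:00:00:00:00:0a  8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
"""

def classify_roams(debug_text):
    """Return one record per reassociation: target BSSID, auth type, delay."""
    roams, current = [], {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Seconds since midnight; enough to measure the delay within one roam.
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        mac, msg = m["mac"].lower(), m["msg"]
        if msg.startswith("Reassociation received"):
            current[mac] = {"client": mac, "bssid": msg.split()[-1], "start": t,
                            "pmkid_failures": 0, "full_8021x": False, "delay_s": None}
            roams.append(current[mac])
        elif mac in current:
            roam = current[mac]
            if "Unable to compute a valid PMKID" in msg:
                roam["pmkid_failures"] += 1
            elif "Sending EAP-Request/Identity" in msg:
                roam["full_8021x"] = True  # cached key not used, full auth started
            elif "Change state to L2AUTHCOMPLETE" in msg and roam["delay_s"] is None:
                roam["delay_s"] = round(t - roam["start"], 3)
    return roams

if __name__ == "__main__":
    for r in classify_roams(SAMPLE_DEBUG):
        kind = "full 802.1X" if r["full_8021x"] else "no full auth seen"
        print(r["client"], "->", r["bssid"], kind, r["delay_s"], "s")
```
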

 

 

VIP Purple

Hi Mohamed,

Your representation is correct & the client is doing full re-auth when roaming in your scenario (which should not be the case). Refer to this document, which analyses all possible fast roaming options in a Cisco WLC

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html

What type of clients are these? By any chance do they support 802.11r FT? If so you could enable 802.11r fast roaming on your SSID.

I think you should log a TAC case as 8.0.100.0 is fresh code & may have undetected bugs like what you have found.

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Hi Rasika 

Thanks for your prompt reply

These are Mac OS X devices running mainly on 10.9, not sure if 802.11r is supported. 

Because I am using FlexConnect with locally switched I understand that I am using the following roaming option also based on debug outputs above

"FlexConnect with WPA2 PMKID Caching / Sticky Key Caching" 

Is there a better option to choose in my scenario? 

I am currently evaluating the virtual WLC so have not purchased full license yet.. 

 

Just to add I have Fast Transition enabled on my WLAN which was working fine under 7.6 and now not working in 8.0 

 

Regards

 

Mohamed 

 

 

VIP Purple

I do not think Mac OS X supports fast roaming. Here is the list available on the Apple page for the 802.11r/k supporting devices

http://support.apple.com/kb/HT5535

SKC has very limited capability (key cache up to 8 AP only) so it is not recommended for large scale deployment.

Regarding FT works in 7.6 & not in 8.0 (may be specific to this FlexConnect setup)  so you have more than one reason to reach TAC on this.

 

HTH

Rasika

**** Pls rate all useful responses ***

New Member

Hi Rasika

 

How do I check which type of Fast Secure Roaming I am using?

Kind Regards

Mohamed
