Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Massive wifi phones deauthentication

Hi All,

sorry if the issue has already been submitted to the community ...

We've recently implemented a new wifi "area" using Cisco 1131AG access points and a couple of Integrated Cat3750-WLC (sw 4.2.112).

This new area hosts both thin-clients and phones with wireless connectivity.

We're experiencing problems of

massive deauthentication (open space were 2 APs, 16 thin-clients, and 16 wifi-phones - Avaya 3641- are installed).

The problem affects wifi-phones only, which during the day deauthenticate and soon after - in a matter of seconds - reauthenticate themselves (frequently reassocaiting with the same AP) about every hour.

WLC log entries show the followings:

*********************** WLC Message Logs ****************************

Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0b:d0

Jul 01 15:55:19.629 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0a:bb

Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:11:42

Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:d4

Jul 01 15:55:19.628 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:15:6d

Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:17:ae

Jul 01 15:55:19.627 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:08:09

Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:07:2c

Jul 01 15:55:19.626 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max

EAPOL-key M5 retransmissions exceeded for client 00:90:7a:07:0d:80

***********************************************************************

together with the followings:

******************************* WLC Trap Logs

*********************************

20 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:0b:d0, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

21 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:0a:bb, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

22 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:11:42, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

23 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:08:d4, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

24 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:15:6d, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

25 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:17:ae, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

26 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:08:09, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

27 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:07:2c, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

28 Tue Jul 1 15:55:19 2008 Client Deauthenticated: Client MAC

Address:00:90:7a:07:0d:80, AP Base Radio MAC:00:1e:4a:54:f9:90, Slot:

0,

Reason:Unspecified, ReasonCode: 1

*******************************************************************************

Occasionally, when deauthentication occurs, a few wifi-phones "reboots" ...

Any help wuold be greatly appreciated.

Regards,

Sonia

11 REPLIES

Re: Massive wifi phones deauthentication

from http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html

"Error Message %DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M[int] retransmissions

exceeded for client [hex]:[hex]:[hex]:[hex]:[hex]:[hex]

Explanation Client authentication failed because the client did not respond to an EAPOL-key message.

Recommended Action Ensure that user credentials are correct on the client and on the AAA server. "

Do you have aggressive load balancing turned on?, if so, turn it off.

New Member

Re: Massive wifi phones deauthentication

Aggressive Load Balancing has never been turned on. We've already examined the Cisco web page you're indicating and we're a little bit confused.

Our phones are using WPA2-PSK authentication (at the moment no 802.1x has been enabled) and are permanently turned on.

Examining debug data I understand that phones authentication completes correctly (see wlc_debug_dot1x.txt). Am I right ?

Other - maybe - useful information are:

- radio policy on the WLC is 802.11b/g for the voice WLAN, and 802.11a for the data WLAN (both WLANs SSIDs are broadcasted by the same two APs);

- although configured for negotiating both the b and g standard, phones are contantly using the b standard (I would expect the a "g" choice ...)

Hope somebody has some idea ...

Regards,

Sonia

Silver

Re: Massive wifi phones deauthentication

What is the session timeout setting on the ssid advanced page?

Do you have exclusion turned on?

Do you have dhcp required enabled?

Can you send a 'show wlan summary' and 'show wlan ' for the ssid in question?

New Member

Re: Massive wifi phones deauthentication

Hi,

session timeout has been disabled a couple of weeks ago, but this change had no effect on phones' behaviour.

Exclusion is turned on with all the followings ENABLED:

Excessive 802.11 Association Failures

Excessive 802.11 Authentication Failures

Excessive 802.1X Authentication Failures

IP Theft or IP Reuse

Excessive Web Authentication Failures

and an exclusion timeout of 60 seconds. Maybe I could deactivate a few (or all) of these checks ...

"DHCP required" is enabled also.

Attached you'll find the show wlan info requested.

I'm much obliged for you time :-)

Regards,

Sonia

New Member

Re: Massive wifi phones deauthentication

Hi,

further to my investigations I examined the Bug Toolkit more in depth.

Could this issue be determined by one of the following two bugs ?

- CSCsl30758 (no CCKM, no WLAN session timeout and WPA-auth correspond exactly to our configuration ...)

- CSCso95257 (maybe an RF issue which we could investigate with a more detailed survey ?)

Thanks in advance to anybody which will give a suggestion ...

Regards,

Sonia

New Member

Re: Massive wifi phones deauthentication

What data rates do you have enabled?

New Member

Re: Massive wifi phones deauthentication

Data rates for the 802.1 b/g standard (the one in use by wifi phones) are as follows:

1 Mbps Supported

2 Mbps Supported

5.5 Mbps Supported

6 Mbps Supported

9 Mbps Supported

11 Mbps Mandatory

12 Mbps Supported

18 Mbps Supported

24 Mbps Supported

36 Mbps Supported

48 Mbps Supported

54 Mbps Supported

New Member

Re: Massive wifi phones deauthentication

Are the intervals between the disassociations steady, like every 60 minutes?

Then try to increase the reauthentication interval and observe the time between disassociations again. We had a similar problem and that was the cause.

If it is possible, disable the 1-6Mbps data rates. But watch for the thin clients, some clients like barcode-scanners need the 1Mbps data rate.

Regards,

Sebastian

New Member

Re: Massive wifi phones deauthentication

Disassociations occur about every 30 minutes; I've disabled a few weeks ago the Session Timeout parameter (WLANs --> Edit --> Advanced --> Enable Session Timeout unchecked) but this change had no effect ...

Thanks and regards,

Sonia

New Member

Re: Massive wifi phones deauthentication

Any progress on this? I am also seeing these messages.

DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M3 retransmissions exceeded for client xxxx

New Member

Re: Massive wifi phones deauthentication

The problem could be a roaming issues.

Try customizing the roaming parameters on the controller:

Under Wireless->802.11b/g/n->Client-Roaming change the Scan Threshold to -70dbM.

This is the setting we use in our WLAN and it works fine.

We configured our WLAN as recommended in the VoWLAN Design Guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch1.html

If these recommendations are met in your WLAN, then you should check the survey again and maybe do a spectrum analysis for 2.4GHz interferences.

2018
Views
0
Helpful
11
Replies
CreatePlease to create content