Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Wireless Client Recovery on Win 7 and XP from Symantec Network Protection and Firewall

     

     

    Introduction

    Wireless Client Recovery on Win 7 and XP from Symantec Network Protection and Firewall.

    Symantec Mess with 802.1X 'timeoutEvt' Timer expired for station and for message = M3

    Issue 

    EAP/Eapol process is not getting completed, irrespective of A/G radio is used on the intel/Broadcom card. no issue when using wep, wpa-psk.

    WLC code - 7.0.240.0, WLC code doesn't matter.

    APs - 3502is and 1142s - All on local mode.
    wlan 3 - WPA2+802.1X PEAP + mshcapv2
    ssid is broadcasted.
    Radius server nps 2008
    Symantec antivirus software is installed on all the PCs

    using Asus, Braodcom, Intel - win7, win-xp

    Affected Hardware/Software

    • Affected OS - windows 7 and XP
    • Affected Wireless adapter - Intel(6205) and Broadcom
    • Affected Driver/Supplicant - 15.2.0.19, using Native Supplicant.

    Fix/Workaround

    Disable Symantec Network Protection and Firewall on win7 and xp. It is an Symantec issue with Win 7 and XP OS.

    Wireless client debug output

    *dot1xMsgTask: Apr 12 11:45:39.335: 84:3a:4b:7a:d5:ac Retransmit 1 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
    *osapiBsnTimer: Apr 12 11:45:44.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
    *dot1xMsgTask: Apr 12 11:45:44.336: 84:3a:4b:7a:d5:ac Retransmit 2 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
    *osapiBsnTimer: Apr 12 11:45:49.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
    *dot1xMsgTask: Apr 12 11:45:49.336: 84:3a:4b:7a:d5:ac Retransmit 3 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
    *osapiBsnTimer: Apr 12 11:45:54.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
    *dot1xMsgTask: Apr 12 11:45:54.337: 84:3a:4b:7a:d5:ac Retransmit 4 of EAPOL-Key M3 (length 155) for mobile 84:3a:4b:7a:d5:ac
    *osapiBsnTimer: Apr 12 11:45:59.336: 84:3a:4b:7a:d5:ac 802.1x 'timeoutEvt' Timer expired for station 84:3a:4b:7a:d5:ac and for message = M3
    *dot1xMsgTask: Apr 12 11:45:59.336: 84:3a:4b:7a:d5:ac Retransmit failure for EAPOL-Key M3 to mobile 84:3a:4b:7a:d5:ac, retransmit count 5, mscb deauth count 0
    *dot1xMsgTask: Apr 12 11:45:59.338: 84:3a:4b:7a:d5:ac Sent Deauthenticate to mobile on BSSID c8:f9:f9:89:15:60 slot 1(caller

    Symantec Ticket

    Symantec Ticket/Case: 04192658
    Subject: Multiple devices failing to negotiate EAPOL-key

    Note:
    There's a syndrome in 15.2 (also seen in earlier versions) that goes like this: client gets M1 from AP client sends M2 client gets M3 from AP client plumbs the new pairwise key before it sends out M4 client transmits the M4 encrypted with the new key AP drops the M4 message as a "decrypt error" WLC 'debug client' show that we are timing out on M3 retransmissions. Evidently, this is a problem between Microsoft and Symantec, not Intel specific. Workaround is to remove Symantec. This is really a bug that is probably in windows, triggered by Symantec. "Tweaking the EAP timer doesn't fix this issue"

    Regards to this issue, Cisco TAC will forward the affected Customers to Symantec and Microsoft.

    Comments
    sin
    Community Member

    I seem to have run into this problem with  8510+2602 running 7.4.100.0 and the client using Intel driver 15.2.0.19.

    Any one knows if it can be fixed with a Intel driver upgrade?

    Cisco Employee

    Please work with Symantec - Ticket/Case: 04192658

    899
    Views
    5
    Helpful
    2
    Comments