Cisco Wireless :: 5508 Max EAPOL-key M5 Retransmissions Exceeded For Client
Feb 21, 2012
I have had several complaints from around the firm whereby mobile devices are being bumped off the PSK secured network (all other SSID networks are operating A-OK). Both Android and iPhone devices are being affected; the device will just loop until it reconnects, sometimes up to 20 minutes of trying to establish a connection. It will eventually connect, so the key is not the issue. I've attached a debug of a device which fails to connect and then shortly after is successful.
Controller 5508 v7.0.116.0
AP 3502i IOS 12.4(23c)JA2
We're getting complaints about a specific 1131AG in the field only being intermittently accessible. WCS shows both the a and b/g interfaces randomly bouncing, sometimes the reason for the bounce is unknown other times it says it's because it lost connection to the controller. I can ssh into the WCS but the engineer who setup the AP's doesn't seem to have enabled remote access via telnet or ssh.
We are also seeing these events:
802.11a interface of AP * is down: Controller 172.17.0.10 Reason: Max retransmissions for the AP have reached.
Interference threshold violation reported by '802.11b/g' interface of AP *, connected to Controller '172.17.0.10'.
I know I can adjust the threshold percentage, but that would only seem to mask the issue.
WCS gives this version info on the AP:
Versions: Software Version 6.0.202.0, Boot Version 12.3.8.0
I have two WLCs, model 5508, running IOS version 7.0.98.0, and one WLC in the DMZ with the same model and IOS version. The AP model is 1141. The two WLCs are integrated with ACS. I have an SSID named EMployee. DHCP for the users is configured on a separate DHCP server, and I have mapped this DHCP server IP to the interface Employee. This interface is mapped to the SSID as well. But my client is not receiving the DHCP IP. Attached are the debug logs from the client.
There are two Win7 SP1 PCs (A & B), plugged in to a 3750-x (v12.2-58-SE2), on ports 33 and 41.
The ports are configured for 802.1x, auth order of MAB then Dot1x. Priority is Dot1x, MAB. The config is the same on both ports (verified at show run all).
When either PC is plugged in to port 33, everything works as I expect. Client sends an EAPoL message, gets a response, and is authenticated. When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL start, and the switch never replies.
If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.
I am using 2 anchor controllers 5508 as DHCP server. Anchor controller A is primary and anchor controller B is secondary. From time to time, clients will complain of a "duplicate IP address error" when they try to connect to guest wireless. First question: both anchor controllers should have a record of the IP address which is assigned to each PC, right? Second question: is there any way this type of issue can be avoided?
I am having some troubles with client roaming on a 5508 controller running firmware 7.3.101.0. As soon as a client roams outside the range of an AP they lose data flow and do not seem to transition to another AP for about 1 minute. This is a small network with 6 x AIRCAP3502E-N-K9 AP's (running in H-REAP mode) on the same floor, and clients are a mix of HP notebooks, Mac Books, iMacs, iPads and iPhones. There are several separate SSID's set up and the problem occurs on all. All are WPA2/AES with either a PSK or 802.1X. Both 2.4GHz and 5GHz radios are enabled with auto power and channel selection.
I have tried changing the roaming settings from default and also playing with the AP power settings to no avail. Is this normal behaviour or is there something I can do to improve the reconnection speed?
I have one 5508 with Product version 6.0.199.4 and about 7 Cisco 1140 APs. We have the following problem. The connection on the client PCs goes out: the wireless connection to the workstations is physically not broken, but access to network resources is lost and restored after some time (up to about one minute). The logs on the controller at the same time show the following message.
I've just installed a standard Cisco wireless install (5508, 3502i, local and flexconnect setups) all working swimmingly.
The customer has asked for a new WLAN for a particular group of staff that will route to a different gateway than the general wireless staff.
The 5508 is connected to an older Avaya L3 switch that is the customer's core switch, but it isn't capable of PBR, so it routes on destination only and its default route is not where I need the new WLAN traffic to route to. An ASA will be connected to the Avaya switch (which is the alternate gateway I need to get the new WLAN users to). So my question is probably routing 101, but if the ASA interface, the Avaya switch and the WLAN interface all reside in the same VLAN, can I give the wireless clients the ASA as their gateway via DHCP and successfully get their traffic to the ASA?
Is it possible to rename the default webauthentication URL from [URL] to something like [URL]. We are running on 7.0.98.0, is it possible to do http for web authentication and https for Mgmt access if we upgrade the controller software?
We configured our guest wireless with no layer 2 authentication, so users can associate with an AP and get an IP address but they can't go anywhere unless they have a valid username and password (web authentication). Does this affect the performance of an AP, since there will be many people associated with each AP? Is there any setting in the WLC to disassociate a client from an AP if it's idle for a certain time?
I have an environment of Cisco 5508 Wireless Controller and 1142N Access Points. I have a problem with the ratio of concentration of clients connecting to Access points in floors.
Recently I have been turning off 802.11a on the access points and I am seeing an increase in client count on a few of the access points. What is the maximum client count supported by these access points and how do I ensure they are distributed evenly on access points?
For two months they have worked full time with the new Dutch Electronic Patient Dossier. We installed 3 Cisco 5508 controllers, version 7.0.230.0, last year on an HP-switched network on a layer 2 mobility domain. Cisco 1041 AP are
The personnel work with thin clients url... The one with the double antenna. This client has a Broadcom BCM943228HM4L 802.11 a.b.g.n (2x2) adapter.
On the client they have a connected RDP session to a server with the documents. Now they are walking from one patient to another patient. The problem they experience is very late roaming. At the beginning of the corridor, the client will associate, but is going to roam at the end of the corridor. We installed 4 AP's on each corridor, so the signal is very good, maybe too good?
I disabled client load balancing and band select. The lowest data rates are also disabled. Mandatory begins at 12 Mbps. I can increase this to 18 Mbps. These clients work with PSK, with both methods (WPA-TKIP and WPA2-AES) enabled. We did this because of many old and new clients.
The customer tried to find out the problem with a smartphone, same issue. Very late roaming. I can upgrade the WLC to 7.0.240.0. The only problem I have is the WCS. When upgrading to 7.2 and higher I need to have NCS.
Recently I installed a WLC 5508 in the central office and installed a mesh network in a remote office; the central and remote offices are connected by a serial link as WAN, and I have a DHCP server in the remote office to give IP addresses to all users and devices in the remote office. Additionally I have 5 LAP1552 (mesh) and 2 LAP1260 in the remote office. All clients that connect to the LAP1260 (these don't belong to the mesh) receive an IP address from the DHCP server, but no client that tries to connect to the mesh (LAP1552) receives an IP address from the DHCP server. I don't know if I am doing something wrong. The IP range that all the APs receive belongs to the devices network, and the IP range for the users belongs to the users network.
I am having trouble with a newly configured install. Basically it seems that my centrally switched guest SSID is not functioning. As you change AP groups, which should change the interface associated with the SSID and also the dhcp client address, the client is retaining the original dhcp address from whichever AP group they first associated with.
I also have a locally switched WPA2 SSID at each location which is working fine. Clients are able to change DHCP address correctly as they move between AP groups. It just doesn't seem to be working on the guest network, which is odd because it was working earlier in the install. It only started having issues yesterday afternoon.
The interface above is assigned to the guest SSID in one of the AP groups. I assume this has something to do with it, but I've been over my DHCP assignments on the core switch, local switch, controller, and DHCP server and can find no issue with the configuration.
I am not sure why as I am not using DOT1X at all. The guest is a pass-thru and the WPA2 network is just WPA + WPA2 with TKIP and AES. No DOT1X anywhere on the controller...
Background: Wireless credit card machines can't stay connected to the 5508 controller 7.0.116 / 1142 AP wireless system. MAC address of one of the wireless hosts is 00:12:0e:ec:ce:97. AP servicing them is d4:a0:2a:99:34:60. Hosts are able to connect to the network after a reboot and stay connected for random periods of time but then don't come back unless you manually reload them. I have 3 in total in the same room serviced by the same AP.
I have the output of debug client 00:12:0e:ec:ce:97. Output showed 802.1x 'timeoutEvt' Timer expired for station 00:12:0e:ec:ce:97 so I increased the value to 4000ms on the controller but am still having the issue.
Note that the output below is the state the client stays in after receiving the timeout (802.1x 'timeoutEvt'), showing subsequent attempts. The only way to get them back on is a reload of the credit card machine.
I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
Config and debug file attached.
I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.
I have been noticing in my trap logs that there are an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 AP's (1131ag, 1142abgn, 1262N) models. The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means.
Installed a new 5508 WLC last week, and finished bringing 68 new 3602i access points online in our College Dorms. We are seeing a lot of "Client De-authenticated" errors, "Reason: Unspecified Reason: Code 1". Years ago I asked about error code 1. The reply from Cisco was: "The programmers put the code in. It basically means we don't know what the problem is." Got a call from one of the dorms stating that students were getting knocked off the network while going to sites. If a student is wired, the network is solid. Walked the dorm in question and was getting full bars of signal at all times, and was able to stream a movie from my Ultraviolet account without any break or slowdown as I moved from access point to access point. So.. my device, an iPad, was fully mobile and did not experience any disconnects. Did observe one student using a MacBook Pro. This student was constantly losing connection to the access point. Checked the controller for the MAC of the student's computer. I did find deauthentication errors. BUT... this student's error was that the computer was receiving an IP address from the DHCP that was already in use. At the computer the error message was a timeout issue. I am just learning the ropes on the 5508. Have used 3 4404s for the past six years.
User is connecting to 5508, running 7.0.116.0. Previously worked on another AP. TV (client) is set to use dhcp. As other posts have mentioned, "DHCP Addr. Assignment" checkbox is not checked for this wlan, but I also switched it to Required for this wlan but it did not make any difference. Seems to be a problem with just this client as many other clients are on this AP with no problems.
Users have to register their MAC to get on our wireless system, but there is no encryption or security enabled once the device has been registered.
I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?
WLC 5508 v7.0.98
6-7 Autonomous upgraded to lightweight APs - 2 * 1231G while the rest are 1242AG
3 dynamic interfaces, 2 to Corp (diff VLANs) and 1 to Guest
4 WLANs bound to different interfaces:
2 to the Corp interface Vlan X
1 to Guest
1 to Corp Vlan Y
DHCP for Corp is provided by their own Win DHCP server while controller is the DHCP server for Guest. Lease time is 1 day.
My problem now is that some clients, at random, lose their IP after being connected to the network. They get a 169.254.x.x. They connect to the Corp network OK, no browsing issues, but after a while they lose their IP address.
They can either wait for a while before getting an IP back or simply renew their IP on their machine.
I've tried increasing the threshold values in the Local EAP to double its default values and also setting the WLAN session time out values to infinite. However, these 2 didn't work. I'm still having clients that occasionally lose their IPs at random.
I've also noted that this affects clients with WZC wireless drivers and not others e.g. Intel Proset.
I would like to be able to allow a specific client to only associate at 6mbit/s - is this possible using the WLC controller 5508? Another option would be to limit a whole WLAN SSID to 6mbit/s but I can't find a way to do that either.
Other WLAN SSIDs on the same access points/controller need full data rates, so I guess I can't use the RF-profiling for this.
I have 2 units Cisco WLC 5508 running software version 7.0.220 with 70 over units Cisco AP 1262N and 1242AG. Some of the wireless clients are having problems getting the correct IP address from the DHCP server. There are 2 units of Microsoft DHCP. Both DHCP server IPs have been configured on the interface at the WLC. The core switch is also configured with ip helper. I've attached the debug output of one of the wireless clients during the problem.
I have a strange issue with clients connected to a WiFi network. I have configured the AP in FlexConnect mode with 2 SSID's. After a reboot of the AP the network is stable for almost 45 mins. Then each client will go up and down, mostly with a delay of 5 mins.
What could be the source of this? The clients are Windows CE handhelds with fixed IP addresses. I already configured persistent client and have played around with APR timers as well. A Windows desktop or an iPad has fewer connectivity issues, but even they experience packet loss once in several minutes.
Session timer is turned off
The iPad for example can play music, but every 5 mins you hear a little hiccup and 2 subsecond pings are lost.
I am using a guest solution with two WLCs, one inside and one as anchor in the DMZ. We also have a NAC guest server to authenticate the guest users. The inside WLC is a 5508 and was updated to the latest version 7.2.103.0 last Thursday.
Now we are facing a problem with the guest SSID: after the user authenticates, he is immediately disconnected, and to access again he has to authenticate again, and so on.
Is there any Bug with the new version because the setup was working fine before upgrading.
Branch office has 881 VPN router. Services that ignore MSS in packets don't work. Adjusting MSS has no effect since the services are ignoring that setting. Example: www.google.com works fine, but some Yahoo sites don't.
Found a workaround for exceeded MSS for PIX and ASA (link below), but can't find anything for VPN routers. url...
Please find attached a simple BYOD/ISE document I uploaded to kick start my new Wireless setup. It's all configured on my ISE server and Controller as per doc. My setup:
-3600 AP's
-Internal 5508 Controller
-DMZ 5508 Controller (acts as a DHCP server for wireless clients)
Controllers have established connectivity (mobility anchors); as a client I can connect fine to my new SSID, get a DHCP IP address back from the DMZ WLC, and at the moment can connect out to the Internet fine (using no WLAN Security as a test). So this part is working. I have now followed the document, configured ISE, enabled AAA on the Internal WLC only and used the AAA override setting on the WLAN as in the attached document. I connect to the SSID expecting to be redirected to my ISE Guest Portal; nothing happens other than connecting to Internet web pages. My question is, if I have followed this document correctly, why is the Internal WLC not redirecting client requests to ISE? Is this because my mobility anchors need to be re-configured, or perhaps the AAA/ISE config needs to be applied to my DMZ WLC, not the internal WLC?
I would prefer the Internal WLC to redirect the login to ISE; it doesn't make sense to traverse through the DMZ Firewall onto the DMZ WLC and back into the Internal Network again to the ISE to authenticate. Or am I missing something in addition to this document to make sure clients are directed to the ISE Guest portal login?
I am running WLC 5508 and WCS version 7.0.98. We are noticing with some of our handheld devices that have Sychip Wireless cards that they constantly have issues communicating. The error I see on the WCS side is shown below:
Client '00:0b:6c:2f:d0:32 (0.0.0.0)' failed to associate with interface '802.11b/g' of AP 'HO-BRSales'. The reason code is '0(null)'.
I am considering upgrading our 5508 WLCs to version 7.4.1 to take advantage of the Bonjour gateway. What I want to do is allow clients on our guest wireless network to access things like the Apple TV in our conference rooms. My intention would be to have the Apple TVs on a separate vlan. Obviously, the Bonjour gateway would allow for access between these 2 networks. The question I have is this. If I have client isolation turned on my guest wireless network, is it still possible for these devices to access Apple TVs on another network?
I have one WLC 5508 running the latest IOS 7.116. There is one WLAN, abc, which I have set to disabled status with broadcast disabled, but randomly I can still see from the WLC dashboard that there is one client connected to this WLAN abc. The moment I check the client details, there is no client connected to that WLAN, and when I return to the dashboard, there are no more clients connected to WLAN abc.
I'm on a WLC 5508. It doesn't matter if the passive client feature is turned on or turned off; when you try to increase "User Idle Timeout" you can see this message:
In our network, a lot of clients get deauthenticated. I thought it would be useful to enable the "Passive-client" feature, or increase "user idle timeout", but how do these work with each other?