ArubaOS and Controllers

Contributor I
Posts: 31
Registered: ‎09-09-2010

WPA Key message - replay counter error

We have several EKG medical devices on the wireless; it's a proprietary device from GE. They are all currently on WEP, and we are trying to move them to WPA.
They work fine on WEP but are not authenticating at all on WPA. When I check the logs I'm seeing "WPA Key message - replay counter error". I have a ticket open with TAC... waiting to hear back from them. Just wondering if anyone has come across this WPA error message.

(Controller) #show log all | include 00:80:92:3c:42:98
Sep 8 07:17:03 stm: <501074> |stm| wifi_deauth_sta: bad data, dropping. mac: 00:80:92:3c:42:98 bssid: 00:0b:86:09:9c:25
Sep 8 09:34:36 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0a:fc:a4 AP-07-AP8 did not match the replay counter 01 vs 02
Sep 8 09:38:30 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0a:fc:a4 AP-07-AP8 did not match the replay counter 06 vs 07
Sep 8 09:50:40 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0a:fc:a4 AP-07-AP8 did not match the replay counter 01 vs 02
Sep 8 09:53:13 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0a:fc:a4 AP-07-AP8 did not match the replay counter 07 vs 08
Sep 8 09:53:19 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0a:fc:a4 AP-07-AP8 did not match the replay counter 01 vs 02
Sep 8 12:59:25 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 12:59:25 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 12:59:26 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 02 vs 03
Sep 8 12:59:26 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 02 vs 03
Sep 8 13:02:11 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 08 vs 09
Sep 8 13:02:11 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 08 vs 09
Sep 8 13:02:16 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 01 vs 02
Sep 8 13:02:16 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 01 vs 02
Sep 8 13:03:35 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 01 vs 02
Sep 8 13:03:35 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 01 vs 02
Sep 8 13:06:49 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 02 vs 03
Sep 8 13:06:49 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 02 vs 03
Sep 8 13:06:55 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 13:06:55 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 13:11:22 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 06 vs 07
Sep 8 13:11:22 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 06 vs 07
Sep 8 13:11:58 fpcli: USER:admin@10.164.28.49 COMMAND: -- command executed successfully
Sep 8 13:15:00 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 02 vs 03
Sep 8 13:15:00 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 02 vs 03
Sep 8 13:15:04 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 13:15:04 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 13:30:05 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 13:30:05 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 01 vs 02
Sep 8 13:31:34 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 01 vs 02
Sep 8 13:31:34 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 01 vs 02
Sep 8 13:32:11 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 06 vs 07
Sep 8 13:32:11 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:0c:65:44 AP-07-AP5 did not match the replay counter 06 vs 07
Sep 8 13:33:27 fpcli: USER:admin@10.164.28.49 COMMAND: -- command executed successfully
Sep 8 13:35:29 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 02 vs 03
Sep 8 13:35:29 authmgr: <132093> |authmgr| WPA Key message 2 from Station 00:80:92:3c:42:98 00:0b:86:08:a3:84 AP-07-AP4 did not match the replay counter 02 vs 03
Sep 8 13:35:29 authmgr: <522019> |authmgr| MAC=00:80:92:3c:42:98 IP=0.0.0.0 Derived role 'mobile-SSID-role' from user rules: utype=L2
Sep 8 13:35:29 authmgr: <522035> |authmgr| MAC=00:80:92:3c:42:98 Station UP: BSSID=00:0b:86:08:a3:84 ESSID=mobile-SSID VLAN=39 AP-name=AP-07-AP4
Sep 8 13:35:29 authmgr: <522036> |authmgr| MAC=00:80:92:3c:42:98 Station DN: BSSID=00:0b:86:0c:65:44 ESSID=mobile-SSID VLAN=39 AP-name=AP-07-AP5
Sep 8 13:35:29 mobileip: <500010> |mobileip| Station 00:80:92:3c:42:98, 0.0.0.0: Mobility trail, on switch 10.164.11.22, VLAN 39, AP AP-07-AP4, mobile-SSID/00:0b:86:08:a3:84/g
Sep 8 13:35:29 mobileip: <500010> |mobileip| Station 00:80:92:3c:42:98, 255.255.255.255: Mobility trail, on switch 10.164.11.22, VLAN 39, AP AP-07-AP5, mobile-SSID/00:0b:86:0c:65:44/g
Sep 8 13:35:29 mobileip: <500511> |mobileip| Station 00:80:92:3c:42:98, 0.0.0.0: Received association on ESSID: mobile-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP-07-AP4 Group Atrium BSSID 00:0b:86:08:a3:84, phy g, VLAN 39
Sep 8 13:35:29 mobileip: <500511> |mobileip| Station 00:80:92:3c:42:98, 0.0.0.0: Received disassociation on ESSID: mobile-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP-07-AP5 Group Atrium BSSID 00:0b:86:0c:65:44, phy g, VLAN 39
Sep 8 13:35:29 stm: <501065> |stm| Client 00:80:92:3c:42:98 moved from AP AP-07-AP5 to AP AP-07-AP4
Sep 8 13:35:29 stm: <501065> |stm| Sending STA 00:80:92:3c:42:98 message to Auth and Mobility Unicast Encr Static WPA Multicast Encr Static WPA,WPA2 PSK TKIP VLAN 0x27, wmm:0, rsn_cap:0
Sep 8 13:35:29 stm: <501065> |stm| Sending STA 00:80:92:3c:42:98 message to Auth and Mobility Unicast Encr Static WPA Multicast Encr Static WPA,WPA2 PSK TKIP VLAN 0x27, wmm:0, rsn_cap:0
Sep 8 13:35:29 stm: <501080> |stm| Deauth to sta: 00:80:92:3c:42:98: Ageout AP 10.156.44.240-00:0b:86:0c:65:44-AP-07-AP5 STA has left and is deauthenticated
Sep 8 13:35:29 stm: <501095> |stm| Assoc request @ 13:35:29.759445: 00:80:92:3c:42:98 (SN 24): AP 10.156.44.252-00:0b:86:08:a3:84-AP-07-AP4
Sep 8 13:35:29 stm: <501100> |stm| Assoc success @ 13:35:29.766012: 00:80:92:3c:42:98: AP 10.156.44.252-00:0b:86:08:a3:84-AP-07-AP4
Sep 8 13:35:29 stm: <501000> |AP AP-07-AP5@10.156.44.240 stm| Station 00:80:92:3c:42:98: Clearing state
Sep 8 13:35:29 stm: <501093> |AP AP-07-AP4@10.156.44.252 stm| Auth success: 00:80:92:3c:42:98: AP 10.156.44.252-00:0b:86:08:a3:84-AP-07-AP4
Sep 8 13:35:29 stm: <501095> |AP AP-07-AP4@10.156.44.252 stm| Assoc request @ 13:35:30.837877: 00:80:92:3c:42:98 (SN 24): AP 10.156.44.252-00:0b:86:08:a3:84-AP-07-AP4
Sep 8 13:35:29 stm: <501100> |AP AP-07-AP4@10.156.44.252 stm| Assoc success @ 13:35:30.840792: 00:80:92:3c:42:98: AP 10.156.44.252-00:0b:86:08:a3:84-AP-07-AP4
Sep 8 13:35:29 stm: <501105> |AP AP-07-AP5@10.156.44.240 stm| Deauth from sta: 00:80:92:3c:42:98: AP 10.156.44.240-00:0b:86:0c:65:44-AP-07-AP5 Reason STA has left and is deauthenticated
Sep 8 13:35:29 stm: <501109> |AP AP-07-AP4@10.156.44.252 stm| Auth request: 00:80:92:3c:42:98: AP 10.156.44.252-00:0b:86:08:a3:84-AP-07-AP4 auth_alg 0
MVP
Posts: 702
Registered: ‎03-25-2009

Re: WPA Key message - replay counter error

Since nobody has answered this yet..

http://support.arubanetworks.com/ArubaOSKB/tabid/111/Default.aspx
Answer id: 450

What are replay counter mismatch messages?
After successful dot1x authentication, session keys are derived from the pairwise master key. When the AP transmits a key to a station, by default it expects a response back within 1000 msec. If the station does not respond, the AP increments the counter and retransmits the key.

If the AP receives a response to the first message just after the retransmission of the key, a mismatch occurs in the counter.

This can be seen in the error log and in the output of the 'show auth-trace buffer' command.

Solution: increase the wpa-key-time (as explained in detail in the above referenced KB item).
Koen (ACMX #351 | ACDX #547 | ACCP)
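
A triage sketch for the mismatch entries discussed in this thread, added here as an example (not code from Aruba or from either poster): it parses authmgr <132093> lines and counts, per station, how many mismatches are exactly one behind, the pattern the KB answer attributes to a late reply crossing a retransmission. The sample lines are constructed, and reading "A vs B" as reply counter vs expected counter, in hex, is an assumption.

```python
import re
from collections import Counter, defaultdict

# Line shape follows the authmgr <132093> entries quoted in the first post.
MISMATCH = re.compile(
    r"<132093>.*WPA Key message \d from Station (?P<sta>[0-9a-f:]{17}) "
    r"(?P<bssid>[0-9a-f:]{17}) (?P<ap>\S+) did not match the replay counter "
    r"(?P<got>[0-9a-fA-F]+) vs (?P<want>[0-9a-fA-F]+)"
)

# Constructed sample input (MACs and AP names are made up for this example).
SAMPLE = """\
Sep 8 09:34:36 authmgr: <132093> |authmgr| WPA Key message 2 from Station 02:00:00:00:00:01 02:00:00:00:aa:01 AP-EXAMPLE-1 did not match the replay counter 01 vs 02
Sep 8 09:34:36 authmgr: <132093> |authmgr| WPA Key message 2 from Station 02:00:00:00:00:01 02:00:00:00:aa:01 AP-EXAMPLE-1 did not match the replay counter 01 vs 02
Sep 8 09:38:30 authmgr: <132093> |authmgr| WPA Key message 2 from Station 02:00:00:00:00:01 02:00:00:00:aa:02 AP-EXAMPLE-2 did not match the replay counter 06 vs 07
Sep 8 09:40:00 authmgr: <132093> |authmgr| WPA Key message 2 from Station 02:00:00:00:00:02 02:00:00:00:aa:01 AP-EXAMPLE-1 did not match the replay counter 01 vs 04
Sep 8 09:41:00 stm: <501100> |stm| Assoc success @ 09:41:00.000000: 02:00:00:00:00:02: AP 192.0.2.10-02:00:00:00:aa:01-AP-EXAMPLE-1
"""

def summarize(lines):
    """Return {station: {"events", "late_by_one", "other", "aps"}}."""
    report = defaultdict(lambda: {"events": 0, "late_by_one": 0, "other": 0, "aps": Counter()})
    seen = set()
    for line in lines:
        line = line.strip()
        m = MISMATCH.search(line)
        if not m or line in seen:  # skip unrelated lines and verbatim repeats
            continue
        seen.add(line)
        # Assumption: first value is the counter in the reply, second is expected.
        lag = int(m["want"], 16) - int(m["got"], 16)
        entry = report[m["sta"]]
        entry["events"] += 1
        entry["late_by_one" if lag == 1 else "other"] += 1
        entry["aps"][m["ap"]] += 1
    return dict(report)

if __name__ == "__main__":
    for sta, e in summarize(SAMPLE.splitlines()).items():
        print(sta, e["events"], e["late_by_one"], e["other"], dict(e["aps"]))
```

A station whose mismatches are all one behind fits the timeout explanation in the answer above; entries counted under "other" do not fit it and are worth checking in the 'show auth-trace buffer' output.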
