Occasional Contributor II

Key message did not match the replay counter error message

Hi,

I have got a weird problem that seems completely random and wondered if anyone else has come across this.

I have a client that is attempting to connect to a secured SSID running 802.1x (EAP TLS) using WPA2 as the encryption.

When I tried it a couple of days ago the device would not associate, then for some reason today it did - well, for a while anyway. I rebooted the client device and now it won't connect, and I get the following message in the logs:

authmgr: <132093> |authmgr| WPA2 Key message 2 from Station 00:22:19:e7:82:b2 00:0b:86:e3:db:03 JONS_LAST_CHANCE_2_00:0b:86:c6:3d:b0 did not match the replay counter 0219 vs 0220

Has anyone seen this before?
Aruba Employee

Key message did not match the replay counter error message

There is a final 4-way handshake that occurs before the machine is on
the network. Based on this message, it does not appear to be completing
it.

What NIC and driver are you running? I would suggest that you try to
use a later driver first.

Can you provide the output of "show auth-tracebuf mac "

-michael
Occasional Contributor II

Re: Key message did not match the replay counter error message

Hi Michael,

OK, here's the tricky part that I purposely did not mention in the first post...
I'm using a Cisco 1242 access point running in universal bridge mode :-)
Now you see why I failed to mention this before... I know that this can work, as the very same access point is working fine on a different controller, and as I mentioned it was working fine for about an hour, and then for no reason it stopped. I can still connect to the same SSID/network from normal clients without an issue...
I'm stumped as to why it would stop working randomly.

Cheers
Andrew
Occasional Contributor II

Re: Key message did not match the replay counter error message

It's gone all quiet - just as I suspected :)
I will get the guys to hook it up again and I'll get some show auth output.
Aruba Employee

Key message did not match the replay counter error message

Hi Andrew,

Can you give me an illustration of the topology you have described
below? I am failing to understand how the Cisco 1242 bridge is fitting
into the picture...

-michael
Occasional Contributor II

Re: Key message did not match the replay counter error message

Hi Michael,

Basically the Cisco 1242 is going to have clients connected to its Ethernet port, and they will use the AP as a bridge to get to the Aruba network.

Consider plugging your PC into the Ethernet port of the Cisco AP: the Cisco AP has the relevant SSID configured and is set up in UNIVERSAL bridge mode (i.e. it can connect to non-Cisco APs; it is just seen as a client from Aruba's perspective), and it connects to the Aruba AP.

There was a lot of talk about this never being able to work, but in later versions of Cisco IOS it does work - as we have proved... just not for very long. We were happily connected for about an hour or so, and then it dropped off. We did turn off opportunistic caching, as this does cause an issue apparently.

Trace auth - maybe we need to look at the certificate on the Cisco AP?
Jun 25 16:12:54 station-up * 00:19:d2:73:14:fa 00:0b:86:e3:db:04 - - wpa2 aes
Jun 25 16:12:54 eap-id-req <- 00:19:d2:73:14:fa 00:0b:86:e3:db:04 1 5
Jun 25 16:12:54 eap-start -> 00:19:d2:73:14:fa 00:0b:86:e3:db:04 - -
Jun 25 16:12:54 eap-id-req <- 00:19:d2:73:14:fa 00:0b:86:e3:db:04 1 5
Jun 25 16:12:55 station-down * 00:19:d2:73:14:fa 00:0b:86:e3:db:04

Hope that helps

Andrew
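As an added example (not from the thread, Aruba or Cisco), a small Python parser for the two artifacts posted above: the authmgr replay-counter message and the auth-tracebuf output. It flags sessions that went station-up and station-down without a success event in between, which is the "not completing the handshake" pattern Michael describes; the success event names it looks for (eap-success, wpa2-key4) are an assumption, not taken from the thread.

```python
import re
from collections import defaultdict

# authmgr replay-counter complaint, in the shape quoted in the thread.
REPLAY_RE = re.compile(
    r"WPA2 Key message (?P<msg>\d) from Station (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<essid>\S+) "
    r"did not match the replay counter (?P<got>\d+) vs (?P<want>\d+)", re.I)
# One 'show auth-tracebuf' line: time, event, direction, station MAC, BSSID, trailing fields.
TRACE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<event>\S+)\s+(?P<dir>[*<>-]+)\s+"
    r"(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_replay_mismatch(line):
    """Return station, handshake message number and counter gap, or None for unrelated lines."""
    m = REPLAY_RE.search(line)
    if not m:
        return None
    got, want = int(m["got"]), int(m["want"])
    # A positive gap means the supplicant answered with a counter older than the one outstanding.
    return {"sta": m["sta"].lower(), "msg": int(m["msg"]), "got": got, "want": want,
            "gap": want - got}

def incomplete_sessions(trace_lines, success_events=("eap-success", "wpa2-key4")):
    """Stations that went station-up then station-down with no success event in between.
    success_events are assumed ArubaOS trace labels; the thread only shows station-up/down,
    eap-id-req and eap-start."""
    state = defaultdict(lambda: {"up": False, "ok": False})
    flagged = []
    for line in trace_lines:
        m = TRACE_RE.match(line)
        if not m:
            continue
        sta, ev = m["sta"].lower(), m["event"]
        s = state[sta]
        if ev == "station-up":
            s["up"], s["ok"] = True, False
        elif ev in success_events:
            s["ok"] = True
        elif ev == "station-down" and s["up"] and not s["ok"]:
            flagged.append(sta)
            s["up"] = False
    return flagged

# Sample input: the log line and trace quoted in this thread.
SAMPLE_LOG = ("authmgr: <132093> |authmgr| WPA2 Key message 2 from Station 00:22:19:e7:82:b2 "
              "00:0b:86:e3:db:03 JONS_LAST_CHANCE_2_00:0b:86:c6:3d:b0 did not match the replay counter 0219 vs 0220")
SAMPLE_TRACE = """Jun 25 16:12:54 station-up * 00:19:d2:73:14:fa 00:0b:86:e3:db:04 - - wpa2 aes
Jun 25 16:12:54 eap-id-req <- 00:19:d2:73:14:fa 00:0b:86:e3:db:04 1 5
Jun 25 16:12:54 eap-start -> 00:19:d2:73:14:fa 00:0b:86:e3:db:04 - -
Jun 25 16:12:54 eap-id-req <- 00:19:d2:73:14:fa 00:0b:86:e3:db:04 1 5
Jun 25 16:12:55 station-down * 00:19:d2:73:14:fa 00:0b:86:e3:db:04""".splitlines()
```

Run over a full controller log, a station that shows up repeatedly in both outputs is the one whose driver or bridge firmware to look at first.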
Aruba Employee

Re: Key message did not match the replay counter error message

Hi Andrew,

I looked up the MAC address and the OUI belongs to Intel. I was expecting a Cisco OUI instead, since it really is behaving as a wireless client. Typically when I see handshake errors, there is a chance that a newer driver may fix it. I don't have a Cisco AP to validate this.

On a different note, this type of functionality is similar to our mesh capabilities. The Aruba solution consists of: a) mesh portal and b) mesh point.

The mesh portal is the gateway between the wireless mesh network and the enterprise wired LAN. The mesh point uses one of its wireless interfaces to carry traffic and reach the controller.

In your topology, the PC would connect to a mesh point. Both mesh portal and mesh point would also have the ability to advertise an ESSID.

The enhanced mesh functionality will be part of AOS 3.4. Indoor mesh is now part of the base OS (starting with 3.4).

-michael
Occasional Contributor II

Re: Key message did not match the replay counter error message

Cheers for the response Michael, I'll run some more tests, as I had to rely on a 3rd party to get that info.
I can't use anything other than the Cisco AP, as this solution is actually on an aircraft, so it has to be compatible with all WLAN infrastructures at airports across the world - don't ask... I am going to up the logging level and take a closer look this week.
Occasional Contributor II

Re: Key message did not match the replay counter error message

We found a work-around for this issue. If you ever come across this, tick the PMKID checkbox and things kick back into life. Basically the Cisco box doesn't like being sent key 2 when it reconnects to the network. Aruba is smart enough to know it has seen the Cisco AP, so it doesn't start the auth process from scratch. Enabling the PMKID check essentially restarts the auth process from a level Cisco can deal with - back to the beginning. The auth of the device does take longer (7 seconds), as the first auth fails, but at least it is able to connect.