01-20-2015 08:33 AM
I have some client disconnections in my wifi system. I read this in the controller log:
<132093> |AP IAPfirstname.lastname@example.org stm| WPA2 Key message 2 from Station 08:d8:33:xx:xx:xx 18:64:72:xx:xx:xx IAP-225-n16 did not match the replay counter 02 vs 04
I read that it is a good idea to change the "timer wpa-key-period" parameter to a bigger one.
I had set it to 1000ms and changed it to 2000ms.
Does anyone have experience changing this parameter? What would be a good number?
01-20-2015 08:40 AM
Why could I open a TAC case?
Mostly the disconnection happens on some specific Android devices. Is it possible to apply this AAA profile to some MAC addresses?
I will appreciate any help.
01-21-2015 06:59 PM
I always like to advise that you work with Aruba TAC when changing timers as they are often sensitive changes that can cause other issues.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
01-21-2015 08:05 PM
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
01-22-2015 12:16 AM
I'll be preparing a forum post on this soon enough (next week I hope), values over 1000ms are problematic for recent Apple devices at a minimum and you should exercise care in using anything greater than a few hundred msec.
And yes, TAC are guilty of using slapdash values - myself included and it is for this reason I recently discovered a problem with iOS8 and the usual values that we like to use on these timers (long story short, if the time is too long between eap-success and wpa2-key1, Apple device appears to start to scan and is gone by the time controller starts key exchange, which ends up seriously prolonging the exchange or failing completely).
Please reset all timers to default, ensure you have eapol rate optimisation turned on in the SSID profile, and see how the client behaves from auth trace buf under 'regular' conditions.
You can also look at enabling 'packet-capture wifi-client' and taking a look at the actual transaction (more or less mirrors the auth trace buf, but better granularity) to see what is going on.
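For triaging the replay-counter message quoted in the first post, an added example (not part of the thread, and not Aruba code): it parses that message format and groups the events by client MAC prefix, to check whether a few device models account for most of them. The sample lines, the `ap1@192.0.2.10` source field and the AP name `IAP-225-n17` are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# MAC octets may be masked as "xx", as they are in the log line quoted in the post.
MAC = r"(?:[0-9A-Fa-fxX]{2}:){5}[0-9A-Fa-fxX]{2}"
EVENT = re.compile(
    r"WPA2 Key message (?P<msg>\d+) from Station (?P<sta>" + MAC + r") "
    r"(?P<bssid>" + MAC + r") (?P<ap>\S+) did not match the replay counter "
    r"(?P<first>\w+) vs (?P<second>\w+)"
)

def parse_line(line):
    """Return the fields of one replay-counter mismatch event, or None."""
    m = EVENT.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sta"] = ev["sta"].lower()
    ev["oui"] = ev["sta"][:8]  # first three octets: the client's vendor prefix
    return ev

def summarize(lines):
    """Group mismatch events by client OUI: event count, stations, APs."""
    by_oui = defaultdict(lambda: {"events": 0, "stations": set(), "aps": Counter()})
    total = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log line
        total += 1
        entry = by_oui[ev["oui"]]
        entry["events"] += 1
        entry["stations"].add(ev["sta"])
        entry["aps"][ev["ap"]] += 1
    return total, dict(by_oui)

def dominant_ouis(lines, share=0.5):
    """OUIs responsible for at least `share` of all mismatch events."""
    total, by_oui = summarize(lines)
    return sorted(o for o, e in by_oui.items() if total and e["events"] / total >= share)

# Constructed sample lines (not real captures), in the format quoted in the post.
HDR = "<132093> |AP ap1@192.0.2.10 stm| WPA2 Key message 2 from Station "
END = " did not match the replay counter "
SAMPLE = [
    HDR + "08:d8:33:00:00:01 18:64:72:00:00:10 IAP-225-n16" + END + "02 vs 04",
    HDR + "08:d8:33:00:00:02 18:64:72:00:00:10 IAP-225-n16" + END + "01 vs 02",
    HDR + "08:d8:33:00:00:01 18:64:72:00:00:20 IAP-225-n17" + END + "02 vs 03",
    HDR + "02:00:00:00:00:05 18:64:72:00:00:10 IAP-225-n16" + END + "01 vs 02",
    "<000000> |AP ap1@192.0.2.10 stm| constructed unrelated line",
]
```

Calling `dominant_ouis()` on the lines of an exported controller log gives the prefixes to compare against the affected device models before any timer is changed.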