Wireless Access

Frequent Contributor I
Posts: 89
Registered: ‎10-27-2013

AP drops all connections with IDS messages

Hi, was hoping to get some clarity/insight as to what the below log messages indicate. This is from my controller looking at events logged for my one AP.

The AP has strange behaviour where it drops sessions and packets every so often. Today our Solarwinds monitoring reported it as down when a lot of clients lost connectivity; some were disconnected completely and some lost the ability to transfer data while keeping the connection.


The log below indicates a few IDS events/behaviour and I was hoping to get some clarity on what the problem could be.


Is my IDS possibly set to high or to low, or should I ignore the IDS settings?


Jun 13 12:46:19  sapd[1220]: <127085> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Malformed Frame - Large Duration: An AP detected that the device with MAC address e0:3e:44:04:90:37 (CHANNEL 1 with SNR 7) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:29000.

Jun 13 12:46:19  wms[1982]: <126085> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d0@B-Block_1stFlr_Networks): Malformed Frame - Large Duration: An AP detected that the device with MAC address e0:3e:44:04:90:37 (CHANNEL 1 with SNR 7) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:29000. Associated WVE ID(s): WVE-2005-0051.

Jun 13 12:46:26  sapd[1220]: <127088> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Hotspotter Attack: An AP detected that the client with MAC address e4:b3:18:32:2a:3a (BSSID 24:de:c6:ca:80:42 on CHANNEL 1 with SNR 6) may be under attack from the Hotspotter tool. The probe response was sent from AP 24:de:c6:ca:80:42 for SSID GUEST.

Jun 13 12:46:26  wms[1982]: <126088> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d0@B-Block_1stFlr_Networks): Hotspotter Attack: An AP detected that the client with MAC address e4:b3:18:32:2a:3a (BSSID 24:de:c6:ca:80:42 on CHANNEL 1 with SNR 6) may be under attack from the Hotspotter tool. The probe response was sent from AP 24:de:c6:ca:80:42 for SSID GUEST. Associated WVE ID(s): WVE-2005-0054.

Jun 13 12:46:35  sapd[1220]: <127065> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (f0:43:47:3b:c6:f5) and access point (BSSID 9c:1c:12:0f:7d:d3), with source f0:43:47:3b:c6:f5 and receiver 00:21:d8:62:ef:a0. SNR value is 37.

Jun 13 12:52:09  sapd[1220]: <127087> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Block ACK DoS Attack: An AP detected a data frame which indicates a possible Block ACK DoS Attack.  The frame from a4:17:31:f3:e3:75 to 00:21:d8:62:ef:a0 (BSSID 9c:1c:12:0f:7d:d4 on CHANNEL 1 with SNR 40) is outside the current sequence number window, and thus may be dropped. Additional Info: Victim:a4:17:31:f3:e3:75 TID:0 Retry:0 Dir:2 StartSq:241 FrameSq:240 EndSq:304 BSSID:9c:1c

Jun 13 12:52:09  wms[1982]: <126087> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d0@B-Block_1stFlr_Networks): Block ACK DoS Attack: An AP detected a data frame which indicates a possible Block ACK DoS Attack.  The frame from a4:17:31:f3:e3:75 to 00:21:d8:62:ef:a0 (BSSID 9c:1c:12:0f:7d:d4 on CHANNEL 1 with SNR 40) is outside the current sequence number window, and thus may be dropped. Additional Info: Victim:a4:17:31:f3:e3:75 TID:0 Retry:0 Dir:2 StartSq:241 FrameSq:240 EndSq:304 BSSID:9c:1c:12:0f:7d:d4 . Associat

Jun 13 12:54:43  sapd[1220]: <127030> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d8): Invalid MAC OUI: An AP detected an invalid MAC OUI (4c:66:41:82:a9:22) being used in a frame. The Address Type in which the invalid MAC is used is SRC, and SNR value is 38. Additional Info: Src-MAC:4c:66:41:82:a9:22; Dst-MAC:9c:1c:12:0f:7d:da; BSSID:9c:1c:12:0f:7d:da; Channel:52; Frame:data-null-func; Rx: True.

Jun 13 12:54:43  wms[1982]: <126030> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d8@B-Block_1stFlr_Networks): Invalid MAC OUI: An AP detected an invalid MAC OUI (4c:66:41:82:a9:22) being used in a frame. The Address Type in which the invalid MAC is used is SRC, and SNR value is 38. Additional Info: Src-MAC:4c:66:41:82:a9:22; Dst-MAC:9c:1c:12:0f:7d:da; BSSID:9c:1c:12:0f:7d:da; Channel:52; Frame:data-null-func; Rx: True.

Jun 13 12:54:49  sapd[1220]: <127011> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Privacy Violation: An AP detected an access point (BSSID 6c:f3:7f:db:8c:b0 and SSID tcm-guest-wireless on CHANNEL 11) has bad WEP configuration.

Jun 13 12:54:49  sapd[1220]: <127028> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): WPA Violation: An AP detected an access point (BSSID 6c:f3:7f:db:8c:b0 and SSID tcm-guest-wireless on CHANNEL 11) has bad WPA configuration.

Jun 13 12:54:58  sapd[1220]: <127080> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d8): Malformed Frame - Assoc Request: An AP detected that the device with MAC address 00:00:00:00:00:00 (BSSID 00:00:00:00:00:00 on CHANNEL 52 with SNR 22) has sent an association request containing an empty SSID. If 00:00:00:00:00:00 uses a vulnerable wireless driver this could cause it to crash.

Jun 13 13:01:54  sapd[1220]: <127085> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d8): Malformed Frame - Large Duration: An AP detected that the device with MAC address 0e:84:dc:9e:04:89 (CHANNEL 52 with SNR 19) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:31000.

Jun 13 13:01:54  wms[1982]: <126085> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d8@B-Block_1stFlr_Networks): Malformed Frame - Large Duration: An AP detected that the device with MAC address 0e:84:dc:9e:04:89 (CHANNEL 52 with SNR 19) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:31000. Associated WVE ID(s): WVE-2005-0051.
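
As an added example (not code from this thread or from Aruba), here is a small Python parser and triage pass over IDS lines of the shape posted above. It extracts the event name, AP, offending MAC, BSSID, channel, SNR, duration and WVE ids, merges the duplicate sapd (AP-side) and wms (controller-side) copies of each detection, and tags each event with two heuristics that are this example's own assumptions: a "weak-signal" flag when SNR is below an assumed threshold of 10 dB (a distant transmitter rather than one of this AP's clients), and an "own-bssid" flag when the BSSID in the message shares its first five octets with the AP MAC, which assumes the ArubaOS convention of deriving BSSIDs from the AP's base MAC. The sample input is ten of the lines from the post, embedded verbatim; the two Block ACK lines are kept truncated exactly as posted to show the parser copes with cut-off messages.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: ten IDS lines from the thread, embedded verbatim (the two
# Block ACK lines are cut short exactly as they appear in the post).
SAMPLE_LOG = """\
Jun 13 12:46:19  sapd[1220]: <127085> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Malformed Frame - Large Duration: An AP detected that the device with MAC address e0:3e:44:04:90:37 (CHANNEL 1 with SNR 7) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:29000.
Jun 13 12:46:19  wms[1982]: <126085> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d0@B-Block_1stFlr_Networks): Malformed Frame - Large Duration: An AP detected that the device with MAC address e0:3e:44:04:90:37 (CHANNEL 1 with SNR 7) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:29000. Associated WVE ID(s): WVE-2005-0051.
Jun 13 12:46:35  sapd[1220]: <127065> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (f0:43:47:3b:c6:f5) and access point (BSSID 9c:1c:12:0f:7d:d3), with source f0:43:47:3b:c6:f5 and receiver 00:21:d8:62:ef:a0. SNR value is 37.
Jun 13 12:52:09  sapd[1220]: <127087> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Block ACK DoS Attack: An AP detected a data frame which indicates a possible Block ACK DoS Attack.  The frame from a4:17:31:f3:e3:75 to 00:21:d8:62:ef:a0 (BSSID 9c:1c:12:0f:7d:d4 on CHANNEL 1 with SNR 40) is outside the current sequence number window, and thus may be dropped. Additional Info: Victim:a4:17:31:f3:e3:75 TID:0 Retry:0 Dir:2 StartSq:241 FrameSq:240 EndSq:304 BSSID:9c:1c
Jun 13 12:52:09  wms[1982]: <126087> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d0@B-Block_1stFlr_Networks): Block ACK DoS Attack: An AP detected a data frame which indicates a possible Block ACK DoS Attack.  The frame from a4:17:31:f3:e3:75 to 00:21:d8:62:ef:a0 (BSSID 9c:1c:12:0f:7d:d4 on CHANNEL 1 with SNR 40) is outside the current sequence number window, and thus may be dropped. Additional Info: Victim:a4:17:31:f3:e3:75 TID:0 Retry:0 Dir:2 StartSq:241 FrameSq:240 EndSq:304 BSSID:9c:1c:12:0f:7d:d4 . Associat
Jun 13 12:54:43  sapd[1220]: <127030> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d8): Invalid MAC OUI: An AP detected an invalid MAC OUI (4c:66:41:82:a9:22) being used in a frame. The Address Type in which the invalid MAC is used is SRC, and SNR value is 38. Additional Info: Src-MAC:4c:66:41:82:a9:22; Dst-MAC:9c:1c:12:0f:7d:da; BSSID:9c:1c:12:0f:7d:da; Channel:52; Frame:data-null-func; Rx: True.
Jun 13 12:54:49  sapd[1220]: <127011> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d0): Privacy Violation: An AP detected an access point (BSSID 6c:f3:7f:db:8c:b0 and SSID tcm-guest-wireless on CHANNEL 11) has bad WEP configuration.
Jun 13 12:54:58  sapd[1220]: <127080> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d8): Malformed Frame - Assoc Request: An AP detected that the device with MAC address 00:00:00:00:00:00 (BSSID 00:00:00:00:00:00 on CHANNEL 52 with SNR 22) has sent an association request containing an empty SSID. If 00:00:00:00:00:00 uses a vulnerable wireless driver this could cause it to crash.
Jun 13 13:01:54  sapd[1220]: <127085> <WARN> |AP B-Block_1stFlr_Networks@10.254.253.123 sapd| |ids-ap| AP(9c:1c:12:0f:7d:d8): Malformed Frame - Large Duration: An AP detected that the device with MAC address 0e:84:dc:9e:04:89 (CHANNEL 52 with SNR 19) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:31000.
Jun 13 13:01:54  wms[1982]: <126085> <WARN> |wms| |ids| AP(9c:1c:12:0f:7d:d8@B-Block_1stFlr_Networks): Malformed Frame - Large Duration: An AP detected that the device with MAC address 0e:84:dc:9e:04:89 (CHANNEL 52 with SNR 19) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:ctrl-cts, Duration:31000. Associated WVE ID(s): WVE-2005-0051.
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
# Header shared by the AP-side copy (sapd, |ids-ap|) and the controller copy (wms, |ids|).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) +(?P<proc>sapd|wms)\[\d+\]: "
    r"<(?P<msgid>\d+)> <(?P<level>\w+)> \|[^|]*\| \|ids(?:-ap)?\| "
    r"AP\((?P<ap>[0-9a-f:]{17})(?:@[^)]*)?\): (?P<event>[^:]+): (?P<text>.*)$"
)
# Each event type names the offending device differently; the first pattern that hits wins.
ACTOR_RES = [re.compile(p + MAC) for p in
             (r"MAC address ", r"valid client \(", r"MAC OUI \(", r"frame from ", r"BSSID ")]
BSSID_RE = re.compile(r"BSSID:? ?" + MAC)
CHANNEL_RE = re.compile(r"CHANNEL (\d+)|Channel:(\d+)")
SNR_RE = re.compile(r"SNR (?:value is )?(\d+)")
DURATION_RE = re.compile(r"Duration:(\d+)")
WVE_RE = re.compile(r"WVE-\d{4}-\d{4}")
LOW_SNR = 10  # assumed threshold (dB): below it the transmitter is far from this AP


@dataclass
class IdsEvent:
    ts: str
    ap: str
    event: str
    actor: Optional[str]
    bssid: Optional[str]
    channel: Optional[int]
    snr: Optional[int]
    duration: Optional[int]
    wve: List[str] = field(default_factory=list)


def _first_int(pattern, text):
    hit = pattern.search(text)
    return int(next(g for g in hit.groups() if g)) if hit else None


def _first_mac(patterns, text):
    hits = (p.search(text) for p in patterns)
    return next((h.group(1) for h in hits if h), None)


def parse_line(line: str) -> Optional[IdsEvent]:
    m = LINE_RE.match(line)
    if not m:
        return None  # not an IDS line, or a shape this parser does not know
    text = m["text"]
    return IdsEvent(ts=m["ts"], ap=m["ap"], event=m["event"].strip(),
                    actor=_first_mac(ACTOR_RES, text), bssid=_first_mac([BSSID_RE], text),
                    channel=_first_int(CHANNEL_RE, text), snr=_first_int(SNR_RE, text),
                    duration=_first_int(DURATION_RE, text), wve=WVE_RE.findall(text))


def parse_lines(text: str) -> List[IdsEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def dedupe(events: List[IdsEvent]) -> List[IdsEvent]:
    """sapd (on the AP) and wms (on the controller) log one detection twice;
    merge on (time, AP, event, actor) and keep the union of WVE ids."""
    merged = {}
    for ev in events:
        key = (ev.ts, ev.ap, ev.event, ev.actor)
        if key in merged:
            merged[key].wve += [w for w in ev.wve if w not in merged[key].wve]
        else:
            merged[key] = ev
    return list(merged.values())


def triage(ev: IdsEvent) -> str:
    """Heuristic labels (this example's own) separating distant third-party
    radios from events that touch one of this AP's own BSSIDs."""
    flags = []
    if ev.snr is not None and ev.snr < LOW_SNR:
        flags.append("weak-signal")
    # Assumed ArubaOS convention: BSSIDs share the AP MAC's first five octets.
    if ev.bssid and ev.bssid[:14] == ev.ap[:14]:
        flags.append("own-bssid")
    return ",".join(flags) or "none"


if __name__ == "__main__":
    events = dedupe(parse_lines(SAMPLE_LOG))
    for ev in events:
        print(f"{ev.ts} {ev.event:<36} actor={ev.actor} ch={ev.channel} snr={ev.snr} [{triage(ev)}]")
    print(dict(Counter(ev.event for ev in events)))
```

Run against the lines in the post, the two "Large Duration" detections at SNR 7 and 19 and the "Privacy Violation" against a foreign BSSID come out as things other radios did, while the "Valid Client Not Using Encryption", "Block ACK DoS Attack" and "Invalid MAC OUI" events involve this AP's own BSSIDs at SNR 37 to 40, which is the subset worth raising with TAC alongside the session drops.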
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: AP drops all connections with IDS messages

You should open a tac case in parallel with this post. An AP should not lose connectivity on the lan for any reason during normal production time.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 89
Registered: ‎10-27-2013

Re: AP drops all connections with IDS messages

Hi Colin

Yes, will see to chat to TAC; however, just to clarify, the AP didn't lose connectivity on the LAN, it just didn't respond at all. Checking the controller, no reboot was observed for this AP and uptime didn't reset.

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: AP drops all connections with IDS messages

You should set the IDS to low or disabled to see if the behavior continues.  It is quite possible it has nothing to do with the IDS.



Colin Joseph
Aruba Customer Engineering

