Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

OKC/PMKID/Replay Counter related?

  • 1.  OKC/PMKID/Replay Counter related?

    Posted Mar 21, 2014 06:39 PM

    Hi all, 

     

    Have an issue with a student and their MBP (F5:21) running 10.9.2. Student's laptop just stays in his room for the most part, but when stationary, will drop the connection to the APs sometimes. Turned on debugging on his MAC. Got word that the laptop dropped at 7:48 pm last night, so here are the logs for around then:

    Mar 20 19:47:40 :501095:  <NOTI> |stm|  Assoc request @ 19:47:40.196297: XX:XX:XX:XX:f5:21 (SN 910): AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:40 :501100:  <NOTI> |stm|  Assoc success @ 19:47:40.198238: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:40 :522035:  <INFO> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station UP: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:47:40 :522077:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21 ingress 0x0x10207 (tunnel 519), u_encr 32, m_encr 32, slotport 0x0x2140 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Mar 20 19:47:40 :522078:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21, wired: 0, vlan:44 ingress:0x0x10207 (tunnel 519), ingress:0x0x10207 new_aaa_prof: student-wpa2-aaa_prof, stored profile: student-wpa2-aaa_prof stored wired: 0 stored essid: student-wpa2, stored-ingress: 0x0x101c7
    Mar 20 19:47:40 :522247:  <DBUG> |authmgr|  User idle timer removed for user with  MAC XX:XX:XX:XX:f5:21.
    Mar 20 19:47:40 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 0 derivation_type Reset VLANs for Station up index 20.
    Mar 20 19:47:40 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Default VLAN.
    Mar 20 19:47:40 :501109:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Auth request: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B auth_alg 0
    Mar 20 19:47:40 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Default VLAN index 21.
    Mar 20 19:47:40 :501093:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Auth success: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:40 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Current VLAN updated.
    Mar 20 19:47:40 :501095:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Assoc request @ 19:47:40.192585: XX:XX:XX:XX:f5:21 (SN 910): AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:40 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Current VLAN updated index 22.
    Mar 20 19:47:40 :522246:  <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC XX:XX:XX:XX:f5:21.
    Mar 20 19:47:40 :522254:  <DBUG> |authmgr|  VDR - mac XX:XX:XX:XX:f5:21 rolename Student fwdmode 0 derivation_type Initial Role Contained vp not present.
    Mar 20 19:47:40 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 0 derivation_type Reset Role Based VLANs index 23.
    Mar 20 19:47:40 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:XX:XX:XX:XX:f5:21, pmkid_present:False, pmkid:N/A
    Mar 20 19:47:40 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Current VLAN updated.
    Mar 20 19:47:40 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Current VLAN updated index 24.
    Mar 20 19:47:40 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated XX:XX:XX:XX:f5:21 mob 0 inform 1 remote 0 wired 0 defvlan 44 exportedvlan 0 curvlan 44.
    Mar 20 19:47:40 :522243:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station Updated Update MMS: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:47:40 :501100:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Assoc success @ 19:47:40.196307: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:43 :501106:  <NOTI> |stm|  Deauth to sta: XX:XX:XX:XX:f5:21: Ageout AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B wifi_deauth_sta
    Mar 20 19:47:43 :522036:  <INFO> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station DN: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:47:43 :522234:  <DBUG> |authmgr|  Setting idle timer for user XX:XX:XX:XX:f5:21 to 15300 seconds (idle timeout: 15300 ageout: 0).
    Mar 20 19:47:43 :501080:  <NOTI> |stm|  Deauth to sta: XX:XX:XX:XX:f5:21: Ageout AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B Ptk Challenge Failed
    Mar 20 19:47:43 :501000:  <DBUG> |stm|  Station XX:XX:XX:XX:f5:21: Clearing state
    Mar 20 19:47:43 :501105:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Deauth from sta: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B Reason Ptk Challenge Failed
    Mar 20 19:47:43 :501000:  <DBUG> |AP Rho_233_B@172.17.42.181 stm|  Station XX:XX:XX:XX:f5:21: Clearing state
    Mar 20 19:47:43 :501095:  <NOTI> |stm|  Assoc request @ 19:47:43.245100: XX:XX:XX:XX:f5:21 (SN 931): AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:43 :501100:  <NOTI> |stm|  Assoc success @ 19:47:43.246749: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:43 :522035:  <INFO> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station UP: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:47:43 :522077:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21 ingress 0x0x10207 (tunnel 519), u_encr 32, m_encr 32, slotport 0x0x2140 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Mar 20 19:47:43 :522078:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21, wired: 0, vlan:44 ingress:0x0x10207 (tunnel 519), ingress:0x0x10207 new_aaa_prof: student-wpa2-aaa_prof, stored profile: student-wpa2-aaa_prof stored wired: 0 stored essid: student-wpa2, stored-ingress: 0x0x10207
    Mar 20 19:47:43 :522247:  <DBUG> |authmgr|  User idle timer removed for user with  MAC XX:XX:XX:XX:f5:21.
    Mar 20 19:47:43 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 0 derivation_type Reset VLANs for Station up index 25.
    Mar 20 19:47:43 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Default VLAN.
    Mar 20 19:47:43 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Default VLAN index 26.
    Mar 20 19:47:43 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Current VLAN updated.
    Mar 20 19:47:43 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Current VLAN updated index 27.
    Mar 20 19:47:43 :522246:  <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC XX:XX:XX:XX:f5:21.
    Mar 20 19:47:43 :522254:  <DBUG> |authmgr|  VDR - mac XX:XX:XX:XX:f5:21 rolename Student fwdmode 0 derivation_type Initial Role Contained vp not present.
    Mar 20 19:47:43 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 0 derivation_type Reset Role Based VLANs index 28.
    Mar 20 19:47:43 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:XX:XX:XX:XX:f5:21, pmkid_present:False, pmkid:N/A
    Mar 20 19:47:43 :501109:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Auth request: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B auth_alg 0
    Mar 20 19:47:43 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Current VLAN updated.
    Mar 20 19:47:43 :501093:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Auth success: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:43 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Current VLAN updated index 29.
    Mar 20 19:47:43 :501095:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Assoc request @ 19:47:43.190999: XX:XX:XX:XX:f5:21 (SN 931): AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:43 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated XX:XX:XX:XX:f5:21 mob 0 inform 1 remote 0 wired 0 defvlan 44 exportedvlan 0 curvlan 44.
    Mar 20 19:47:43 :501100:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Assoc success @ 19:47:43.198548: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:47:43 :522243:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station Updated Update MMS: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:48:09 :501109:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Auth request: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B auth_alg 0
    Mar 20 19:48:09 :501093:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Auth success: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:48:09 :501095:  <NOTI> |stm|  Assoc request @ 19:48:09.032769: XX:XX:XX:XX:f5:21 (SN 1020): AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:48:09 :501095:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Assoc request @ 19:48:08.981122: XX:XX:XX:XX:f5:21 (SN 1020): AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:48:09 :501100:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Assoc success @ 19:48:08.982359: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:48:09 :501100:  <NOTI> |stm|  Assoc success @ 19:48:09.035022: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
    Mar 20 19:48:09 :522035:  <INFO> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station UP: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:48:09 :522077:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21 ingress 0x0x10207 (tunnel 519), u_encr 32, m_encr 32, slotport 0x0x2140 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Mar 20 19:48:09 :522078:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21, wired: 0, vlan:44 ingress:0x0x10207 (tunnel 519), ingress:0x0x10207 new_aaa_prof: student-wpa2-aaa_prof, stored profile: student-wpa2-aaa_prof stored wired: 0 stored essid: student-wpa2, stored-ingress: 0x0x10207
    Mar 20 19:48:09 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 0 derivation_type Reset VLANs for Station up index 30.
    Mar 20 19:48:09 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Default VLAN.
    Mar 20 19:48:09 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Default VLAN index 31.
    Mar 20 19:48:09 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Current VLAN updated.
    Mar 20 19:48:09 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Current VLAN updated index 0.
    Mar 20 19:48:09 :522246:  <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC XX:XX:XX:XX:f5:21.
    Mar 20 19:48:09 :522254:  <DBUG> |authmgr|  VDR - mac XX:XX:XX:XX:f5:21 rolename Student fwdmode 0 derivation_type Initial Role Contained vp not present.
    Mar 20 19:48:09 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 0 derivation_type Reset Role Based VLANs index 1.
    Mar 20 19:48:09 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:XX:XX:XX:XX:f5:21, pmkid_present:False, pmkid:N/A
    Mar 20 19:48:09 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for XX:XX:XX:XX:f5:21 vlan 44 fwdmode 0 derivation_type Current VLAN updated.
    Mar 20 19:48:09 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user XX:XX:XX:XX:f5:21 vlan 44 derivation_type Current VLAN updated index 2.
    Mar 20 19:48:09 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated XX:XX:XX:XX:f5:21 mob 0 inform 1 remote 0 wired 0 defvlan 44 exportedvlan 0 curvlan 44.
    Mar 20 19:48:09 :522243:  <DBUG> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station Updated Update MMS: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:48:12 :501106:  <NOTI> |stm|  Deauth to sta: XX:XX:XX:XX:f5:21: Ageout AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B wifi_deauth_sta
    Mar 20 19:48:12 :522036:  <INFO> |authmgr|  MAC=XX:XX:XX:XX:f5:21 Station DN: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
    Mar 20 19:48:12 :522234:  <DBUG> |authmgr|  Setting idle timer for user XX:XX:XX:XX:f5:21 to 15300 seconds (idle timeout: 15300 ageout: 0).
    Mar 20 19:48:12 :501080:  <NOTI> |stm|  Deauth to sta: XX:XX:XX:XX:f5:21: Ageout AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B Ptk Challenge Failed
    Mar 20 19:48:12 :501000:  <DBUG> |stm|  Station XX:XX:XX:XX:f5:21: Clearing state
    Mar 20 19:48:12 :501105:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Deauth from sta: XX:XX:XX:XX:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B Reason Ptk Challenge Failed
    Mar 20 19:48:12 :501000:  <DBUG> |AP Rho_233_B@172.17.42.181 stm|  Station XX:XX:XX:XX:f5:21: Clearing state
    ===

     I know there's a lot there, but I don't know what's pertinent to the issue and what isn't. 

     

    I also saw this in AirWave:

    Mar 20 18:48:26 2014 WC-1 authmgr[1755]: <132093> <ERRS> <WC-1 172.17.40.11> WPA2 Key message 2 from Station 28:cf:e9:56:f5:21 6c:f3:7f:96:c8:94 Rho_135_A did not match the replay counter 01 vs 02

    Mar 20 18:48:27 2014 WC-1 authmgr[1755]: <132093> <ERRS> <WC-1 172.17.40.11> WPA2 Key message 2 from Station 28:cf:e9:56:f5:21 6c:f3:7f:96:c8:94 Rho_135_A did not match the replay counter 02 vs 03

    I know it says 18:48, but it said 7:48 pm for the time in Device Events. We have OKC and Validate PMKID enabled, with IDS DOS set to default, and ARP and IP Spoofing disabled. We also have changed the Interval between WPA/WPA2 key messages to 3000 ms, up from 1000 ms. 

     

    Any ideas as to why he's dropping would be greatly appreciated.
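As an added example (not part of the thread, and not HPE Aruba Networking code), here is a small Python parser for the two log formats quoted above. It measures, per station, how long each association survived before the controller sent a "Ptk Challenge Failed" deauth, and collects the EAPOL message-2 replay-counter mismatches. The sample lines are constructed from the ones in the post (placeholder MACs, IPs and AP names); the message IDs 501100, 501080 and 132093 used for classification are the ones that appear in those lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the ArubaOS 6.3 user-debug lines and the
# AirWave lines quoted in the post. MACs, IPs and AP names are placeholders.
SAMPLE_LOG = """\
Mar 20 19:47:40 :501100:  <NOTI> |stm|  Assoc success @ 19:47:40.198238: 28:cf:e9:56:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
Mar 20 19:47:40 :522035:  <INFO> |authmgr|  MAC=28:cf:e9:56:f5:21 Station UP: BSSID=6c:f3:7f:96:c3:1a ESSID=student-wpa2 VLAN=44 AP-name=Rho_233_B
Mar 20 19:47:43 :501080:  <NOTI> |stm|  Deauth to sta: 28:cf:e9:56:f5:21: Ageout AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B Ptk Challenge Failed
Mar 20 19:47:43 :501105:  <NOTI> |AP Rho_233_B@172.17.42.181 stm|  Deauth from sta: 28:cf:e9:56:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B Reason Ptk Challenge Failed
Mar 20 19:48:09 :501100:  <NOTI> |stm|  Assoc success @ 19:48:09.035022: 28:cf:e9:56:f5:21: AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B
Mar 20 19:48:12 :501080:  <NOTI> |stm|  Deauth to sta: 28:cf:e9:56:f5:21: Ageout AP 172.17.42.181-6c:f3:7f:96:c3:1a-Rho_233_B Ptk Challenge Failed
Mar 20 19:48:26 2014 WC-1 authmgr[1755]: <132093> <ERRS> <WC-1 172.17.40.11> WPA2 Key message 2 from Station 28:cf:e9:56:f5:21 6c:f3:7f:96:c8:94 Rho_135_A did not match the replay counter 01 vs 02
Mar 20 19:48:27 2014 WC-1 authmgr[1755]: <132093> <ERRS> <WC-1 172.17.40.11> WPA2 Key message 2 from Station 28:cf:e9:56:f5:21 6c:f3:7f:96:c8:94 Rho_135_A did not match the replay counter 02 vs 03
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")
MSGID_RE = re.compile(r":(\d{6}):|<(\d{6})>")          # ":501080:" or "<132093>"
MAC_RE = re.compile(r"\b[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}\b")
REPLAY_RE = re.compile(r"did not match the replay counter (\d+) vs (\d+)")

# Message IDs as they appear in the quoted logs.
MSG_ASSOC_SUCCESS = "501100"    # stm: Assoc success
MSG_DEAUTH_PTK = "501080"       # stm: Deauth to sta ... Ptk Challenge Failed
MSG_REPLAY_MISMATCH = "132093"  # authmgr: WPA2 Key message 2 ... replay counter


def parse_line(line):
    """Return one event dict for a log line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year is not logged
    mid = MSGID_RE.search(line)
    msgid = (mid.group(1) or mid.group(2)) if mid else None
    macs = MAC_RE.findall(line)
    # In every format seen here the station MAC precedes the BSSID.
    station = macs[0].lower() if macs else None
    rep = REPLAY_RE.search(line)
    # The log message does not document which of the two counters is the
    # station's and which the controller's; keep the pair as printed.
    replay = (int(rep.group(1)), int(rep.group(2))) if rep else None
    return {"ts": ts, "msgid": msgid, "station": station, "replay": replay}


def analyse(text):
    """Per station: seconds from each 'Assoc success' to the following
    'Ptk Challenge Failed' deauth, plus all replay-counter mismatches."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # stable: same-second order is kept
    last_assoc = {}
    report = defaultdict(lambda: {"ptk_failures": [], "replay_mismatches": []})
    for e in events:
        sta = e["station"]
        if sta is None:
            continue
        if e["msgid"] == MSG_ASSOC_SUCCESS:
            last_assoc[sta] = e["ts"]
        elif e["msgid"] == MSG_DEAUTH_PTK:
            gap = (e["ts"] - last_assoc[sta]).total_seconds() if sta in last_assoc else None
            report[sta]["ptk_failures"].append(gap)
        elif e["msgid"] == MSG_REPLAY_MISMATCH and e["replay"]:
            report[sta]["replay_mismatches"].append(e["replay"])
    return dict(report)


def diagnose(summary, max_handshake_s=5):
    """Human-readable findings for one station's summary."""
    findings = []
    gaps = [g for g in summary["ptk_failures"] if g is not None]
    if gaps and max(gaps) <= max_handshake_s:
        findings.append(f"{len(gaps)} 'Ptk Challenge Failed' deauth(s) within "
                        f"{max(gaps):.0f}s of association: the 4-way handshake did not complete")
    if summary["replay_mismatches"]:
        findings.append(f"{len(summary['replay_mismatches'])} EAPOL message-2 replay-counter "
                        "mismatch(es): the supplicant's reply did not carry the counter the "
                        "controller expected")
    return findings


if __name__ == "__main__":
    for sta, summary in analyse(SAMPLE_LOG).items():
        print(sta)
        for f in diagnose(summary):
            print("  -", f)
```

Run against a full `show log user-debug` capture, the interesting output is a station whose every association dies a fixed few seconds later with "Ptk Challenge Failed": association itself succeeds, so RF and 802.11 auth are not the first suspect, and the controller is timing out the WPA2 key exchange. A constant gap that matches the configured key-message interval (the post mentions 3000 ms, and the quoted deauths come 3 s after association) is what to compare against a packet capture of the EAPOL exchange.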



  • 2.  RE: OKC/PMKID/Replay Counter related?

    Posted Mar 21, 2014 06:47 PM
    Faulty wireless card?


  • 3.  RE: OKC/PMKID/Replay Counter related?

    EMPLOYEE
    Posted Mar 22, 2014 09:52 AM

    What encryption is in use here?

    What version of ArubaOS?

    What model access points?

     

    The error message is a generic one that indicates a failed authentication.



  • 4.  RE: OKC/PMKID/Replay Counter related?

    Posted Mar 24, 2014 12:09 PM
    • wpa2-psk-aes
    • 6.3.1.3
    • AP-105 (we also have AP-135s, but in this particular location the student only has AP-105s in their area)


  • 5.  RE: OKC/PMKID/Replay Counter related?

    EMPLOYEE
    Posted Mar 24, 2014 12:53 PM

    Is there any way to see how many users were on that access point at that time?

    In addition, what is the utilization on that access point for the 2.4 GHz band and the 5 GHz band?

    What is the noise for both of those bands for that access point at that time?

     



  • 6.  RE: OKC/PMKID/Replay Counter related?

    Posted Mar 25, 2014 11:31 AM

    Please see attached screenshots.

     

    I was able to pull historical through AirWave for the usage and clients for around the time these logs were taken. I was not able to see a way to pull utilization for the two bands at that time, and I didn't see a place for noise at that point in time - just the current noise floor.

     

    Let me know if there's a better way of obtaining the information you need.



  • 7.  RE: OKC/PMKID/Replay Counter related?

    EMPLOYEE
    Posted Mar 29, 2014 10:13 AM

    amoreno,

     

    You should open a TAC case, because there is plenty of personal information that is needed to explain this, but you probably will not be able to display that here...



  • 8.  RE: OKC/PMKID/Replay Counter related?

    Posted Mar 31, 2014 02:46 PM

    Okay, will do.

     

    Thank you.



  • 9.  RE: OKC/PMKID/Replay Counter related?

    Posted Apr 16, 2014 03:31 PM

    I am seeing a similar issue with stationary devices disconnecting... messages in user-debug are very similar. Was there any resolution? I am planning to open a TAC case but thought I would ask.... Thanks... Randy