Wireless Access

User are getting randomly disconnected and fail to reconnect for 5-10 mins.Below is the log data

 

#show log all | include 00:1a:73:08:35:8e

Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02

what can be the reason ?

 #show log all | include 00:1a:73:08:35:8e

Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02
Mar 21 00:46:17  stm[520]: <501065> <DBUG> |AP NW-L-1-(B) @172.18.11.18 stm|  remove_stale_sta 1748: client 00:1a:73:08:35:8e not in stale hash table
Mar 21 00:46:17  stm[520]: <501093> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth success: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:17  stm[520]: <501095> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc request @ 00:46:17.800077: 00:1a:73:08:35:8e (SN 2351): AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:17  stm[520]: <501101> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc failure: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)  Reason AP is resource constrained
Mar 21 00:46:17  stm[520]: <501109> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth request: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)  auth_alg 0
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  MAC=00:1a:73:08:35:8e Send Station delete message to mobility
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  MAC=00:1a:73:08:35:8e ingress 0x1253 (tunnel 467), u_encr 64, m_encr 4112, slotport 0x1040 , type: remote, FW mode: 1, AP IP: 10.10.10.4
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  MAC=00:1a:73:08:35:8e ingress 0x12cd (tunnel 589), u_encr 64, m_encr 4112, slotport 0x1040 , type: remote, FW mode: 1, AP IP: 172.18.11.18
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  Validate client ip 172.18.11.115 mac 00:1a:73:08:35:8e user 0 apname
Mar 21 00:46:32  authmgr[1585]: <522029> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station authenticate: method=802.1x, role=LNT_Corp_EMP_Role/LNT_Corp_EMP_Role/, VLAN=1/1/0/0/0, Derivation=1/0, Value Pair=0
Mar 21 00:46:32  authmgr[1585]: <522035> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station UP: BSSID=d8:c7:c8:74:42:c1 ESSID=YiFiEA VLAN=1 AP-name=NW-L-1-(B)
Mar 21 00:46:32  authmgr[1585]: <522036> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station DN: BSSID=d8:c7:c8:74:43:61 ESSID=YiFiEA VLAN=1 AP-name=NW-L-1(Conf)-(A)
Mar 21 00:46:32  authmgr[1585]: <522044> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station authenticate(start): method=802.1x, role=logon/LNT_Corp_EMP_Role/, VLAN=1/1/0/0/0, Derivation=1/0, Value Pair=0
Mar 21 00:46:32  authmgr[1585]: <522049> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e,IP=N/A User role updated, existing Role=logon/none, new Role=LNT_Corp_EMP_Role/none, reason=Station Authenticated with auth type: 4
Mar 21 00:46:32  mobileip[1593]: <500010> <NOTI> |mobileip|  Station 00:1a:73:08:35:8e, 0.0.0.0: Mobility trail, on switch 10.13.1.225, VLAN 1, AP NW-L-1-(B) , YiFiEA/d8:c7:c8:74:42:c1/g
Mar 21 00:46:32  mobileip[1593]: <500010> <NOTI> |mobileip|  Station 00:1a:73:08:35:8e, 255.255.255.255: Mobility trail, on switch 10.13.1.225, VLAN 1, AP NW-L-1(Conf)-(A), YiFiEA/d8:c7:c8:74:43:61/g
Mar 21 00:46:32  mobileip[1593]: <500511> <DBUG> |mobileip|  Station 00:1a:73:08:35:8e, 0.0.0.0: Received association on ESSID: YiFiEA Mobility service ON, HA Discovery on Association ON, Fastroaming Disabled, AP: Name NW-L-1-(B)  Group Powai BSSID d8:c7:c8:74:42:c1, phy g, VLAN 1
Mar 21 00:46:32  mobileip[1593]: <500511> <DBUG> |mobileip|  Station 00:1a:73:08:35:8e, 0.0.0.0: Received disassociation on ESSID: YiFiEA Mobility service ON, HA Discovery on Association ON, Fastroaming Disabled, AP: Name NW-L-1(Conf)-(A) Group Powai BSSID d8:c7:c8:74:43:61, phy g, VLAN 1
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  Client 00:1a:73:08:35:8e moved from AP NW-L-1(Conf)-(A) to AP NW-L-1-(B)
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  Sending STA 00:1a:73:08:35:8e message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:1, rsn_cap:8
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  Sending STA 00:1a:73:08:35:8e message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:1, rsn_cap:8
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  send_ageout_sta_ack 8157: Send ageout sta 00:1a:73:08:35:8e ack backto AP (10.10.10.4)
Mar 21 00:46:32  stm[1586]: <501080> <NOTI> |stm|  Deauth to sta: 00:1a:73:08:35:8e: Ageout AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) STA has left and is deauthenticated
Mar 21 00:46:32  stm[1586]: <501095> <NOTI> |stm|  Assoc request @ 00:46:32.305342: 00:1a:73:08:35:8e (SN 2415): AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[1586]: <501100> <NOTI> |stm|  Assoc success @ 00:46:32.312475: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[1586]: <501114> <NOTI> |stm|  Deauth from sta: 00:1a:73:08:35:8e: AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) Reason 255
Mar 21 00:46:32  stm[520]: <501065> <DBUG> |AP NW-L-1-(B) @172.18.11.18 stm|  remove_stale_sta 1748: client 00:1a:73:08:35:8e not in stale hash table
Mar 21 00:46:32  stm[520]: <501093> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth success: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[520]: <501095> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc request @ 00:46:32.268399: 00:1a:73:08:35:8e (SN 2415): AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[520]: <501100> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc success @ 00:46:32.270205: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[520]: <501109> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth request: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)  auth_alg 0
Mar 21 00:46:32  stm[584]: <501000> <DBUG> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Station 00:1a:73:08:35:8e: Clearing state
Mar 21 00:46:32  stm[584]: <501065> <DBUG> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  remove_stale_sta 1758: sta 00:1a:73:08:35:8e is freed and removed from stale_sta_hash_table
Mar 21 00:46:32  stm[584]: <501065> <DBUG> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  store_stale_sta 1664: sta 00:1a:73:08:35:8e saved to stale_sta_hash_table
Mar 21 00:46:32  stm[584]: <501080> <NOTI> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Deauth to sta: 00:1a:73:08:35:8e: Ageout AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) Denied: AP Ageout
Mar 21 00:46:32  stm[584]: <501105> <NOTI> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Deauth from sta: 00:1a:73:08:35:8e: AP10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) Reason STA has left and is deauthenticated
Mar 21 00:46:32  stm[584]: <501106> <NOTI> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Deauth to sta: 00:1a:73:08:35:8e: Ageout AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) handle_sapcp

further logs. need urgent help

Long shot here, but ran into something similar a few months back at a customer.     Can you show the role and policies the users are in once they are connected?

 

show rights <rolename>

 

 

Thanks for the reply, but dont have access to controller now as I am at home. Will provide the necessary information when i reach office tomorrow. Any thing that you can share from your experience related to this issue

 

Sure, it may be completely unrelated and have nothing to do with your situation, but will share just in case.

 

In their case, when the client would initially connect successfully, then during reauthentication (they had changed the reauth interval), it would authenticate, however the client would then try to renew its IP.  This is where the policies came into play.  They had misconfigured a policy on the role such that they client could not renew its IP.   As such the logs showed client disconnects (similar to yours).  Then when the session aged out of the user table (5 mins by default) the client could then authenticate and get an IP (now that they did not have a session in the table with an associated role that was misconfigured).

 

This particular case was somewhat unique, but had the same symptoms.    I didn't want to have you chasing it down unless we were sure it was the same thing.    

 

details as requested :

 

(ESE_Ahme) #show rights LNT_Corp_EMP_Role

Derived Role = 'LNT_Corp_EMP_Role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 71/0
Max Sessions = 65535

access-list List
----------------
Position Name Location
-------- ---- --------
1 LNT_Corp_EMP_Policy

LNT_Corp_EMP_Policy
-------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
------------- ------
1 any any any permit Low
4

Expired Policies (due to time constraints) = 0

Well, doesn't look to be the same problem; figured it was a long shot.

 

Is this something that happens to moe than one user?

Has it been going on long; or did it just start for some reason?

Does it happen in the areas?

 

You can also try the show auth-tracebuf command to try and get more info about a specific user.

 

Your logs had a message of the following.   Does this AP happen to be overloaded in some way?

Reason AP is resource constrained

I have a very similar issue in our environment.  TAC can't figure it out.  I'm wondering if it's client/chipset related.  What wireless chipset is in the clients that are having this issue?

Yes, it happens to more than one user

It has been going for long. Suddenly the user gets disconnected and gets a message Limited or no connectivity.

Yes you can say it happens in a particular area

 

The DHCP pool is also not full.

Are there any consistencies in the clients that get disconnected such as the type of device, model of laptop, etc?

Never took notice of that. Will check.

Were you able to figure out what was causing this?

 

In what type of devices are you seeing this behavior? And what AOS code you have installed? And Type of AP?

 

Does this happens when the user is roaming ?

 

What do you see when you run this command : show auth-tracebuf

 

Can you the gateway from the device experiencing the issue?

I haven't been able to figure out the cause.

The AOS code is 6.1.3.4 and AP model is 93.

The problem is faced by stationary users

 

Thanks

Mahesh Shirke

mahesh_shirke, please open a TAC case if this is still happening.  

 

Alot more information is required to figure out what is happening.

 

 

We experienced different types of issues with AOS 6.1.3.4 when we enabled it in just one building for two weeks using AP135s.

I can't quite remember if we experienced that same issue you are having.

but like cjoseph said you should open a TAC case