Wireless Access

Reply
Contributor I
Posts: 67
Registered: ‎10-17-2012

Troubleshooting disconnection

User are getting randomly disconnected and fail to reconnect for 5-10 mins.Below is the log data

 

#show log all | include 00:1a:73:08:35:8e

Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02

what can be the reason ?

Contributor I
Posts: 67
Registered: ‎10-17-2012

Re: Troubleshooting disconnection

 #show log all | include 00:1a:73:08:35:8e

Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1 doing 802.1x
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:19:40  authmgr[1585]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station LTEAGLOBAL\20012676 00:1a:73:08:35:8e d8:c7:c8:74:44:a1, deauthenticating the station
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 21:23:03  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:44:a1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:54:56  authmgr[1585]: <132223> <ERRS> |authmgr|  EAP-ID mismatched 2:1 for station 00:1a:73:08:35:8e d8:c7:c8:74:42:c1
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02
Mar 20 22:56:19  stm[520]: <132093> <ERRS> |AP NW-L-1-(B) @172.18.11.18 stm|  WPA2 Key message 2 from Station 00:1a:73:08:35:8e d8:c7:c8:74:42:c2 NW-L-1-(B)  did not match the replay counter 01 vs 02
Mar 21 00:46:17  stm[520]: <501065> <DBUG> |AP NW-L-1-(B) @172.18.11.18 stm|  remove_stale_sta 1748: client 00:1a:73:08:35:8e not in stale hash table
Mar 21 00:46:17  stm[520]: <501093> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth success: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:17  stm[520]: <501095> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc request @ 00:46:17.800077: 00:1a:73:08:35:8e (SN 2351): AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:17  stm[520]: <501101> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc failure: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)  Reason AP is resource constrained
Mar 21 00:46:17  stm[520]: <501109> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth request: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)  auth_alg 0
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  MAC=00:1a:73:08:35:8e Send Station delete message to mobility
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  MAC=00:1a:73:08:35:8e ingress 0x1253 (tunnel 467), u_encr 64, m_encr 4112, slotport 0x1040 , type: remote, FW mode: 1, AP IP: 10.10.10.4
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  MAC=00:1a:73:08:35:8e ingress 0x12cd (tunnel 589), u_encr 64, m_encr 4112, slotport 0x1040 , type: remote, FW mode: 1, AP IP: 172.18.11.18
Mar 21 00:46:32  authmgr[1585]: <522004> <DBUG> |authmgr|  Validate client ip 172.18.11.115 mac 00:1a:73:08:35:8e user 0 apname
Mar 21 00:46:32  authmgr[1585]: <522029> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station authenticate: method=802.1x, role=LNT_Corp_EMP_Role/LNT_Corp_EMP_Role/, VLAN=1/1/0/0/0, Derivation=1/0, Value Pair=0
Mar 21 00:46:32  authmgr[1585]: <522035> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station UP: BSSID=d8:c7:c8:74:42:c1 ESSID=YiFiEA VLAN=1 AP-name=NW-L-1-(B)
Mar 21 00:46:32  authmgr[1585]: <522036> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station DN: BSSID=d8:c7:c8:74:43:61 ESSID=YiFiEA VLAN=1 AP-name=NW-L-1(Conf)-(A)
Mar 21 00:46:32  authmgr[1585]: <522044> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e Station authenticate(start): method=802.1x, role=logon/LNT_Corp_EMP_Role/, VLAN=1/1/0/0/0, Derivation=1/0, Value Pair=0
Mar 21 00:46:32  authmgr[1585]: <522049> <INFO> |authmgr|  MAC=00:1a:73:08:35:8e,IP=N/A User role updated, existing Role=logon/none, new Role=LNT_Corp_EMP_Role/none, reason=Station Authenticated with auth type: 4
Mar 21 00:46:32  mobileip[1593]: <500010> <NOTI> |mobileip|  Station 00:1a:73:08:35:8e, 0.0.0.0: Mobility trail, on switch 10.13.1.225, VLAN 1, AP NW-L-1-(B) , YiFiEA/d8:c7:c8:74:42:c1/g
Mar 21 00:46:32  mobileip[1593]: <500010> <NOTI> |mobileip|  Station 00:1a:73:08:35:8e, 255.255.255.255: Mobility trail, on switch 10.13.1.225, VLAN 1, AP NW-L-1(Conf)-(A), YiFiEA/d8:c7:c8:74:43:61/g
Mar 21 00:46:32  mobileip[1593]: <500511> <DBUG> |mobileip|  Station 00:1a:73:08:35:8e, 0.0.0.0: Received association on ESSID: YiFiEA Mobility service ON, HA Discovery on Association ON, Fastroaming Disabled, AP: Name NW-L-1-(B)  Group Powai BSSID d8:c7:c8:74:42:c1, phy g, VLAN 1
Mar 21 00:46:32  mobileip[1593]: <500511> <DBUG> |mobileip|  Station 00:1a:73:08:35:8e, 0.0.0.0: Received disassociation on ESSID: YiFiEA Mobility service ON, HA Discovery on Association ON, Fastroaming Disabled, AP: Name NW-L-1(Conf)-(A) Group Powai BSSID d8:c7:c8:74:43:61, phy g, VLAN 1
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  Client 00:1a:73:08:35:8e moved from AP NW-L-1(Conf)-(A) to AP NW-L-1-(B)
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  Sending STA 00:1a:73:08:35:8e message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:1, rsn_cap:8
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  Sending STA 00:1a:73:08:35:8e message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:1, rsn_cap:8
Mar 21 00:46:32  stm[1586]: <501065> <DBUG> |stm|  send_ageout_sta_ack 8157: Send ageout sta 00:1a:73:08:35:8e ack backto AP (10.10.10.4)
Mar 21 00:46:32  stm[1586]: <501080> <NOTI> |stm|  Deauth to sta: 00:1a:73:08:35:8e: Ageout AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) STA has left and is deauthenticated
Mar 21 00:46:32  stm[1586]: <501095> <NOTI> |stm|  Assoc request @ 00:46:32.305342: 00:1a:73:08:35:8e (SN 2415): AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[1586]: <501100> <NOTI> |stm|  Assoc success @ 00:46:32.312475: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[1586]: <501114> <NOTI> |stm|  Deauth from sta: 00:1a:73:08:35:8e: AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) Reason 255
Mar 21 00:46:32  stm[520]: <501065> <DBUG> |AP NW-L-1-(B) @172.18.11.18 stm|  remove_stale_sta 1748: client 00:1a:73:08:35:8e not in stale hash table
Mar 21 00:46:32  stm[520]: <501093> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth success: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[520]: <501095> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc request @ 00:46:32.268399: 00:1a:73:08:35:8e (SN 2415): AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[520]: <501100> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Assoc success @ 00:46:32.270205: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)
Mar 21 00:46:32  stm[520]: <501109> <NOTI> |AP NW-L-1-(B) @172.18.11.18 stm|  Auth request: 00:1a:73:08:35:8e: AP 172.18.11.18-d8:c7:c8:74:42:c1-NW-L-1-(B)  auth_alg 0
Mar 21 00:46:32  stm[584]: <501000> <DBUG> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Station 00:1a:73:08:35:8e: Clearing state
Mar 21 00:46:32  stm[584]: <501065> <DBUG> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  remove_stale_sta 1758: sta 00:1a:73:08:35:8e is freed and removed from stale_sta_hash_table
Mar 21 00:46:32  stm[584]: <501065> <DBUG> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  store_stale_sta 1664: sta 00:1a:73:08:35:8e saved to stale_sta_hash_table
Mar 21 00:46:32  stm[584]: <501080> <NOTI> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Deauth to sta: 00:1a:73:08:35:8e: Ageout AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) Denied: AP Ageout
Mar 21 00:46:32  stm[584]: <501105> <NOTI> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Deauth from sta: 00:1a:73:08:35:8e: AP10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) Reason STA has left and is deauthenticated
Mar 21 00:46:32  stm[584]: <501106> <NOTI> |AP NW-L-1(Conf)-(A)@10.10.10.4 stm|  Deauth to sta: 00:1a:73:08:35:8e: Ageout AP 10.10.10.4-d8:c7:c8:74:43:61-NW-L-1(Conf)-(A) handle_sapcp

further logs. need urgent help

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Troubleshooting disconnection

Long shot here, but ran into something similar a few months back at a customer.     Can you show the role and policies the users are in once they are connected?

 

show rights <rolename>

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 67
Registered: ‎10-17-2012

Re: Troubleshooting disconnection

Thanks for the reply, but dont have access to controller now as I am at home. Will provide the necessary information when i reach office tomorrow. Any thing that you can share from your experience related to this issue

 

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Troubleshooting disconnection

Sure, it may be completely unrelated and have nothing to do with your situation, but will share just in case.

 

In their case, when the client would initially connect successfully, then during reauthentication (they had changed the reauth interval), it would authenticate, however the client would then try to renew its IP.  This is where the policies came into play.  They had misconfigured a policy on the role such that they client could not renew its IP.   As such the logs showed client disconnects (similar to yours).  Then when the session aged out of the user table (5 mins by default) the client could then authenticate and get an IP (now that they did not have a session in the table with an associated role that was misconfigured).

 

This particular case was somewhat unique, but had the same symptoms.    I didn't want to have you chasing it down unless we were sure it was the same thing.    

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 67
Registered: ‎10-17-2012

Re: Troubleshooting disconnection

details as requested :

 

(ESE_Ahme) #show rights LNT_Corp_EMP_Role

Derived Role = 'LNT_Corp_EMP_Role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 71/0
Max Sessions = 65535


access-list List
----------------
Position Name Location
-------- ---- --------
1 LNT_Corp_EMP_Policy

LNT_Corp_EMP_Policy
-------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
------------- ------
1 any any any permit Low
4

Expired Policies (due to time constraints) = 0

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Troubleshooting disconnection

[ Edited ]

Well, doesn't look to be the same problem; figured it was a long shot.

 

Is this something that happens to moe than one user?

Has it been going on long; or did it just start for some reason?

Does it happen in the areas?

 

You can also try the show auth-tracebuf command to try and get more info about a specific user.

 

Your logs had a message of the following.   Does this AP happen to be overloaded in some way?

Reason AP is resource constrained
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Troubleshooting disconnection

I have a very similar issue in our environment.  TAC can't figure it out.  I'm wondering if it's client/chipset related.  What wireless chipset is in the clients that are having this issue?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Contributor I
Posts: 67
Registered: ‎10-17-2012

Re: Troubleshooting disconnection

Yes, it happens to more than one user

It has been going for long. Suddenly the user gets disconnected and gets a message Limited or no connectivity.

Yes you can say it happens in a particular area

 

Contributor I
Posts: 67
Registered: ‎10-17-2012

Re: Troubleshooting disconnection

The DHCP pool is also not full.

Search Airheads
Showing results for 
Search instead for 
Did you mean: