Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

wrong replay counter again

  • 1.  wrong replay counter again

    Posted Mar 14, 2012 10:20 AM

    During normal operation, I started to see the following errors. The client (iOS 5.1 and Mac OS X) can connect, gets a DHCP address, is online for maybe 30 secs, then is dumped off the wireless. TAC could not answer why this was happening.

    We have master-local M3 controllers. If the client connects to an AP on the local, it works fine. Just not on the master. If we reprovision the AP from the master to the local controller, the client is then able to connect.

    I have an open SSID with no MAC auth and the client is connected fine. The issue always seems to be with the wpa2-key2.

    TAC and I checked all the ACLs etc. and they are correct and match on both the master and local. Any thoughts?

    sh auth-tracebuf

    Mar 14 09:04:14 station-up * 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - - wpa2 psk aes
    Mar 14 09:04:14 station-data-ready * 60:c5:47:4f:c8:f2 00:00:00:00:00:00 172 103
    Mar 14 09:04:14 wpa2-key1 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
    Mar 14 09:04:14 assg-vlan-req * 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 172 103 assignment for MAC authenticated user
    Mar 14 09:04:14 assg-vlan-resp * 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 103
    Mar 14 09:04:14 station-data-ready * 60:c5:47:4f:c8:f2 00:00:00:00:00:00 172 103
    Mar 14 09:04:14 wpa2-key1 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
    Mar 14 09:04:14 wpa2-key2 -> 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117 wrong replay counter
    Mar 14 09:04:14 wpa2-key1 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
    Mar 14 09:04:14 wpa2-key2 -> 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
    Mar 14 09:04:14 wpa2-key3 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 151
    Mar 14 09:04:14 wpa2-key4 -> 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 95


    #AP103


  • 2.  RE: wrong replay counter again

    Posted Mar 14, 2012 10:41 AM

    Have you tried increasing the "timer wpa-key-period" under the dot1x profile?

    The following text is from Knowledge Base article "Answer ID: 450":

    (Aruba5000) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z

    (Aruba5000) (config) #aaa authentication dot1x test

    (Aruba5000) (802.1X Authentication Profile "new") #timer wpa-key-period <time_in_milli_seconds>

    Default is 1000 msec.

    Range is 10 to 5000 msec.



  • 3.  RE: wrong replay counter again

    Posted Mar 14, 2012 11:24 AM

    When the supplicant takes a long time to handle the first handshake message sent by the controller, the controller resends the message with an incremented replay counter. The supplicant here could be replying to the first message in the handshake, and that reply is discarded by the controller because it has already sent a new message. Can you try setting the wpa-key-period to 2 sec in the dot1x profile to see if the same issue is still observed? From the output, you can see key1 being sent twice, and the reply being received could be for the first message sent, causing the "wrong replay counter" message.
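The mechanism described in the two replies above (a retransmitted message 1 with a fresh Key Replay Counter, a late reply to the superseded copy being discarded, and a longer wpa-key-period avoiding the mismatch) can be reproduced on a simulated clock. The following is an added example written for this page; it is not Aruba code and not from the thread. The retry limit of three transmissions, the per-message supplicant delays, and the trace field layout are assumptions chosen to reproduce the key1/key1/key2 pattern in the auth-tracebuf above. It does not model why the client is dropped after 30 seconds, only the replay-counter check during the handshake.

```python
"""Simulated EAPOL-Key replay-counter handling for a WPA2 4-way handshake.

Added example, not Aruba code. Models only the authenticator behaviour the
replies above describe: each message 1/3 the controller sends carries a fresh
Key Replay Counter, an unanswered message is resent after wpa-key-period with
the counter incremented, and a reply whose counter is not the current one is
discarded. Nonces, MICs and key derivation are left out. Retry limit and
supplicant delays are assumptions, not measured values.
"""
import heapq
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (time_ms, event, replay_counter, note), loosely in 'show auth-tracebuf' style
TraceEntry = Tuple[int, str, int, str]


@dataclass
class EapolKey:
    msg: int             # position in the 4-way handshake, 1..4
    replay_counter: int  # Key Replay Counter field of the frame


@dataclass
class Authenticator:
    wpa_key_period_ms: int
    max_tries: int = 3                    # assumed: transmissions before giving up
    replay_counter: int = 0
    pending: Optional[EapolKey] = None    # message 1 or 3 awaiting its reply
    trace: List[TraceEntry] = field(default_factory=list)

    def send(self, msg: int, now: int) -> EapolKey:
        self.replay_counter += 1          # every (re)transmission gets a new counter
        self.pending = EapolKey(msg, self.replay_counter)
        self.trace.append((now, f"wpa2-key{msg} <-", self.replay_counter, ""))
        return self.pending

    def receive(self, reply: EapolKey, now: int) -> bool:
        # A reply must echo the counter of the message currently outstanding;
        # a late answer to a superseded copy fails this check and is dropped.
        ok = self.pending is not None and reply.replay_counter == self.pending.replay_counter
        self.trace.append((now, f"wpa2-key{reply.msg} ->", reply.replay_counter,
                           "" if ok else "wrong replay counter"))
        return ok


def run_handshake(wpa_key_period_ms: int, supplicant_delays_ms: List[int],
                  max_tries: int = 3) -> Tuple[bool, List[TraceEntry]]:
    """Drive one handshake on a simulated clock. supplicant_delays_ms[i] is how
    long the client takes to answer the i-th EAPOL-Key frame it receives (the
    last value is reused once the list is exhausted). No frames are lost.
    Returns (completed, trace)."""
    auth = Authenticator(wpa_key_period_ms, max_tries)
    events: list = []                     # heap of (time, seq, kind, payload)
    seq = 0
    frames_delivered = 0

    def schedule(t: int, kind: str, payload) -> None:
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, payload))
        seq += 1

    def transmit(msg: int, now: int, attempt: int) -> None:
        nonlocal frames_delivered
        frame = auth.send(msg, now)
        # The supplicant answers every copy it receives, echoing that copy's counter.
        idx = min(frames_delivered, len(supplicant_delays_ms) - 1)
        frames_delivered += 1
        schedule(now + supplicant_delays_ms[idx], "reply",
                 EapolKey(msg + 1, frame.replay_counter))
        schedule(now + wpa_key_period_ms, "timeout", (frame, attempt))

    transmit(1, 0, 1)
    completed = False
    while events:
        now, _, kind, payload = heapq.heappop(events)
        if kind == "reply":
            if auth.pending is None:      # handshake already finished or aborted
                continue
            if auth.receive(payload, now):
                if payload.msg == 2:
                    transmit(3, now, 1)   # message 2 accepted: send message 3
                else:
                    auth.pending = None   # message 4 accepted: PTK installed
                    completed = True
        else:                             # wpa-key-period timer fired
            frame, attempt = payload
            if auth.pending is not frame: # answered or superseded meanwhile
                continue
            if attempt >= max_tries:
                auth.pending = None
                auth.trace.append((now, "station-down", 0, "handshake timeout"))
            else:
                transmit(frame.msg, now, attempt + 1)
    return completed, auth.trace


def wrong_replay_count(trace: List[TraceEntry]) -> int:
    return sum(1 for entry in trace if entry[3] == "wrong replay counter")


def format_trace(trace: List[TraceEntry]) -> List[str]:
    return [f"{t:6d} ms  {ev:14s} rc={rc:<3d} {note}".rstrip() for t, ev, rc, note in trace]


if __name__ == "__main__":
    # Constructed timings: the client's first answer takes 1200 ms, later ones are fast.
    for period in (1000, 2000):
        done, trace = run_handshake(period, [1200, 300, 50])
        print(f"wpa-key-period {period} ms: completed={done}, "
              f"wrong replay counter x{wrong_replay_count(trace)}")
        print("\n".join(format_trace(trace)))
```

With the default 1000 ms period and a first reply that takes 1200 ms, the simulated trace shows key1 twice, then a key2 with the old counter flagged "wrong replay counter", then the accepted key2/key3/key4, which is the shape of the controller's output in the first post. With the period raised to 2000 ms the same slow client completes in four messages with no mismatch. The caveat a practitioner should keep in mind is that raising the timer only helps when the supplicant's answer is merely late; a client that never answers within any of the allowed tries still ends in a handshake timeout, which the third run in the test below shows.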