Wireless Access

Regular Contributor I
Posts: 159
Registered: 03-03-2011

wrong replay counter again

During normal operation, I started to see the following errors. The client (iOS 5.1 and Mac OS X) can connect, gets a DHCP address, is online for maybe 30 secs, then is dumped off the wireless. TAC could not answer why this was happening.

We have master-local M3 controllers. If the client connects to an AP on the local, it works fine. Just not on the master. If we reprovision the AP from the master to the local controller, the client is then able to connect.

I have an open SSID with no MAC auth and the client is connected fine. The issue always seems to be with the wpa2-key2.

TAC and I checked all the ACLs etc. and they are correct and match on both the master and local. Any thoughts?

sh auth-tracebuf


Mar 14 09:04:14 station-up * 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - - wpa2 psk aes
Mar 14 09:04:14 station-data-ready * 60:c5:47:4f:c8:f2 00:00:00:00:00:00 172 103
Mar 14 09:04:14 wpa2-key1 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
Mar 14 09:04:14 assg-vlan-req * 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 172 103 assignment for MAC authenticated user
Mar 14 09:04:14 assg-vlan-resp * 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 103
Mar 14 09:04:14 station-data-ready * 60:c5:47:4f:c8:f2 00:00:00:00:00:00 172 103
Mar 14 09:04:14 wpa2-key1 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
Mar 14 09:04:14 wpa2-key2 -> 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117 wrong replay counter
Mar 14 09:04:14 wpa2-key1 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
Mar 14 09:04:14 wpa2-key2 -> 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 117
Mar 14 09:04:14 wpa2-key3 <- 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 151
Mar 14 09:04:14 wpa2-key4 -> 60:c5:47:4f:c8:f2 d8:c7:c8:96:d7:c0 - 95

Regards,

Josh
___________
ACMP, ACCP
Retired Employee
Posts: 234
Registered: 04-19-2011

Re: wrong replay counter again

Have you tried increasing the "timer wpa-key-period" under the dot1x profile?

Following text is from a Knowledge Base article "Answer ID: 450"

(Aruba5000) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba5000) (config) #aaa authentication dot1x test

(Aruba5000) (802.1X Authentication Profile "new") #timer wpa-key-period <time_in_milli_seconds>

Default is 1000 msec.

Range is 10 to 5000 msec.

--
HT
Aruba Employee
Posts: 19
Registered: 04-12-2010

Re: wrong replay counter again

When handling of the first handshake message sent by the controller takes a long time for the supplicant, the controller resends the message with an incremented replay counter. The supplicant here could be replying to the first message in the handshake, and that reply is discarded by the controller as it has already sent a new message. Can you try setting the wpa-key-period to 2 sec in the dot1x profile to see if the same issue is being observed? From the output, you can see key1 being sent twice, and the reply being received could be for the first message sent, causing the wrong replay counter message.
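The mechanism HT describes, as an added example that is not part of the thread and is not Aruba controller code: a small event-driven simulation of the authenticator side of the WPA2 4-way handshake. The authenticator sends EAPOL-Key message 1 with a fresh replay counter, retransmits it with the counter incremented when wpa-key-period expires without a valid message 2, and discards any message 2 whose replay counter does not match the last message 1 it sent. The supplicant is modelled as handling message 1s one at a time, so a slow reply to the first message 1 delays the reply to the retransmitted one and the stale reply arrives first, reproducing the order seen in the posted trace. The supplicant delays, the immediate handling of messages 3 and 4, and the retry limit before deauthentication are all assumptions for illustration, not values taken from the page.

```python
"""Constructed simulation of the WPA2 4-way handshake replay-counter check.

Not Aruba code: models an authenticator (the controller) that retransmits
EAPOL-Key message 1 (M1) with an incremented replay counter when
wpa-key-period expires, and discards any message 2 (M2) whose replay
counter does not match the M1 it last sent.
"""
import heapq
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(order=True)
class Event:
    time_ms: int
    seq: int                                  # tie-breaker: keeps insertion order
    kind: str = field(compare=False)          # "key1-timeout" or "key2"
    replay_counter: int = field(compare=False, default=0)


def run_handshake(wpa_key_period_ms: int,
                  first_reply_ms: int,
                  later_reply_ms: int = 100,
                  max_retries: int = 3) -> Tuple[bool, List[str]]:
    """Return (handshake_succeeded, authenticator-side trace lines).

    first_reply_ms: time the supplicant needs to answer the first M1 (assumed slow).
    later_reply_ms: time it needs for each later M1 (assumed fast).
    max_retries:    hypothetical M1 retransmit limit before the station is
                    deauthenticated; the real controller setting is not on the page.
    """
    events: List[Event] = []
    trace: List[str] = []
    seq = 0
    auth_rc = 0                 # replay counter of the last M1 the authenticator sent
    supplicant_busy_until = 0   # supplicant processes M1s serially
    m1_sent = 0

    def schedule(t: int, kind: str, rc: int) -> None:
        nonlocal seq
        seq += 1
        heapq.heappush(events, Event(t, seq, kind, rc))

    def send_key1(now: int) -> None:
        nonlocal auth_rc, supplicant_busy_until, m1_sent
        auth_rc += 1            # every (re)transmission of M1 gets a new counter
        m1_sent += 1
        trace.append(f"{now:5d}ms wpa2-key1 <- rc={auth_rc}")
        # The supplicant starts on this M1 once it is free; its M2 echoes the
        # replay counter of the M1 it is answering, even if that M1 is stale.
        start = max(now, supplicant_busy_until)
        delay = first_reply_ms if m1_sent == 1 else later_reply_ms
        supplicant_busy_until = start + delay
        schedule(supplicant_busy_until, "key2", auth_rc)
        # Authenticator arms the wpa-key-period retransmit timer for this M1.
        schedule(now + wpa_key_period_ms, "key1-timeout", auth_rc)

    send_key1(0)
    while events:
        ev = heapq.heappop(events)
        if ev.kind == "key1-timeout":
            if ev.replay_counter != auth_rc:
                continue        # timer of an M1 that has already been superseded
            if m1_sent - 1 >= max_retries:
                trace.append(f"{ev.time_ms:5d}ms station deauth (M1 retry limit)")
                return False, trace
            send_key1(ev.time_ms)
        elif ev.kind == "key2":
            if ev.replay_counter != auth_rc:
                # M2 answers an older M1: discarded, exactly the posted log line.
                trace.append(f"{ev.time_ms:5d}ms wpa2-key2 -> rc={ev.replay_counter} "
                             "wrong replay counter")
                continue
            trace.append(f"{ev.time_ms:5d}ms wpa2-key2 -> rc={ev.replay_counter}")
            # Valid M2: M3/M4 are modelled as completing immediately.
            trace.append(f"{ev.time_ms:5d}ms wpa2-key3 <- rc={auth_rc + 1}")
            trace.append(f"{ev.time_ms:5d}ms wpa2-key4 -> rc={auth_rc + 1}")
            return True, trace
    return False, trace


def wrong_counter_events(trace: List[str]) -> int:
    """Count discarded M2s, i.e. 'wrong replay counter' lines in the trace."""
    return sum("wrong replay counter" in line for line in trace)


if __name__ == "__main__":
    # Default 1000 ms timer versus the 2 s value suggested in the thread,
    # with a supplicant that takes 1.5 s to answer the first M1.
    for period in (1000, 2000):
        ok, lines = run_handshake(period, first_reply_ms=1500)
        print(f"wpa-key-period={period}ms -> success={ok}")
        for line in lines:
            print("   ", line)
```

With the 1000 ms default and a 1.5 s first reply, the run shows key1 sent twice, the stale key2 discarded with "wrong replay counter", and the second key2 accepted; with a 2000 ms timer the first reply lands before the retransmit timer fires and no retransmission or discard occurs. A supplicant that stays slow for longer than the retry budget ends in a deauthentication instead, which is the "online for 30 secs, then dumped" symptom one would look for if raising the timer alone does not help.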
