Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Weird client deauth on an open split-tunnel network

  • 1.  Weird client deauth on an open split-tunnel network

    Posted May 03, 2019 09:32 AM

    Hello community!

    We are having a weird issue with an "open" (no auth/ encrypt) network in split-tunnel mode.

     

    Basically, clients get deauthenticated randomly and sometimes the same client could be connecting and getting deauth continuously for like almost an hour.

     

    Our infrastructure consists of a 7210 (AOS 8.4.0.1) and a bunch of 365 RAPs.

    There are 3 RAPs per remote site and we have reports of all sites having the same issue.

    The role for users is simple:

    • DHCP to the controller
    • Everything else route src-nat

     

    This is the trail-info for one of the clients getting deauth. (it's always the same message "Denied; Ageout")

    putty_2019-05-03_09-48-48.png

     

    Enabled user-debug for some clients and this is the result after some disconnections (logs attached below).

    Pay special attention to the "age 1000 deauth_reason 31" lines because they appear every time we got a disconnection.

    We even changed that "age 1000" timeout value from the ssid to 3600 but the disconnections continued. Only this time the logs show "age 3600" instead of "1000".

     


    Some things we tried so far:

    • If we go with tunnel mode the issue can't be reproduced (it seems that it only happens with split-tunnel)
    • Lab with a 7005 controller (factory default) and got the same behavior.
    • Upgrade to 8.4.0.2 (problem persists)
    • Downgrade to 8.3.0.6 and 8.2.2.5 (problem persists)
    • Used a 205 RAP instead of the 365 (problem persists)
    • Keeping just one RAP per site to mitigate "roaming problems"  (problem persists)
    • Disabled Client match (problem persists)
    • Tuned up and down Tx power (problem persists)
    • Created from scratch the AP group, ssid and profiles (problem persists)

    We are getting pretty much out of things to try :(

    Any help would be much appreciated.

    Thanks in advance!




  • 2.  RE: Weird client deauth on an open split-tunnel network
    Best Answer

    Posted Oct 07, 2019 07:35 AM

    So, after multiple remote sessions with the TAC we finally got our solution for this problem.

     

    It was indeed some "bug" in the controller. 

    Bug ID is: AOS-187171

     

    chrome_2019-10-07_08-27-02.png

    TAC said the patch would be released with 8.3.0.6 but it was actually added on 8.3.0.8.

    TAC also said they'll add this to newer releases but I don't know when that will be available. 

     

    After downgrading the controller to the mentioned version all was good, no random disconnections were reported.

     

    Hope this helps someone with the same symptom :D