Wireless Access

 View Only
last person joined: 3 days ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

This thread has been viewed 37 times
  • 1.  AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted 6 days ago

    We migrated our school network from a Mobility Master/AOS 8.x setup, which had worked well for years, to Aruba Central/AOS 10 this summer, and so far, the results have been disastrous. Our 802.1x SSID clients, in particular, are experiencing persistent connection issues. For instance, today, the APs in two classrooms stopped accepting client connection requests and were flooded with 'EAP timeout from clients' error messages. However, when the same clients moved to a different AP, they were able to connect without any issues.

    To illustrate, one of the APs that is functioning properly shows only 128 'EAP timeout' error messages in Central, while another AP, in the adjacent classroom, of the same model (AP-515), shows 13,270 'EAP timeout' error messages !!!!

    What could cause such strange issues ?



  • 2.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    EMPLOYEE
    Posted 6 days ago

    What version of AOS 10?  What is your RADIUS server?  Where on the network is the RADIUS server in relation to the AP?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted 6 days ago

    We have AOS 10.7, Radius server is NPS (Windows 2022) and the NPS server is in a different VLAN than the AP. Those vlan are routed through a Cisco 4500X core switch.

    What is strange is that if I reboot the AP the problem goes away and comes back in a few weeks. For example I rebooted those AP around 13:30 today and since the reboot I have 0 "EAP Timeout from client".




  • 4.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    EMPLOYEE
    Posted 6 days ago

    I would recommend opening a case with TAC so that they can grab the tech-support and logs to see what is going on.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted 6 days ago

    I fear opening a case with TAC and spending hours on it because I'm not able to reproduce the issue ... 




  • 6.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted 6 days ago

    Case is the only way to get to the bottom of this unfortunately. So many things could be a factor. 

    Aruba TAC can install a script on the AP that will loop commands and grab relevant info (does not require a reboot).

    I suggest doing this and getting the case escalated. 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------



  • 7.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    MVP EXPERT
    Posted 5 days ago

    EAP-Timeouts can have many reasons but the mean reason is that clearpass send couple of radius challanges and the doen't get a radius response from the client. This could also happen when UDP trafiic becomes fragmented. 

    I have a customer with EAP-TLS timeouts that likes to be simular with your issue.

    Setup:

    • Aruba AP-615 firmware 10.6.0.3
    • SSID in Bridge Mode (no gateways)
    • ClearPass EAP-TLS
    • LDAP 636 to on-premise AD
    • WiFi-Design is good

    In my situations i see that a client have eap-timeouts but 5min later can authenticate successfull on same AP. In the access-track logging i see that the authentication is failed due a bad mschap username or authentication inforamtion (0x000006d). MSCHAP response is incorrect. But a couple of timeouts later the same client/ap is authenticated successful.



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 8.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted 5 days ago

    Hi.


    There are several options to catch the events. You can create alarms in Central to notify you when such events occur..

    You can use a script to check in Central if specific event was detected and run it via scheduler for example daily. I wrote a python module that can select APs where specific event is logged in defined timeframe and can run diagnostic commands and save results in log files. You can check it on github link https://github.com/GorazdKikelj/pycentral-log 

    This way you can automate event detection and log collection.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 9.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted 5 days ago

    Thank you for the suggestion, I was not aware of this Aruba Central feature !