Wireless Access

 View Only
  • 1.  AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 01, 2024 01:32 PM

    We migrated our school network from a Mobility Master/AOS 8.x setup, which had worked well for years, to Aruba Central/AOS 10 this summer, and so far, the results have been disastrous. Our 802.1x SSID clients, in particular, are experiencing persistent connection issues. For instance, today, the APs in two classrooms stopped accepting client connection requests and were flooded with 'EAP timeout from clients' error messages. However, when the same clients moved to a different AP, they were able to connect without any issues.

    To illustrate, one of the APs that is functioning properly shows only 128 'EAP timeout' error messages in Central, while another AP, in the adjacent classroom, of the same model (AP-515), shows 13,270 'EAP timeout' error messages !!!!

    What could cause such strange issues ?



  • 2.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 01, 2024 04:51 PM

    What version of AOS 10?  What is your RADIUS server?  Where on the network is the RADIUS server in relation to the AP?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 01, 2024 06:25 PM

    We have AOS 10.7, Radius server is NPS (Windows 2022) and the NPS server is in a different VLAN than the AP. Those vlan are routed through a Cisco 4500X core switch.

    What is strange is that if I reboot the AP the problem goes away and comes back in a few weeks. For example I rebooted those AP around 13:30 today and since the reboot I have 0 "EAP Timeout from client".




  • 4.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 01, 2024 06:40 PM

    I would recommend opening a case with TAC so that they can grab the tech-support and logs to see what is going on.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 01, 2024 06:42 PM

    I fear opening a case with TAC and spending hours on it because I'm not able to reproduce the issue ... 




  • 6.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 01, 2024 09:47 PM

    Case is the only way to get to the bottom of this unfortunately. So many things could be a factor. 

    Aruba TAC can install a script on the AP that will loop commands and grab relevant info (does not require a reboot).

    I suggest doing this and getting the case escalated. 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------



  • 7.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 02, 2024 03:32 AM
    Edited by mkk Oct 02, 2024 03:32 AM

    EAP-Timeouts can have many reasons but the mean reason is that clearpass send couple of radius challanges and the doen't get a radius response from the client. This could also happen when UDP trafiic becomes fragmented. 

    I have a customer with EAP-TLS timeouts that likes to be simular with your issue.

    Setup:

    • Aruba AP-615 firmware 10.6.0.3
    • SSID in Bridge Mode (no gateways)
    • ClearPass EAP-TLS
    • LDAP 636 to on-premise AD
    • WiFi-Design is good

    In my situations i see that a client have eap-timeouts but 5min later can authenticate successfull on same AP. In the access-track logging i see that the authentication is failed due a bad mschap username or authentication inforamtion (0x000006d). MSCHAP response is incorrect. But a couple of timeouts later the same client/ap is authenticated successful.



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 8.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP
    Best Answer

    Posted Oct 02, 2024 04:10 AM
    Edited by Greg_W 17 days ago

    Hi.


    There are several options to catch the events. You can create alarms in Central to notify you when such events occur..

    You can use a script to check in Central if specific event was detected and run it via scheduler for example daily. I wrote a python module that can select APs where specific event is logged in defined timeframe and can run diagnostic commands and save results in log files. You can check it on github link https://github.com/GorazdKikelj/pycentral-log 

    This way you can automate event detection and log collection.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 9.  RE: AOS 10/AP-515: Some AP flooded by "EAP timeout from clients" error message and clients unable to connect to those AP

    Posted Oct 02, 2024 07:36 AM

    Thank you for the suggestion, I was not aware of this Aruba Central feature !