Wireless Access


Lots of client roaming error events in Central

  • 1.  Lots of client roaming error events in Central

    Posted Aug 05, 2024 09:17 AM
    Edited by Keyser Aug 05, 2024 09:36 AM

    Hi

    We're running AOS 10.6.0.2 Central-managed on AP-635's with 7205 WLAN gateways for clients, and things seem to be working except for roaming, which is very sluggish.

    We have a TON of client roaming error events in Central like these:

    - Onboarding failed for client xx:xx:xx:xx:xx:xx in Authentication/Association phase to BSSID yy:yy:yy:yy:yy:yy on channel 6 of AP hostname AP231. Reason: Pairwise master key (PMK-R0) key holder (R0KH) unreachable

     - Onboarding failed for client xx:xx:xx:xx:xx:xx in Authentication/Association phase to BSSID yy:yy:yy:yy:yy:yy on channel 6 of AP hostname AP444. Reason: Invalid fast transition element (FTE)

    - Onboarding failed for client xx:xx:xx:xx:xx:xx in Authentication/Association phase to BSSID yy:yy:yy:yy:yy:yy on channel 128- of AP hostname AP737. Reason: Association request rejected temporarily; try again later

    - Onboarding failed for client xx:xx:xx:xx:xx:xx in Authentication/Association phase to BSSID yy:yy:yy:yy:yy:yy on channel 128- of AP hostname AP208. Reason: Invalid pairwise master key identifier (PMKID)

    - Onboarding failed for client xx:xx:xx:xx:xx:xx in Deauthentication/Disassociation phase to BSSID yy:yy:yy:yy:yy:yy on channel 11 of AP hostname AP120. Reason: AP is resource constrained

    We have enabled OKC and 802.11r & k on the WPA3-Enterprise CCM-128 SSID with WPA3 Transition Enabled

    Is AOS10 still not mature for general production or is there some possible misconfiguration that can cause these thousands and thousands of errors a day (for about 300 clients)?



  • 2.  RE: Lots of client roaming error events in Central

    Posted Aug 05, 2024 09:51 AM

    How many clients per AP? What is max clients set to in the SSID profile? 




  • 3.  RE: Lots of client roaming error events in Central

    Posted Aug 05, 2024 09:57 AM
    Edited by Keyser Aug 05, 2024 10:12 AM

    Client limit is 128 in the SSID profile but there is only between 2 - 8 connected clients/AP in general - including the AP's where these errors are being logged. 

    EDIT: Maybe I should mention especially the "AP is resource constrained" error comes in almost "storms". I can have one client perhaps being responsible for 200 of these loops of entries (two loops shown below) within 10 min on an access point. A small example of a pattern that can happen hundreds of times within minutes:

    Aug 05, 2024, 14:40:15:627,"API120-001","AP","Client 802.11 De-authentication from Client","De-authentication sent from client xx:xx:xx:xx:93:12 to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 Reason: AP is resource constrained"
    Aug 05, 2024, 14:40:15:619,"API120-001","AP","Client PMK/OKC Key Add","Operation ADD for key cache entry with sequence number 54321 and TTL 28800 seconds"
    Aug 05, 2024, 14:40:15:603,"API120-001","AP","Client Radius Accounting Start","Radius Accounting start initiated from client xx:xx:xx:xx:93:12  associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 to Radius Server 10.1.100.102"
    Aug 05, 2024, 14:40:15:602,"API120-001","AP","Client Role Assigned","Role IBC WiFi assigned to client xx:xx:xx:xx:93:12 associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:602,"API120-001","AP","Client Roaming","Roam probe sent by API120-001 for Client xx:xx:xx:xx:93:12"
    Aug 05, 2024, 14:40:15:601,"API120-001","AP","Client 802.1x Radius Accept","802.1x Radius Accept received from Server 10.1.100.102 for client xx:xx:xx:xx:93:12 associated to BSSID MAC xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 "
    Aug 05, 2024, 14:40:15:601,"API120-001","AP","Client EAP Success","EAP success to client xx:xx:xx:xx:93:12 associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:306,"API120-001","AP","Client 802.11 Association Success","802.11 Association success to client xx:xx:xx:xx:93:12 from BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:305,"API120-001","AP","Client 802.11R Association Request","802.11r Association request from client xx:xx:xx:xx:93:12 to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:290,"API120-001","AP","Client 802.11 Authentication Success","802.11 Authentication success to client xx:xx:xx:xx:93:12 from BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:289,"API120-001","AP","Client 802.11 Authentication Request","802.11 Authentication request from client xx:xx:xx:xx:93:12 to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:039,"API120-001","AP","Client Radius Accounting Stop","Radius Accounting stop initiated from client xx:xx:xx:xx:93:12 associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 to Radius Server 10.1.100.102"
    Aug 05, 2024, 14:40:15:038,"API120-001","AP","Client Onboarding Event","Client Onboarding Event"
    Aug 05, 2024, 14:40:15:037,"API120-001","AP","Client 802.11 De-authentication from Client","De-authentication sent from client xx:xx:xx:xx:93:12 to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 Reason: AP is resource constrained"
    Aug 05, 2024, 14:40:15:028,"API120-001","AP","Client PMK/OKC Key Add","Operation ADD for key cache entry with sequence number 54319 and TTL 28800 seconds"
    Aug 05, 2024, 14:40:15:021,"API120-001","AP","Client Radius Accounting Start","Radius Accounting start initiated from client xx:xx:xx:xx:93:12  associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 to Radius Server 10.1.100.102"
    Aug 05, 2024, 14:40:15:020,"API120-001","AP","Client Roaming","Roam probe sent by API120-001 for Client xx:xx:xx:xx:93:12"
    Aug 05, 2024, 14:40:15:019,"API120-001","AP","Client EAP Success","EAP success to client xx:xx:xx:xx:93:12 associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:019,"API120-001","AP","Client Role Assigned","Role IBC WiFi assigned to client xx:xx:xx:xx:93:12 associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:15:018,"API120-001","AP","Client 802.1x Radius Accept","802.1x Radius Accept received from Server 10.1.100.102 for client xx:xx:xx:xx:93:12 associated to BSSID MAC xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 "
    Aug 05, 2024, 14:40:14:748,"API120-001","AP","Client 802.11 Association Success","802.11 Association success to client xx:xx:xx:xx:93:12 from BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:14:747,"API120-001","AP","Client 802.11R Association Request","802.11r Association request from client xx:xx:xx:xx:93:12 to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:14:729,"API120-001","AP","Client 802.11 Authentication Success","802.11 Authentication success to client xx:xx:xx:xx:93:12 from BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:14:728,"API120-001","AP","Client 802.11 Authentication Request","802.11 Authentication request from client xx:xx:xx:xx:93:12 to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001"
    Aug 05, 2024, 14:40:14:491,"API120-001","AP","Client Radius Accounting Stop","Radius Accounting stop initiated from client xx:xx:xx:xx:93:12 associated to BSSID xx:xx:xx:xx:9e:f2 on channel 11 of AP hostname API120-001 to Radius Server 10.1.100.102"
    Aug 05, 2024, 14:40:14:490,"API120-001","AP","Client Onboarding Event","Client Onboarding Event"
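The loop pattern in the export above can be counted automatically. The following is an added example, not code from any poster or from Aruba: it parses event lines in the same layout and flags any client that repeatedly sends the "AP is resource constrained" de-authentication to one AP, reporting how quickly each de-auth follows the RADIUS accept. The sample lines, MAC addresses, AP name, window and threshold are constructed assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Timestamp layout used in the export above: "Aug 05, 2024, 14:40:15:627"
TS_FORMAT = "%b %d, %Y, %H:%M:%S:%f"
# Accept redacted MACs ("xx") as well as real hex digits.
MAC_RE = re.compile(r"client ((?:[0-9a-fx]{2}:){5}[0-9a-fx]{2})", re.I)
REASON_RE = re.compile(r"Reason: (.+?)\s*$")

# Constructed sample in the same layout (newest first, like the export).
SAMPLE = '''
Aug 05, 2024, 09:00:05:000,"AP-EXAMPLE-1","AP","Client 802.11 De-authentication from Client","De-authentication sent from client 02:00:00:00:aa:01 to BSSID 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1 Reason: AP is resource constrained"
Aug 05, 2024, 09:00:01:640,"AP-EXAMPLE-1","AP","Client 802.11 De-authentication from Client","De-authentication sent from client 02:00:00:00:93:12 to BSSID 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1 Reason: AP is resource constrained"
Aug 05, 2024, 09:00:01:600,"AP-EXAMPLE-1","AP","Client 802.1x Radius Accept","802.1x Radius Accept received from Server 192.0.2.10 for client 02:00:00:00:93:12 associated to BSSID MAC 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1 "
Aug 05, 2024, 09:00:01:025,"AP-EXAMPLE-1","AP","Client 802.11 De-authentication from Client","De-authentication sent from client 02:00:00:00:93:12 to BSSID 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1 Reason: AP is resource constrained"
Aug 05, 2024, 09:00:01:000,"AP-EXAMPLE-1","AP","Client 802.1x Radius Accept","802.1x Radius Accept received from Server 192.0.2.10 for client 02:00:00:00:93:12 associated to BSSID MAC 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1 "
Aug 05, 2024, 09:00:00:430,"AP-EXAMPLE-1","AP","Client 802.11 De-authentication from Client","De-authentication sent from client 02:00:00:00:93:12 to BSSID 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1 Reason: AP is resource constrained"
Aug 05, 2024, 09:00:00:420,"AP-EXAMPLE-1","AP","Client PMK/OKC Key Add","Operation ADD for key cache entry with sequence number 1 and TTL 28800 seconds"
Aug 05, 2024, 09:00:00:400,"AP-EXAMPLE-1","AP","Client 802.1x Radius Accept","802.1x Radius Accept received from Server 192.0.2.10 for client 02:00:00:00:93:12 associated to BSSID MAC 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1 "
Aug 05, 2024, 09:00:00:120,"AP-EXAMPLE-1","AP","Client 802.11 Association Success","802.11 Association success to client 02:00:00:00:93:12 from BSSID 02:00:00:00:9e:f2 on channel 11 of AP hostname AP-EXAMPLE-1"
'''


def parse_events(text):
    """Return (timestamp, ap, event_type, client_mac, reason) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for row in csv.reader(lines):
        if len(row) < 7:
            continue  # not an event row
        # The unquoted timestamp contains commas, so it spans the first 3 fields.
        ts = datetime.strptime(",".join(row[:3]).strip(), TS_FORMAT)
        ap, event_type, desc = row[3], row[5], row[6]
        mac = MAC_RE.search(desc)
        reason = REASON_RE.search(desc)
        events.append((ts, ap, event_type,
                       mac.group(1).lower() if mac else None,
                       reason.group(1) if reason else None))
    return events


def find_deauth_storms(events, reason="AP is resource constrained",
                       window=timedelta(minutes=10), threshold=3):
    """Flag (ap, client) pairs with >= threshold matching de-auths in a window."""
    stats = defaultdict(lambda: {"deauths": 0, "peak": 0,
                                 "radius_accepts": 0, "gaps_ms": []})
    recent = defaultdict(deque)   # de-auth times still inside the window
    last_accept = {}              # last RADIUS accept per (ap, client)
    for ts, ap, etype, mac, why in sorted(events, key=lambda e: e[0]):
        if mac is None:
            continue
        key = (ap, mac)
        entry = stats[key]
        if etype == "Client 802.1x Radius Accept":
            # Every accept is a full 802.1X exchange, i.e. not a fast roam.
            entry["radius_accepts"] += 1
            last_accept[key] = ts
        elif "De-authentication" in etype and why == reason:
            entry["deauths"] += 1
            times = recent[key]
            times.append(ts)
            while ts - times[0] > window:
                times.popleft()
            entry["peak"] = max(entry["peak"], len(times))
            if key in last_accept:
                gap = ts - last_accept.pop(key)
                entry["gaps_ms"].append(gap // timedelta(milliseconds=1))
    return {k: dict(v) for k, v in stats.items() if v["peak"] >= threshold}


if __name__ == "__main__":
    for (ap, mac), s in find_deauth_storms(parse_events(SAMPLE)).items():
        print(ap, mac, s)
```

A client whose de-auths arrive tens of milliseconds after each RADIUS accept, as in the pasted loops, is completing full authentication and then leaving again, which is a different failure from one that never authenticates.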




  • 4.  RE: Lots of client roaming error events in Central

    Posted Aug 05, 2024 11:29 AM

    I assume you have a TAC case open?




  • 5.  RE: Lots of client roaming error events in Central

    Posted Aug 05, 2024 02:51 PM

    Not yet no - was hoping someone in here could help as opening a TAC case and waiting for it to escalate to serious levels kinda tests my patience 😂




  • 6.  RE: Lots of client roaming error events in Central

    Posted Aug 09, 2024 01:32 PM

    "opening a TAC case and waiting for it to escalate to serious levels kinda tests my patience"
    I wish this statement wasn't so very true.  Working with TAC is painful.

    I have dealt with a lot of roaming issues and AOS10.  There have been tons of updates to roaming in different versions but I have found 10.4.1.2 to be the version to finally fix our roaming issues.  I am currently running 10.4.1.3 and roaming is working most of the time - still get a few issues here and there but nothing major.

    The way the PMK cache and AOS10 works is different than it used to.  Before, it used to sync it to the controller or IAP virtual controller but in AOS10 the PMK is all synced to the cloud and then back down to neighboring APs.

    https://www.arubanetworks.com/techdocs/central/2.5.8/content/aos10x/aos10x-overview/aos10-kms-workflow.htm

    I think the neighboring APs were synced to the APs by this (Someone correct me here if I am wrong - this is just my guess based on hours of troubleshooting):
    show ap dtls provisioned-neighlist
    https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos10/showap-dtls-pn.htm

    You are getting "Reason: AP is resource constrained" - This is telling me the AP is getting overloaded somehow.  I am not sure why but I have a few theories:
    1. Aruba doesn't properly let the client know the PMKID is invalid and the client just keeps trying to connect and fails repeatedly.
    2. There is no central PMK cache holder (Controller/IAP VC) and the PMK cache is synced to all APs.  This could be eating up a lot of resources.
    ^These are all guesses.  I haven't checked packet capture logs with PMK issues in months but back in 10.4.0.x/10.5.x this was true.

    I would be curious to see the output of these commands:
    show cluster-security peers  (how many peers do you have?)
    show cluster-security stats (run this multiple times and see how fast the numbers are increasing)
    show cpu
    show memory
    show ap pmkcache  (what is your PMK cache count?)
    In your AP group -> Config -> Radios -> radio profile -> What is your ARM/WIDS Override set to?
    In your AP group -> Config -> Security -> Wireless IDS/IPS -> What are your detection levels set to?

    Last question - Is there a reason that you are on 10.6.x?  It might be worth looking into downgrading to 10.4.1.3 as I have fought with PMK issues for a long time until 10.4.1.x.

    Our setup:
    Aruba CX switches - 4100i (PLC switches) /6300M (IDF/Access switches - Stacked) / 8325 (Core/AGG switches - VSX)
    Aruba APs - Mostly AP-650s with a few AP-577s.  All APs are using LAG to two switches.
    Aruba Controllers - 9240 x 4 and 9012 x 2
    Using Clearpass for all authentication (wired/wireless).
    7 Sites and about 200 Aruba devices in Central








  • 7.  RE: Lots of client roaming error events in Central

    Posted Aug 10, 2024 12:46 AM

    I'm interested in this thread too. I've also had problems with roaming since aos10, in this case OKC only due to 11r causing many older clients (mostly apple) to fail to connect.

    Never had problems with roaming on aos8 with controllers. Only been an issue since aos10 with gateways.

    Thanks for the link regarding KMS operation. Very useful.

    What I do know from troubleshooting roaming in the past and DTLS is there is a shared set of APs with a DTLS neighbour allow list. If the messages are outside of that allow list, they are dropped. This means groups of APs within earshot of each other do get KMS updates for that group, but not others outside of earshot.

    However, I still see most roaming causing full dot1x auths, even between radios on the same APs.

    Once I get past some of the other hurdles we have, I'll be taking another stab at this problem, as we pretty much have no seamless roaming in our network.

    I did two tac cases last year about it, but they took so long and I was so busy, I just couldn't keep working on them.

    Interested to see how this thread goes... :)




  • 8.  RE: Lots of client roaming error events in Central

    Posted Aug 13, 2024 09:14 AM
    You are not the first person to have roaming issues/PMK issues.  There are quite a few people that have said something about it on the forums.
     
     
     
    https://community.arubanetworks.com/discussion/aruba-central-controllerless-environment-is-not-working
     
    ^Here is a thread of someone that had tons of roaming issues.  They were on 10.5.x which is really bad with roaming.  They had some other issues but we got on a call and I helped him out.

    "What I do know from troubleshooting roaming in the past and DTLS is there is a shared set of APs with a DTLS neighbour allow list. If the messages are outside of that allow list, they are dropped. This means groups of APs within earshot of each other do get KMS updates for that group, but not others outside of earshot."

    Yeah, I have seen the same thing.  I think Aruba Central will send a "neighbor" list to the APs and that is the APs the client could potentially roam to.  The issue with this is that a user could close their laptop (or device goes to sleep) and walk to another part of the building and then have issues due to roaming failing.

    The PMK-R0 key exists on the original AP and a PMK-R1 gets synced to the other APs.  If there is no PMK-R1 on the AP it will try to contact the PMK-R0 holder (the original AP) over PAPI.  Since Aruba Central sends a "neighbor allow list", that means not all APs can communicate in the cluster and get PMK-R1 keys and can not reach the PMK-R0 holder.

    You can see the cluster connections on the APs with this command:
    show cluster-security connections

    In 10.4.1.3 (what I am currently running) I can see all APs are in the "show ap dtls allowed-aps".  One of my sites has around 80 APs and they are all in the dtls allowed-aps list.

    I can run "show cluster-security connections" and I see around 70 connections on one of the APs.  Any peer connection I do not see I can run the below commands to get it to communicate with the cluster.  I think this is where a lot of the PMK/roaming issues are in other versions.  It tries to connect to other APs in the cluster but can not.  You can check your "show log papi-handler" to see if there are any DTLS failures.  If there are DTLS failures, check the Aruba Central logs and see if they are around the same time as PMK-R0 holder is unreachable.


    S40-AP-51-F2# show cluster-security connections | i 10.xxx.xxx.157
    3f7f83eb   3fbf790e    connected  R      10.xxx.xxx.151[4434]  10.xxx.xxx.157[4434]     81957     71634  26m:11s      02m:00s     07h:16m:49s
    
    S40-AP-51-F2# show cluster-security connections | i 10.xxx.xxx.158
    
    S40-AP-51-F2# dtls test 10.xxx.xxx.158
    
    S40-AP-51-F2# dtls test-ephemeral a8:5b:f7:xx:xx:xx 10.xxx.xxx.158
    
    S40-AP-51-F2# show cluster-security connections | i 10.xxx.xxx.158
    3f7f8400   5ffd5fdb    connected  I      10.xxx.xxx.151[4434]  10.xxx.xxx.158[4434]       174       174  01m:16s      58m:45s     07h:38m:46s

    Before I upgraded to 10.4.1.x I used a script to add all of my APs to the DTLS neighbor list.  I ran that every day.

    # Install-Module -Name Posh-SSH -Force

    # Load Posh-SSH module
    Import-Module Posh-SSH

    # Define the devices, commands, and credentials
    $devices = @(
        "10.xxx.xxx.101",
        "10.xxx.xxx.102"
    )
    $arubapass = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
    $arcred = New-Object System.Management.Automation.PSCredential ("USERNAME", $arubapass)
    $commands = @(
        "dtls add-neigh a8:5b:f7:xx:xx:xx 10.xxx.xxx.101",
        "dtls add-neigh a8:5b:f7:xx:xx:xx 10.xxx.xxx.102",
        "dtls test 10.xxx.xxx.101",
        "dtls test 10.xxx.xxx.102"
    )

    # Iterate through each device
    foreach ($device in $devices) {
        # Establish SSH session (-AcceptKey trusts the AP's host key without verifying it)
        $session = New-SSHSession -ComputerName $device -Credential $arcred -AcceptKey -Force
        # Open the shell stream on the session just created instead of assuming index 0
        $SSHStream = New-SSHShellStream -SSHSession $session -BufferSize 9999
        Start-Sleep -Seconds 2

        foreach ($command in $commands) {
            $SSHStream.WriteLine($command)
            Start-Sleep -Seconds 1
            $SSHStream.Read()
        }

        # Close this device's session
        Remove-SSHSession -SSHSession $session
    }










     



  • 9.  RE: Lots of client roaming error events in Central

    Posted Aug 13, 2024 04:52 PM

    Well, the show ap dtls-allowed list only contains 40 of the site's 59 APs, so probably the reason for all my roaming errors is right there.

    How the HE*** can Aruba send out so poor software that essentially renders roaming useless on sites? As I understand you guys, this is universal for 10.5.x and 10.6.x firmwares..... Unbelievable.
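The gap between the allow list and the site inventory discussed above can be checked per AP. The following is an added example, not code from any poster or from Aruba: it parses text in the `show cluster-security peers` table layout that appears further down in this thread and compares it with a list of AP addresses for the site. The inventory list, the local AP address and the sample output are constructed assumptions.

```python
import ipaddress
import re

# Row layout from "show cluster-security peers": address[port]  state  idx
PEER_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]\s+(\S+)\s+([0-9a-f]+)$")
TOTAL_ROW = re.compile(r"^Total peers count:\s*(\d+)$")

# Constructed sample output for an AP at 10.0.0.1 on a six-AP site.
SAMPLE_OUTPUT = """
Cluster Security DTLS Peers
---------------------------
Peer Address     State   Local IDX
------------     -----   ---------
10.0.0.2[4434]   active  0a0a0a01
10.0.0.3[4434]   active  0a0a0a02
10.0.0.4[4434]   init    0a0a0a03
Total peers count:3
"""
SAMPLE_SITE_APS = ["10.0.0.%d" % n for n in range(1, 7)]  # assumed inventory


def parse_peers(cli_output):
    """Return ({peer_ip: state}, reported_total or None)."""
    peers, reported_total = {}, None
    for line in cli_output.splitlines():
        line = line.strip()
        row = PEER_ROW.match(line)
        if row:
            peers[row.group(1)] = row.group(3)
            continue
        total = TOTAL_ROW.match(line)
        if total:
            reported_total = int(total.group(1))
    return peers, reported_total


def audit_peer_coverage(cli_output, site_ap_ips, local_ip):
    """Compare one AP's DTLS peers with every other AP on the site."""
    peers, reported_total = parse_peers(cli_output)
    expected = set(site_ap_ips) - {local_ip}
    by_ip = ipaddress.ip_address  # sort numerically, not as strings
    return {
        "expected": len(expected),
        # Peers that can exchange cluster messages with this AP right now.
        "active": sorted((ip for ip, state in peers.items()
                          if state == "active" and ip in expected), key=by_ip),
        # Listed, but the DTLS connection is not established (e.g. "init").
        "not_active": {ip: state for ip, state in peers.items()
                       if state != "active"},
        # Site APs this AP has no peer entry for at all.
        "missing": sorted(expected - set(peers), key=by_ip),
        # Peers that are not in the site inventory.
        "unexpected": sorted(set(peers) - expected, key=by_ip),
        # True when the pasted output lost rows compared with its own total.
        "truncated": reported_total is not None and reported_total != len(peers),
    }


if __name__ == "__main__":
    report = audit_peer_coverage(SAMPLE_OUTPUT, SAMPLE_SITE_APS, "10.0.0.1")
    for field, value in report.items():
        print(field, value)
```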




  • 10.  RE: Lots of client roaming error events in Central

    Posted Aug 13, 2024 04:44 PM

    Sorry about the late reply - been working my tail off this week. I think I may need to follow your advice and downgrade the firmware - I continue to see thousands and thousands of roaming errors in the log every day. I took this output from one of the AP's that keeps recording hundreds of "AP is resource constrained" every day with what is a few actual client mac addresses.

    There are 59 AP's on this site in total. So it seems the OKC and 802.11r cache neighbors list is present on most of all the site's AP's - yet I have thousands of roaming errors every day. However - the cache has 34 entries, but there are currently only 10 active clients on the site (it's nighttime)

    Let me know if you see anything interesting from this.

    ##################### Troubleshooting session for AP: API-RECEPTION #####################
    === Troubleshooting session started ===


    ===================================
    Output Time: 2024-08-13 20:32:07 UTC


    COMMAND=show cluster-security peers

    ---------------------------
    IDX        :Connection Index
    ---------------------------

    Cluster Security DTLS Peers
    ---------------------------
    Peer Address       State   Local IDX
    ------------       -----   ---------
    10.1.109.11[4434]  active  7de70a92
    10.1.109.22[4434]  active  7de70a27
    10.1.109.10[4434]  active  7de709c6
    10.1.109.5[4434]   active  7de70a3e
    10.1.109.45[4434]  active  7de709f8
    10.1.109.16[4434]  active  7de70a16
    10.1.109.4[4434]   active  7de70a38
    10.1.109.44[4434]  active  7de7096c
    10.1.109.19[4434]  active  7de709f2
    10.1.109.7[4434]   active  7de70a30
    10.1.109.47[4434]  active  7de70a08
    10.1.109.6[4434]   active  7de70a19
    10.1.109.1[4434]   active  7de70a40
    10.1.109.41[4434]  active  7de709bc
    10.1.109.52[4434]  active  7de70a75
    10.1.109.40[4434]  active  7de709c7
    10.1.109.3[4434]   active  7de70a2c
    10.1.109.43[4434]  active  7de709ca
    10.1.109.2[4434]   active  7de70a3c
    10.1.109.42[4434]  active  7de70aa1
    10.1.109.29[4434]  active  7de70a42
    10.1.109.49[4434]  active  7de70a45
    10.1.109.28[4434]  active  7de7099b
    10.1.109.48[4434]  active  7de709ad
    10.1.109.31[4434]  active  7de70aaf
    10.1.109.51[4434]  active  7de70a31
    10.1.109.30[4434]  active  7de70a87
    10.1.109.50[4434]  active  7de70a26
    10.1.109.13[4434]  active  7de70a14
    10.1.109.33[4434]  active  7de70a05
    10.1.109.24[4434]  active  7de70a2a
    10.1.109.12[4434]  init    7de70ab6
    10.1.109.32[4434]  active  7de709f6
    10.1.109.27[4434]  active  7de709c2
    10.1.109.15[4434]  active  7de7092f
    10.1.109.26[4434]  active  7de70a4b
    10.1.109.14[4434]  active  7de70a4f
    10.1.109.9[4434]   active  7de709eb
    10.1.109.20[4434]  active  7de70a28
    10.1.109.8[4434]   active  7de709d6
    10.1.109.23[4434]  active  7de70a3d
    Total peers count:41


    ===================================
    Output Time: 2024-08-13 20:32:07 UTC


    COMMAND=show cluster-security

    Cluster Security Profile
    ------------------------
    Parameter              Value
    ---------              -----
    DTLS state             Enabled
    Low assurance devices  Allow
    Non-DTLS Members       Allow
    Reboot required        No


    ===================================
    Output Time: 2024-08-13 20:32:08 UTC


    COMMAND=show ap pmkcache

    PMK Cache Table
    ---------------
    Client MAC         Key                         OKC/11r  Expiry      Role      VLAN  ESSID     ualg/malg      R1Key List (BSSID : R1name : R1Key)                                                                                                                                                                                                     Seqno  IP
    ----------         ---                         -------  ------      ----      ----  -----     ---------      -----------------------------------                                                                                                                                                                                                     -----  --
    PMK Cache Count:34


    ===================================
    Output Time: 2024-08-13 20:32:09 UTC


    COMMAND=show cpu
     total: user   0% nice   1% system   1% idle  94% io   0% irq   0% softirq   3%
      cpu0: user   0% nice   4% system   4% idle  79% io   0% irq   0% softirq  13%
      cpu1: user   0% nice   0% system   0% idle 100% io   0% irq   0% softirq   0%
      cpu2: user   0% nice   0% system   0% idle 100% io   0% irq   0% softirq   0%
      cpu3: user   0% nice   0% system   1% idle  99% io   0% irq   0% softirq   0%


    ===================================
    Output Time: 2024-08-13 20:32:10 UTC


    COMMAND=show memory
    MemTotal:        1745588 kB
    MemFree:          340516 kB
    MemAvailable:     560916 kB
    Buffers:           30140 kB
    Cached:           226508 kB
    SwapCached:            0 kB
    Active:           245228 kB
    Inactive:         164532 kB
    Active(anon):     157108 kB
    Inactive(anon):    27272 kB
    Active(file):      88120 kB
    Inactive(file):   137260 kB
    Unevictable:           0 kB
    Mlocked:               0 kB
    SwapTotal:             0 kB
    SwapFree:              0 kB
    Dirty:                 0 kB
    Writeback:             0 kB
    AnonPages:        153136 kB
    Mapped:            69572 kB
    Shmem:             31280 kB
    Slab:              71320 kB
    SReclaimable:      14724 kB
    SUnreclaim:        56596 kB
    KernelStack:        3184 kB
    PageTables:         1544 kB
    NFS_Unstable:          0 kB
    Bounce:                0 kB
    WritebackTmp:          0 kB
    CommitLimit:      872792 kB
    Committed_AS:     257644 kB
    VmallocTotal:   263061440 kB
    VmallocUsed:           0 kB
    VmallocChunk:          0 kB
    CmaTotal:              0 kB
    CmaFree:               0 kB

    === Troubleshooting session completed ===




  • 11.  RE: Lots of client roaming error events in Central

    Posted Aug 10, 2024 12:52 AM

    I remember reading somewhere about the compatibility between OKC, 11R and WPA2/WPA3, but I don't remember where I read that, as well as which type is compatible with which client. I need to find that link again.

    I've had WPA3 Transition Mode issues where clients are refused association that doesn't happen in WPA2-Enterprise. There could be multiple things happening in your case blurring the troubleshooting.

    Can you test a sample of clients with a WPA2-Enterprise SSID and EAP-TLS/PEAP profile, just to rule out the roaming issue is WPA3 related?

    I've been meaning to do this, but just haven't had the time yet.




  • 12.  RE: Lots of client roaming error events in Central

    Posted Aug 13, 2024 09:21 AM

    "I've had WPA3 Transition Mode issues where clients are refused association that doesn't happen in WPA2-Enterprise. There could be multiple things happening in your case blurring the troubleshooting.

    Can you test a sample of clients with a WPA2-Enterprise SSID and EAP-TLS/PEAP profile, just to rule out the roaming issue is WPA3 related?"

    I have had WPA3 Transition mode issues in the past but it wasn't roaming/PMK related.  I was testing our guest SSID and when the transition would happen it would kick me off the guest network and onto our employee network.  This was because I had the employee network saved on my computer and it was the preferred network.  

    I have WPA3 with transition mode enabled on our employee network and I do not have any roaming issues right now. The only issue I see is when the PMK expires. I see an error for the device first thing in the morning but that is it. After the first connection in the morning they work fine.




  • 13.  RE: Lots of client roaming error events in Central

    Posted Aug 13, 2024 04:57 PM

    Can I just downgrade the APs by setting a Firmware Baseline to 10.4.1.3 in Central instead of the current 10.6.0.2 baseline?

    Will it downgrade seamlessly, or do I need to take any additional measures? What about the WLAN gateways, should they remain on 10.6.0.2, or should they be downgraded as well?

    There is very little documentation on supported downgrading paths inside AOS 10 from Central. It's always about downgrading to 8.x.




  • 14.  RE: Lots of client roaming error events in Central

    Posted Aug 13, 2024 05:05 PM

    I tried disabling 802.11r, and that REALLY made a difference on the roaming error events in Central. From hundreds a minute even at night time, the log is almost entirely positive now. So the main issue seems very much related to 802.11r right now. It was not a problem in our AOS8 install.

    But I'll see how it behaves tomorrow and update this post.
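One way to put numbers on the before/after comparison described in the post above, as an added example that is not part of the original thread or any Aruba tooling. It assumes the Central events are exported as text with one event per line in the format quoted in the first post; the grouping of reasons into 802.11r/PMK key handling versus AP load is a triage assumption made here, not a vendor taxonomy.

```python
import re
from collections import Counter

# Event line format as quoted in the thread's first post.
EVENT_RE = re.compile(
    r"Onboarding failed for client (?P<client>\S+) in (?P<phase>\S+) phase "
    r"to BSSID (?P<bssid>\S+) on channel (?P<channel>\S+) of AP hostname "
    r"(?P<ap>\S+)\. Reason: (?P<reason>.+)$"
)

# Assumed triage grouping: key-hierarchy failures vs. AP load rejections.
FT_KEY_MARKERS = ("pmk-r0", "r0kh", "fast transition", "pmkid")
LOAD_MARKERS = ("resource constrained", "rejected temporarily")


def classify(reason):
    low = reason.lower()
    if any(m in low for m in FT_KEY_MARKERS):
        return "ft_key"
    if any(m in low for m in LOAD_MARKERS):
        return "load"
    return "other"


def parse_event(line):
    """Return a dict for one onboarding-failure event, or None if no match."""
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["category"] = classify(event["reason"])
    return event


def summarize(lines):
    """Count events per category and key-handling failures per AP."""
    categories, ft_key_by_ap, skipped = Counter(), Counter(), 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            skipped += 1 if line.strip() else 0  # unparsed, non-blank lines
            continue
        categories[event["category"]] += 1
        if event["category"] == "ft_key":
            ft_key_by_ap[event["ap"]] += 1
    return {"categories": dict(categories),
            "ft_key_by_ap": dict(ft_key_by_ap), "skipped": skipped}
```

Running `summarize` on an export taken before and another taken after a change such as disabling 802.11r shows whether the `ft_key` count dropped while `load` stayed flat, and which APs account for the key-handling failures.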




  • 15.  RE: Lots of client roaming error events in Central

    Posted Aug 15, 2024 09:25 AM

    Downgrading has worked fine for me in the past but make sure to test before running it against all your devices.

    The only thing that I know of that would cause issues in a downgrade is if you have the "Customize Management VLAN" enabled.  That is not supported in 10.4.x.

    "I tried disabling 802.11r, and that REALLY made a difference on the roaming error events in Central. From hundreds a minute even at night time, the log is almost entirely positive now. So the main issue seems very much related to 802.11r right now."
    Yes, we did the same thing in the past to fix our issues. This may be an acceptable/good fix for you but clients will not be able to fast roam. When we did this we had issues with our shipping/receiving team getting error messages on their handheld devices due to roaming taking a few seconds. We also saw issues where ClientMatch would move a client to a new AP and that user would complain about Zoom/internet being slow or laggy. The Zoom/ClientMatch issue would happen without a user moving around at all.




  • 16.  RE: Lots of client roaming error events in Central

    Posted Aug 15, 2024 03:40 PM

    Just an update from today. Things seem to work "okay" - roaming is naturally slow and not VoIP usable since 802.11r is not enabled, but clients do roam quite consistently where it was very much more hit 'n' miss before.

    In a few days I'll probably experiment a bit with downgrades.

    Pretty hard to understand how released firmwares this late in AOS 10 can have entire family generations where roaming just does not work properly.
    Cannot avoid being a little worried that HPE has cra** in the bed with this, and we will see what we are used to seeing with HPE acquisitions: They ruin a perfectly good product, and then we have to purchase something new (Juniper I assume is the next generation?)