Thanks for your hint, Honestly, I do not know how can I convince my boss to update MM and 2 MC os. He say that try to find another solution for this issue,
I talk with TAC and also they propose to update OS but he is not sure this action also solve this issue as well.
Original Message:
Sent: Dec 08, 2023 10:37 AM
From: JS90
Subject: PTK Challenge Failed
I suggest upgrading your deployment to the latest 8.10 point release. 8.6.0.9 was released in April of 2021 and since there have been a number of bugfixes introduced.
You might consider disabling 802.11r and OKC on the affected WPA2-Personal SSID to see if that helps.
------------------------------
Josh
Original Message:
Sent: Dec 08, 2023 02:35 AM
From: gh.as
Subject: PTK Challenge Failed
Hi
Should I un-check Client Match under AP Gruop -->Radio- Client Control and also
under System--profiles-->all profiles--> Wireless LAN-->Virtual AP--SSID then un-check OKC ? or not ?
For info: Advertise 802.11d and 802.h were activated.
Jut for info:
(MC2) [MDC] # show ap debug client-deauth-reason-counters
Deauth Reason Counters
----------------------
Name Value
---- -----
Denied; Association Flood Detected 67
Unspecified Failure 517669
Denied; Ageout 147
Prior authentication is not valid 2561
STA has left and is deauthenticated 74540
Inactive Timer expired and STA was disassociated 6518
UAC Changed 629
Class 2 frames from non authenticated STA 172
Class 3 frames from non associated STA 911
Supplicant up failed 84
STA has left and is disassociated 543536
C-STM deauthed STA; AID mismatch 9
STA has roamed to another AP 4092454
Auth STA up failed 62
Requested authentication algorithm not supported 154335
Dormant STA Del 6
Station Up Message to Controller Timed Out 43
Denied: AP Ageout 305
Response to challenge failed 59903
AP is resource constrained 2
APAE Disconnect 775347
Response to EAP Challenge Failed 189140
Key Propagation Failed 162
Client Match 7145
AP-STM found same STA with a different AID 21
Ptk Challenge Failed 1854789
Invalid PMKID 255
Wlan driver excessive tx fail quick kickout 228961
Denied; Internal Error 5
Denied; AP Going Down 2881
Sapcp Ageout (internal ageout) 48437
(MC2) [MDC] #
Original Message:
Sent: Dec 07, 2023 10:01 PM
From: JS90
Subject: PTK Challenge Failed
Which ArubaOS version are you running? (Run show switches from the Mobility Conductor)
What security mode (opmode) is being used for the SSID clients are having issues with? Is this PSK/SAE/.1X?
Sorry, we didn't establish which clients and respective driver versions are having issues. Can you clarify client details?
Can you correlate if the error happens when the client roams? show ap client trail-info <mac> may be useful for that.
Enabling and analyzing ap-debug and user-debug logs once you've found a client with the issue may give clues.
------------------------------
Josh
Original Message:
Sent: Dec 07, 2023 02:32 AM
From: gh.as
Subject: PTK Challenge Failed
Hello Josh,
Thanks for your answer:
I am going to answer all your questions:
Did anything change recently? Not at all
Configuration changes? Not at all - Client changes? Not At all
How often are you seeing these errors in the logs? Normally when we have some expo in our big salon which cover by 19 AP(model 345 and one single new 535)
Do the logs always indicate the same client(s) or is it random client(s)? honestly is random clients
Are you able to reproduce a failure when you track down a client from the AirWave logs? I need to dig it again,but when I pick up a client randomly I can find this issue.
would also be helpful to know what version of AOS code? I dont understand this question.
Which AP models? 345 and single 535
What features are enabled (like 802.11r)? 802.11r and OKC are enable it for roaming.
Thank you so much
Original Message:
Sent: Dec 06, 2023 10:15 AM
From: JS90
Subject: PTK Challenge Failed
We need more information to better guide you. It may be easier for you to open a TAC case and triage with them.
You mentioned this started happening recently. Did anything change recently? Configuration changes? Client changes?
How often are you seeing these errors in the logs? Do the logs always indicate the same client(s) or is it random client(s)?
Are you able to reproduce a failure when you track down a client from the AirWave logs?
It would also be helpful to know what version of AOS code? Which AP models? What does the relevant VAP/SSID configuration look like? What features are enabled (like 802.11r)?
Here are some additional commands to run (along with the auth-tracebuf
) that may give more clues on what is going on:
show ap remote debug mgmt-frames ap-name <ap client is connected> client-mac <mac>
show ap client trail-info <mac>
show log all | include <mac>
------------------------------
Josh
Original Message:
Sent: Dec 06, 2023 06:41 AM
From: gh.as
Subject: PTK Challenge Failed
Hi,
Thanks for your replying.
I have already double checked the key with clients. it was ok for most of them, I can say more than 150 clients but for some of them this issue pop up.
I track also NPS and output is OK too,
I checked this materials also:
Firewall polices,
NPS(Win server 2019)
Laptop WIFI card driver, Update them
Any other hints ?
Best
Ghasem
Original Message:
Sent: Dec 05, 2023 03:38 PM
From: JS90
Subject: PTK Challenge Failed
PTK challenge failed typically means there is a passphrase mismatch. You will need to track down that client and investigate further.
For the auth-tracebuf on the controller, it will be empty if A0:C5:89:E9:A9:F8 hasn't recently attempted to associate and authenticate.
------------------------------
Josh
Original Message:
Sent: Dec 05, 2023 05:32 AM
From: gh.as
Subject: PTK Challenge Failed
Hello Folks,
Since last week, we encounter with "PTK Challenge Failed " in Airwave.
We have Mobility Master with 2 controller (1 cluster + 158 APs)
also
show auth-tracebuf mac A0:C5:89:E9:A9:F8 count 10 did not display any result,
Could you please share your experience in this regards?
Best,
Ghasem