Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

PTK Challenge Failed

This thread has been viewed 50 times
  • 1.  PTK Challenge Failed

    Posted Dec 05, 2023 05:32 AM

    Hello Folks,

    Since last week, we encounter with "PTK Challenge Failed " in Airwave. 

    We have Mobility Master with 2 controller (1 cluster + 158 APs)

    also 

    show auth-tracebuf mac A0:C5:89:E9:A9:F8 count 10  did not display any result,

    Could you please share your experience in this regards? 

    Best,

    Ghasem 

    PTK



  • 2.  RE: PTK Challenge Failed

    EMPLOYEE
    Posted Dec 05, 2023 03:39 PM

    PTK challenge failed typically means there is a passphrase mismatch. You will need to track down that client and investigate further.

    For the auth-tracebuf on the controller, it will be empty if A0:C5:89:E9:A9:F8 hasn't recently attempted to associate and authenticate.



    ------------------------------
    Josh
    ------------------------------



  • 3.  RE: PTK Challenge Failed

    Posted Dec 06, 2023 06:41 AM

    Hi,

    Thanks for your replying.

    I have already double checked the key with clients. it was ok for most of them, I can say more than 150 clients but for some of them this issue pop up.

    I track also NPS and output is OK too, 

    I checked this materials also:

    Firewall polices,

    NPS(Win server 2019) 

    Laptop WIFI card driver, Update them 

    Any other hints ? 

    Best

    Ghasem 




  • 4.  RE: PTK Challenge Failed

    EMPLOYEE
    Posted Dec 06, 2023 10:15 AM

    We need more information to better guide you. It may be easier for you to open a TAC case and triage with them.

    You mentioned this started happening recently. Did anything change recently? Configuration changes? Client changes?

    How often are you seeing these errors in the logs? Do the logs always indicate the same client(s) or is it random client(s)?

    Are you able to reproduce a failure when you track down a client from the AirWave logs?

    It would also be helpful to know what version of AOS code? Which AP models? What does the relevant VAP/SSID configuration look like? What features are enabled (like 802.11r)? 

    Here are some additional commands to run (along with the auth-tracebuf) that may give more clues on what is going on:

    show ap remote debug mgmt-frames ap-name <ap client is connected> client-mac <mac>

    show ap client trail-info <mac>

    show log all | include <mac>



    ------------------------------
    Josh
    ------------------------------



  • 5.  RE: PTK Challenge Failed

    Posted Dec 07, 2023 02:33 AM

    Hello Josh,

    Thanks for your answer:

    I am going to answer all your questions:

    Did anything change recently? Not at all 

    Configuration changes? Not at all - Client changes? Not At all 

    How often are you seeing these errors in the logs? Normally when we have some expo in our big salon which cover by 19 AP(model 345 and one single new 535) 

    Do the logs always indicate the same client(s) or is it random client(s)? honestly is random clients

    Are you able to reproduce a failure when you track down a client from the AirWave logs? I need to dig it again,but when I pick up a client randomly I can find this issue.

     would also be helpful to know what version of AOS code?  I dont understand this question.

     Which AP models? 345 and single 535 

    What features are enabled (like 802.11r)?  802.11r and OKC are enable it for roaming.

    Thank you so much 




  • 6.  RE: PTK Challenge Failed

    EMPLOYEE
    Posted Dec 07, 2023 10:01 PM

    Which ArubaOS version are you running? (Run show switches from the Mobility Conductor)

    What security mode (opmode) is being used for the SSID clients are having issues with? Is this PSK/SAE/.1X?

    Sorry, we didn't establish which clients and respective driver versions are having issues. Can you clarify client details?

    Can you correlate if the error happens when the client roams? show ap client trail-info <mac> may be useful for that.

    Enabling and analyzing ap-debug and user-debug logs once you've found a client with the issue may give clues.



    ------------------------------
    Josh
    ------------------------------



  • 7.  RE: PTK Challenge Failed

    Posted Dec 08, 2023 02:30 AM

    Thanks again for your replying,

    Our mobility Master running os version is ArubaMM-VA, 8.6.0.9 

    our 2 controller running os version is ArubaOS 8.6.0.9_79813 Model Aruba7205

    security mode for SSID which has a issue is  Key Management: WPA2-Personal - Use static Pre- Shared Key (PSK) 

    Client Info:

     Nom                   : Wi-Fi
        Description            : Killer(R) Wi-Fi 6 AX1650s 160MHz Wireless Network Adapter (201D2W)
        GUID                   : 3e2fbf9b-371f-43d9-aa7e-325120763e44
        Adresse physique       : 68:54:5a:95:1b:90
        Type d'interface         : Primaire
        État                  : connecté
        SSID                   : xxxxxxxxxxx
        BSSID                  : 48:4a:e9:f9:xx:xx
        Type de réseau           : Infrastructure
        Type de radio             : 802.11n
        Authentification         : WPA2 - Entreprise
        Chiffrement                 : CCMP
        Mode de connexion        : Profil
        Bande                   : 2,4 GHz
        Canal                : 9
        Réception (Mbits/s)    : 144.4
        Transmission (Mbits/s)   : 144.4
        Signal                 : 91%
        Profil                : Partitio-xxxxxxxx

    and for the rest I will keep up update

    Best

    Ghasem 




  • 8.  RE: PTK Challenge Failed

    Posted Dec 08, 2023 02:35 AM

    Hi


    Should I un-check Client Match under AP Gruop -->Radio- Client Control and also
    under System--profiles-->all profiles--> Wireless LAN-->Virtual AP--SSID then un-check OKC ? or not ?
    For info: Advertise 802.11d and 802.h were activated.

    Jut for info:

     
    (MC2) [MDC] # show ap debug client-deauth-reason-counters
     
    Deauth Reason Counters
    ----------------------
    Name                                              Value
    ----                                              -----
    Denied; Association Flood Detected                67
    Unspecified Failure                               517669
    Denied; Ageout                                    147
    Prior authentication is not valid                 2561
    STA has left and is deauthenticated               74540
    Inactive Timer expired and STA was disassociated  6518
    UAC Changed                                       629
    Class 2 frames from non authenticated STA         172
    Class 3 frames from non associated STA            911
    Supplicant up failed                              84
    STA has left and is disassociated                 543536
    C-STM deauthed STA; AID mismatch                  9
    STA has roamed to another AP                      4092454
    Auth STA up failed                                62
    Requested authentication algorithm not supported  154335
    Dormant STA Del                                   6
    Station Up Message to Controller Timed Out        43
    Denied: AP Ageout                                 305
    Response to challenge failed                      59903
    AP is resource constrained                        2
    APAE Disconnect                                   775347
    Response to EAP Challenge Failed                  189140
    Key Propagation Failed                            162
    Client Match                                      7145
    AP-STM found same STA with a different AID        21
    Ptk Challenge Failed                              1854789
    Invalid PMKID                                     255
    Wlan driver excessive tx fail quick kickout       228961
    Denied; Internal Error                            5
    Denied; AP Going Down                             2881
    Sapcp Ageout (internal ageout)                    48437
    (MC2) [MDC] #



  • 9.  RE: PTK Challenge Failed

    EMPLOYEE
    Posted Dec 08, 2023 10:38 AM

    I suggest upgrading your deployment to the latest 8.10 point release. 8.6.0.9 was released in April of 2021 and since there have been a number of bugfixes introduced.

    You might consider disabling 802.11r and OKC on the affected WPA2-Personal SSID to see if that helps.



    ------------------------------
    Josh
    ------------------------------



  • 10.  RE: PTK Challenge Failed

    Posted Dec 19, 2023 04:55 AM

    Hello, 

    Thanks for your hint, Honestly, I do not know how can I convince my boss to update MM and 2 MC os. He say that try to find another solution for this issue, 

    I talk with TAC and also they propose to update OS but he is not sure this action also solve this issue as well.  

    Best,

    Ghasem

     




  • 11.  RE: PTK Challenge Failed

    MVP
    Posted Dec 20, 2023 07:14 AM

    The solution IS to upgrade. Perhaps your boss does not understand the dangers to the company on running an old, unsupported Wi-Fi system.  There are likely security vulnerabilities, opening up your corporate network & proprietary data to outside attack. That can be devastating for a company.

    Here is Aruba's end of life policy definitions https://www.arubanetworks.com/support-services/end-of-life-policy/



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 12.  RE: PTK Challenge Failed

    Posted Dec 20, 2023 07:22 AM

    Hi,

    Thanks for sharing your experience, the only thing that we are not sure is that is this action solve our issue or not? 

    anybody solves his PTK issue with updating os? 

    I try again to get green light from him. 

    Best

    Ghasem