Controller Based WLANs

How to troubleshoot replay counter mismatch errors

Apr 05, 2015 09:41 AM

Symptoms:

In the error logs we see the messages below when clients connect to dot1x and PSK SSIDs.
Jan 27 21:24:25 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 02 vs 03
Jan 27 21:27:07 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 01 vs 02
Jan 27 21:27:08 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 02 vs 03
Jan 27 21:27:10 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 03 vs 04
Jan 27 21:28:19 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 01 vs 03

It is not obvious whether these messages indicate a real problem, since the clients are still able to associate and authenticate to the controller.

Resolution:

When the controller sends WPA key message 1 or 3 to the client, it starts a 1 second
timer. If the timer expires before a response arrives, the controller retransmits the
message. Once a retry has been sent, only responses to that retry should be accepted;
otherwise there would be MIC failures. To tell whether the response (key message 2 or 4)
belongs to the latest transmission, the protocol carries a replay counter.

So essentially this error means that the controller received a response to a
packet after it had already sent out a later version of that packet, and it will not
accept the response to the earlier version. This can happen for multiple reasons, some
of them legitimate (for example, the client is genuinely slow). Sometimes it may be a bug
on the controller, such as packets not being prioritized properly.

To find where the delay is, correlate an air capture, a datapath packet capture for the
client, and the output of show auth-tracebuf for the client, comparing the timing of the
key exchanges while the problem is occurring. This shows whether the client is responding
to the latest packet, whether the client is even receiving the latest packet, and so on.
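Before pulling captures, it helps to see how far behind the retransmissions a client's replies are. The script below is an added example, not part of the original article: it parses the authmgr lines quoted above (used here as sample input), computes per client how many retries each rejected reply lagged (expected counter minus received counter), and maps the pattern onto the two causes the article names. The reading of the three MACs as client, BSSID and AP is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the five authmgr lines quoted in the article above.
SAMPLE_LOG = [
    "Jan 27 21:24:25 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 02 vs 03",
    "Jan 27 21:27:07 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 01 vs 02",
    "Jan 27 21:27:08 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 02 vs 03",
    "Jan 27 21:27:10 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 03 vs 04",
    "Jan 27 21:28:19 <authmgr 132093> <ERRS> |authmgr| WPA2 Key message 2 from Station 60:a4:4c:db:32:1d 9c:1c:12:3a:d1:e0 9c:1c:12:cb:ad:1e did not match the replay counter 01 vs 03",
]

# The three MACs after "Station" are read as client, BSSID and AP (an assumption;
# the article does not name them). The two counters are parsed as hex.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) <authmgr \d+> <ERRS> \|authmgr\| "
    r"WPA2 Key message (?P<msg>\d) from Station (?P<sta>[0-9a-f:]{17}) "
    r"(?P<bssid>[0-9a-f:]{17}) (?P<ap>[0-9a-f:]{17}) "
    r"did not match the replay counter (?P<got>[0-9a-f]+) vs (?P<want>[0-9a-f]+)$"
)

def parse_line(line):
    """Return the fields of one replay-counter error, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["msg"] = int(ev["msg"])
    ev["got"], ev["want"] = int(ev["got"], 16), int(ev["want"], 16)
    # lag = how many retransmissions the client's reply is behind the latest one sent
    ev["lag"] = ev["want"] - ev["got"]
    return ev

def summarize(lines):
    """Group mismatches per client MAC so repeat offenders stand out."""
    per_sta = defaultdict(lambda: {"count": 0, "max_lag": 0, "lags": []})
    for ev in filter(None, map(parse_line, lines)):
        s = per_sta[ev["sta"]]
        s["count"] += 1
        s["lags"].append(ev["lag"])
        s["max_lag"] = max(s["max_lag"], ev["lag"])
    return dict(per_sta)

def triage(stats):
    """Map a client's pattern onto the article's two causes (a heuristic, not a rule)."""
    if stats["max_lag"] <= 1:
        return "slow-client"     # reply lands just after the 1 s timer; a longer timer may help
    return "missed-retries"      # replies skip whole retries; correlate air/datapath captures
```

Run summarize(SAMPLE_LOG) and pass each entry to triage(): the fifth line's lag of 2 is what moves this station from "slow-client" to "missed-retries".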


This interval is configurable in the dot1x profile. If there are many slow clients, it
may be desirable to raise the timer from its default of 1 second, which is the optimal
value in most cases, to 2 seconds. The interval itself is set with wpa-key-period (in
milliseconds); the example below raises the number of key retransmissions to 5 in the
default dot1x profile:

aaa authentication dot1x "default"
  wpa-key-retries 5
