Why do the fragmented or out of order WPA/WPA2 packets get dropped? How to identify out of order packets?

*     WPA/WPA2 clients cannot send any ping packet if the ping size is bigger than 1472 bytes, which means that all the fragmented packets are dropped 
*     Opensystem or static WEP is working fine 

Root Cause 
     To prevent simple replay attacks, WPA/WPA2 (TKIP and AES-CCMP) carries a per-packet sequence counter (the TKIP TSC or CCMP packet number in the extended IV), and the receiver accepts a packet only if its counter is greater than the counter of the last packet it accepted. Any WPA/WPA2 packet that arrives out of order is therefore dropped by the receiver. 
     In this case, one of the customer's intermediate routers forwarded the fragmented packets along a different path, so they arrived at the controller out of order and were dropped by the controller. 
     Opensystem and static WEP have no mechanism to check whether packets arrive in order, which is why they work in this case. 

How to troubleshoot this problem 
*     Check the datapath crypto counters. “TKIP/AESCCM Decrypt Bad Counter” counts the out-of-order packets 

#show datapath crypto 

Datapath Crypto Statistics 
TKIP Encryption Failures   0 
TKIP Decryption Failures   0 
TKIP Decrypt Bad Counter   0                       
TKIP P1Key Not Ready       0 
TKIP Serialized            0 
TKIP Drops                 0 
AESCCM Encryption Failures 0 
AESCCM Decryption Failures 49660 
AESCCM Serialized          0 
AESCCM Drops               0 
AESCCM Decrypt Bad Counter 24792 
*     Get a sniffer trace on the controller and check whether the packets from the same client arrive in order according to the “CCMP Ext. Initialization Vector” (the CCMP packet number) 

Sniffer trace analysis from a real case 
*     The following 4 slides show 4 packets, in the order they were received by the controller, from the WPA2 client “00:1b:9e:69:9c:e5” 
*     Look at the CCMP IV counter: the sequence of these 4 packets is 0X000000000D82, D81, D84, D83. The correct order should be D81, D82, D83, D84 
*     Look at the IP ID: the first two packets have IDs 10349, 10348 and the last two have 10375, 10374. They should be 10348, 10349, 10374, 10375. 
*     Look at the TTL: packets 1 & 3 have TTL 53 while packets 2 & 4 (the fragmented packets) have TTL 52. The fragmented packets clearly have a smaller TTL, which means they have gone through an extra hop; that is the root cause of the packets arriving at the controller out of order.

Packet 1, Packet 2, Packet 3, Packet 4: [sniffer capture screenshots of the four frames, not reproduced here] 

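An added example, not part of the original article, modelling the CCMP replay check described in the root cause and applying it to the four frames from the analysis above. The Frame class, classify() and out_of_order_pns() are assumed names; the sample values are constructed from the PN, IP ID and TTL values quoted in the case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """One decrypted data frame as seen by the controller (constructed)."""
    ta: str      # transmitter address (client MAC)
    tid: int     # traffic identifier; 0 for non-QoS data
    pn: int      # 48-bit CCMP packet number from the extended IV
    ip_id: int   # IP identification field of the inner datagram
    ttl: int     # IP TTL of the inner datagram

class CcmpReplayCheck:
    """Simplified 802.11i replay check: one counter per (TA, TID); a frame is
    accepted only if its PN is strictly greater than the last accepted PN."""
    def __init__(self):
        self.last_pn = {}   # (ta, tid) -> highest PN accepted so far

    def accept(self, f):
        key = (f.ta, f.tid)
        if f.pn <= self.last_pn.get(key, -1):
            return False     # replay or out of order: drop (Decrypt Bad Counter)
        self.last_pn[key] = f.pn
        return True

def classify(frames):
    """Split frames into (accepted, dropped) lists, in arrival order."""
    rc = CcmpReplayCheck()
    accepted, dropped = [], []
    for f in frames:
        (accepted if rc.accept(f) else dropped).append(f)
    return accepted, dropped

def out_of_order_pns(frames):
    """PNs the receiver would drop, i.e. the frames that arrived out of order."""
    return [f.pn for f in classify(frames)[1]]

# Constructed sample: the PN, IP ID and TTL values quoted in the case above,
# in the order the controller received them.
CLIENT = "00:1b:9e:69:9c:e5"
CAPTURE = [
    Frame(CLIENT, 0, 0x000000000D82, 10349, 53),
    Frame(CLIENT, 0, 0x000000000D81, 10348, 52),  # fragment, one extra hop
    Frame(CLIENT, 0, 0x000000000D84, 10375, 53),
    Frame(CLIENT, 0, 0x000000000D83, 10374, 52),  # fragment, one extra hop
]

if __name__ == "__main__":
    acc, drp = classify(CAPTURE)
    print("dropped PNs:", [hex(f.pn) for f in drp])   # ['0xd81', '0xd83']
```

Sorting the same capture by PN before feeding it to classify() yields no drops, which is the behaviour the controller would see if the fragments had taken the same path as the rest of the flow.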