Hold queue on AP interface

On an autonomous 1131 AP, I'm working with someone else's config and trying to understand why a hold queue would be placed on this interface and if it is helpful or detrimental for this AP to have it enabled.
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
Any recommendations either way--keep it--remove it?

This link answers my question:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080094791.shtml

Similar Messages

  • QoS - Interface Hold Queue

    Hi,
    On an IOS 12000 router, the interface can be configured to increase the hold-queue.
    Once upgraded to IOX, the command is no longer available.
    I am facing interface input drops; in IOS I can increase the input hold-queue to solve the problem.
    But in IOX, no such command is available. How can I increase the interface hold-queue?
    In IOS:
    interface GigabitEthernet2/0/7
         hold-queue 1500 in
         hold-queue 1500 out

    Hi Chon,
    I am afraid, but this feature is not yet supported in IOX. I hope it is feasible to somehow shape the traffic before that box.
    FYI, we have launched the dedicated IOX forum -
    https://supportforums.cisco.com/community/netpro/service-providers/ios-xr?view=discussions
    so be our guest!
    Cheers,
    Ivan.

  • Quick UCM/Unity 7.x Hold Queue Question

    I was wondering if it was possible to create an automated "hold queue" in either UCM or Unity?  Specifically, we would like to have a call automatically placed in a queue if no one picks it up in a given amount of time.  We would prefer to have some kind of greeting also played to notify the callers they are being placed in the queue.  The other challenge would be notifying the individuals fielding the calls that there were calls in the queue.
    Can this be done natively in UCM or Unity or is this advanced functionality I would only get in say Contact Center?
    Will rate posts.
    Thanks!

    Hi
    Realistically this is the kind of thing you need Contact Center for I'm afraid.
    You can do *some* of this with Call Handlers in Unity / Unity Connection - but this basically goes as far as playing a message to callers, and then sending the call somewhere else (for example back around a hunt group).
    A relatively common implementation that I've done for customers is to:
    1. Route the call into a hunt group.
    2. If the call isn't picked up by the hunt group it diverts to a Unity Connection Call Handler.
    3. The caller is then played a message, and given the choice of continuing to hold (call is sent back to the hunt pilot) or leave a VM (call is transferred to a VM box).
    Queuing it isn't, but it does some of what you are after.
    It's nowhere near as sophisticated as what you get with Contact Centre. If you want real queuing, with real stats with real agent availability, then UCCX is the way to go.
    HTH. Barry

  • Messages remain in "HOLD" Queue in J2EE engine

    Hi
    Messages in the Java stack are in the "HOLD" status, and if I try to resend them, they still remain in the HOLD status.
    What could be the problem in this case?
    Regards
    XA

    Hi,
    I hope you are referring to the HOLDING status and you have EOIO.
    This status comes when the first message in the AE queue is in error status.
    In the runtime work bench message monitoring, run the query to get all SYSTEM ERROR STATUS messages for EOIO and cancel all of them.
    Then you should be able to resend this HOLDING STATUS message.
    To know which queue, please configure the following columns in configure table column option.
    Sequential Number
    Serialization Context
    Correlation ID
    In the output you can see these details .
    Thanks
    Rajesh

  • Assigning a dedicated queue for a Interface

    Hi Experts,
    I have a proxy to Database scenario. I am sending data in chunks via proxy. I want the chunks to be inserted into the database in the same order, because in the last chunk I am calling some additional stored proc which will unlock the database after insertion, so I want to do the following.
    1) I want to dedicate a separate queue which will contain all the messages from the Outbound Proxy (sending data to Database).
    2) That queue should not contain messages from any other sender interface, so that I can simply delete the queue and trigger the proxy again.
    Please suggest
    Thanks
    Vijay

    Hi,
    Check this prioritize messages in XI Using Queues
    How to prioritize messages in XI
    Regards
    Seshagiri

  • Dedicated Queue for Async Interface.

    Hi,
    I have a requirement where a message from an interface should always go through the same queue.
    How can I achieve this?
    Please suggest.
    Regards
    PS

    Hi,
    Please refer below blogs,
    How to prioritize messages in XI
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/59e837d3-0201-0010-c096-dc1869733413?QuickLink=index&overridelayout=true
    regards,
    ganesh.

  • MII Queue for ME Interfaces

    All,
    I am not sure whether this question will fit under MII forum. If not, please ignore it.
    All data communication between ECC and ME is executed via MII SAPMEINT package and error/logs are managed in MII Queue Monitor.
    My question is,
    Is it possible to leverage the MII Queue Monitor function for other custom interfaces that we plan to build between legacy and ME systems via MII?
    If yes, then how difficult would it be? I thought it would be feasible to use the MII queue monitor function to track the error logs for these custom interfaces if the effort is minimal.
    Thanks
    Mahesh

    I am pretty sure that the Queue Monitor is purpose built for ME specifically for the SAPMEINT interface.  I think you will find more people familiar with it on the ME forum. 
    But having said that, have you looked at the user exits for the interface?  There is some customization capability built into most of the ME interfaces using MII.  You may find that there is enough flexibility there to accommodate your Legacy interfaces.  I know that there are some built-in, but sadly have not worked with them directly.
    Regards,
    Mike

  • EZVPN public internet split tunnel with dialer interface

    I have a job on where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network as the external server will only accept connections from the corporate public IP address.
    So I have not only included the corporate C class in the interesting traffic but also the IP address of the external server.  
    So all good so far, traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
    Now comes the problem, I am trying to send the public IP traffic for the external server out of the corporate network into the public internet but it just drops and does not get back out the same interface into the internet.
    I checked out this procedure and it did not help as the route map counters do not increase with my attempt to reach the external router.
    http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html 
    And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site.  I also have a home server on the network that is reached, so I can definitely reach into the network at home, which is the test for the corporate network I am trying to reach.
    It's a Cisco 870 router and here is the config:
    Router#sh run
    Building configuration...
    Current configuration : 4617 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable secret 5 *************************
    enable password *************************
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local 
    aaa authorization network ciscocp_vpn_group_ml_1 local 
    aaa session-id common
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.1.1
    ip dhcp excluded-address 192.168.1.2
    ip dhcp excluded-address 192.168.1.3
    ip dhcp excluded-address 192.168.1.4
    ip dhcp excluded-address 192.168.1.5
    ip dhcp excluded-address 192.168.1.6
    ip dhcp excluded-address 192.168.1.7
    ip dhcp excluded-address 192.168.1.8
    ip dhcp excluded-address 192.168.1.9
    ip dhcp excluded-address 192.168.1.111
    ip dhcp pool myDhcp
       network 192.168.1.0 255.255.255.0
       dns-server 139.130.4.4 
       default-router 192.168.1.1 
    ip cef
    ip inspect name myfw http
    ip inspect name myfw https
    ip inspect name myfw pop3
    ip inspect name myfw esmtp
    ip inspect name myfw imap
    ip inspect name myfw ssh
    ip inspect name myfw dns
    ip inspect name myfw ftp
    ip inspect name myfw icmp
    ip inspect name myfw h323
    ip inspect name myfw udp
    ip inspect name myfw realaudio
    ip inspect name myfw tftp
    ip inspect name myfw vdolive
    ip inspect name myfw streamworks
    ip inspect name myfw rcmd
    ip inspect name myfw isakmp
    ip inspect name myfw tcp
    ip name-server 139.130.4.4
    username ************************* privilege 15 password 0 *************************
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group HomeFull
     key *************************
     dns 8.8.8.8 8.8.8.4
     pool SDM_POOL_1
     include-local-lan
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group HomeFull
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 3
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec profile CiscoCP_Profile1
     set security-association idle-time 1740
     set transform-set ESP-3DES-SHA 
     set isakmp-profile ciscocp-ike-profile-1
    crypto ctcp port 10000 
    archive
     log config
      hidekeys
    interface Loopback10
     ip address 10.0.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     description TimsInternet
     ip flow ingress
     ip policy route-map VPN-Client
     pvc 8/35 
      encapsulation aal5mux ppp dialer
      dialer pool-member 3
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Virtual-Template3 type tunnel
     ip unnumbered Dialer3
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect myfw in
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     ip tcp adjust-mss 1372
     no ip mroute-cache
     hold-queue 100 out
    interface Dialer0
     no ip address
    interface Dialer3
     ip address negotiated
     ip access-group blockall in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression
     ip policy route-map VPN-Client
     no ip mroute-cache
     dialer pool 3
     dialer-group 1
     no cdp enable
     ppp chap hostname *************************@direct.telstra.net
     ppp chap password 0 *************************
    ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer3
    ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 101 interface Dialer3 overload
    ip access-list extended VPN-OUT
     permit ip 10.0.0.0 0.0.0.255 any
    ip access-list extended blockall
     remark CCP_ACL Category=17
     permit udp any any eq non500-isakmp
     permit udp any any eq isakmp
     permit esp any any
     permit ahp any any
     permit tcp any any eq 10000
     deny   ip any any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    route-map VPN-Client permit 10
     match ip address VPN-OUT
     set ip next-hop 10.0.0.2
    control-plane
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password cisco
    scheduler max-task-time 5000
    end
    Router#exit
    Connection closed by foreign host.

    Thanks for the response.
    Not sure how that would help as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client.  The policy route map makes the L10 the next hop and it has NAT.

  • No dialer command under ISDN BRI interface

    Hi all,
    I have a 2901 router voice bundle with 4 ISDN BRI ports and would like to have them bundled under Dialer1 interface. Unfortunately it doesn't give me option for Dialer command under BRI interface as expected. 
    router(config-if)#int bri0/0/0
    router(config-if)#dia
    router(config-if)#dia
                             ^
    % Invalid input detected at '^' marker.
    router(config-if)#dialer
                             ^
    % Invalid input detected at '^' marker.
    router(config-if)#
    I assume it's down to the UC license installed on the device but not sure. Does the ISDN BRI interface behave in different way under this license?
    Pasting portion of "show ver" as well.
    Cisco CISCO2901/K9 (revision 1.0) with 479232K/45056K bytes of memory.
    Processor board ID 
    2 Gigabit Ethernet interfaces
    4 ISDN Basic Rate interfaces
    1 terminal line
    DRAM configuration is 64 bits wide with parity enabled.
    255K bytes of non-volatile configuration memory.
    250880K bytes of ATA System CompactFlash 0 (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO2901/K9          
    Technology Package License Information for Module:'c2900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    uc            uck9          Permanent      uck9
    data          None          None           None
    Configuration register is 0x2102

    Hi,
              Snippet of "sh ver" with IOS version is below:
    router#show ver
    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Fri 13-Sep-13 14:59 by prod_rel_team
    ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
    router uptime is 2 days, 21 hours, 47 minutes
    System returned to ROM by reload at 16:48:03 UTC Mon Aug 18 2014
    System restarted at 16:50:01 UTC Mon Aug 18 2014
    System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M5.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    The output of trying to type dialer command is in the initial post, I'm also pasting all available commands under bri0/0/0.
    router(config-if)#int bri0/0/0
    router(config-if)#?
    Interface configuration commands:
      aaa                     Authentication, Authorization and Accounting.
      access-expression       Build a bridge boolean access expression
      arp                     Set arp type (arpa, probe, snap), timeout, log
                              options or packet priority
      authentication          Auth Manager Interface Configuration Commands
      autodetect              Autodetect Encapsulations on Serial interface
      bandwidth               Set bandwidth informational parameter
      bgp-policy              Apply policy propagated by bgp community string
      bridge-group            Transparent bridging interface parameters
      carrier-delay           Specify delay for interface transitions
      cdp                     CDP interface subcommands
      clns                    CLNS interface subcommands
      clock                   Configure serial interface clock
      cwmp                    Configure CPE WAN Management Protocol(CWMP) on this
                              interface
      dampening               Enable event dampening
      default                 Set a command to its defaults
      delay                   Specify interface throughput delay
      description             Interface specific description
      dot1q                   dot1q interface configuration commands
      dot1x                   Interface Config Commands for IEEE 802.1X
      down-when-looped        Force looped serial interface down
      encapsulation           Set encapsulation type for an interface
      ethernet                Ethernet interface parameters
      exit                    Exit from interface configuration mode
      flow-sampler            Attach flow sampler to the interface
      full-duplex             Configure full-duplex operational mode
      h323-gateway            Configure H323 Gateway
      half-duplex             Configure half-duplex and related commands
      help                    Description of the interactive help system
      history                 Interface history histograms - 60 second, 60 minute
                              and 72 hour
      hold-queue              Set hold queue depth
      ip                      Interface Internet Protocol config commands
      iphc-profile            Configure IPHC profile
      ipv6                    IPv6 interface subcommands
      isdn                    ISDN Interface configuration commands
      isis                    IS-IS commands
      iso-igrp                ISO-IGRP interface subcommands
      keepalive               Enable keepalive
      line-power              Provide power on the line.
      llc2                    LLC2 Interface Subcommands
      load-interval           Specify interval for load calculation for an
                              interface
      logging                 Configure logging for interface
      loopback                Configure internal loopback on an interface
      mab                     MAC Authentication Bypass Interface Config Commands
      mac-address             Manually set interface MAC address
      macro                   Command macro
      metadata                Metadata Application
      mop                     DEC MOP server commands
      mtu                     Set the interface Maximum Transmission Unit (MTU)
      netbios                 Use a defined NETBIOS access list or enable
                              name-caching
      network-clock-priority  Configure clock source priority
      no                      Negate a command or set its defaults
      ntp                     Configure NTP
      ospfv3                  OSPFv3 interface commands
      pulse-time              Force DTR low during resets
      rate-limit              Rate Limit
      redundancy              RG redundancy interface config
      routing                 Per-interface routing configuration
      sdllc                   Configure SDLC to LLC2 translation
      serial                  serial interface commands
      service-policy          Configure CPL Service Policy
      shutdown                Shutdown the selected interface
      smds                    Modify SMDS parameters
      snapshot                Configure snapshot support on the interface
      snmp                    Modify SNMP interface parameters
      source                  Get config from another source
      tarp                    TARP interface subcommands
      timeout                 Define timeout values for this interface
      topology                Configure routing topology on the interface
      transmit-interface      Assign a transmit interface to a receive-only
                              interface
      trunk-group             Configure interface to be in a trunk group
      tx-ring-limit           Configure PA level transmit ring limit
      vpdn                    Virtual Private Dialup Network
      vrf                     VPN Routing/Forwarding parameters on the interface
      waas                    WAN Optimization
    router(config-if)#

  • Cisco 877w -Configuration of subinterfaces and main interface within the same bridge group is not permitted

    Hi,
    I have another problem - after upgrading IOS, the wireless connection does not work.
    After reload I have:
    Configuration of subinterfaces and main interface
    within the same bridge group is not permitted
    STP: Unable to get the port parameters.
    Please configure the bridge group on this interface first.
    Please configure the bridge group on this interface first.
    Please configure the bridge group on this interface first.
    SETUP: new interface NVI0 placed in "shutdown" state
    My old configuration works properly in the old software, but after the update I have this notification.
    Old thread:
    https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
    my current sh run:
    version 12.4 
    no service pad 
    service tcp-keepalives-in 
    service tcp-keepalives-out 
    service timestamps debug datetime msec localtime 
    service timestamps log datetime msec localtime 
    service password-encryption 
    hostname cisco 
    boot-start-marker 
    boot system flash:c870-advipservicesk9-mz.124-24.T6.bin 
    boot-end-marker 
    logging message-counter syslog 
    logging buffered 4096 informational 
    enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s. 
    aaa new-model 
    aaa session-id common 
    dot11 syslog 
    dot11 ssid ciscowifi 
     vlan 1 
     authentication open 
     authentication key-management wpa 
     guest-mode 
     wpa-psk ascii 7 050D031D26595D0617 
    dot11 wpa handshake timeout 500 
    ip source-route 
    no ip dhcp use vrf connected 
    ip dhcp excluded-address 192.168.56.1 
    ip dhcp pool CLIENT 
       import all 
       network 192.168.56.0 255.255.255.0 
       default-router 192.168.56.1 
       dns-server 8.8.8.8 194.204.159.1 194.204.152.34 
       lease 0 2 
    ip cef 
    no ip domain lookup 
    no ipv6 cef 
    multilink bundle-name authenticated 
    username marek password 7 00121A0908500A 
    archive 
     log config 
      hidekeys 
    ip tcp path-mtu-discovery 
    bridge irb 
    interface ATM0 
     description Polaczenie ADSL do ISP$ES_WAN$ 
     no ip address 
     no atm ilmi-keepalive 
     pvc 0/35 
      encapsulation aal5mux ppp dialer 
      dialer pool-member 1 
     hold-queue 224 in 
    interface FastEthernet0 
     description Edzia 
    interface FastEthernet1 
     description dom 
    interface FastEthernet2 
     description Dziadek 
    interface FastEthernet3 
    interface Dot11Radio0 
     no ip address 
     no ip redirects 
     ip local-proxy-arp 
     ip nat inside 
     ip virtual-reassembly 
     no dot11 extension aironet 
     encryption vlan 1 mode ciphers tkip 
     encryption mode ciphers aes-ccm tkip 
     broadcast-key change 3600 
     ssid ciscowifi 
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 
     station-role root 
     world-mode dot11d country AU indoor 
     no cdp enable 
     bridge-group 1 
     bridge-group 1 subscriber-loop-control 
     bridge-group 1 spanning-disabled 
     bridge-group 1 block-unknown-source 
     no bridge-group 1 source-learning 
     no bridge-group 1 unicast-flooding 
    interface Dot11Radio0.1 
     description ciscowifi 
     encapsulation dot1Q 1 native 
     no cdp enable 
    interface Vlan1 
     no ip address 
     bridge-group 1 
    interface Dialer0 
     description Interfejs dzwoniacy 
     ip address negotiated 
     ip nat outside 
     ip virtual-reassembly 
     encapsulation ppp 
     dialer pool 1 
     dialer-group 1 
     ppp chap hostname [email protected] 
     ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx 
    interface BVI1 
     description Polaczenie dla sieci LAN 
     ip address 192.168.56.1 255.255.255.0 
     ip nat inside 
     ip virtual-reassembly 
    no ip forward-protocol nd 
    ip route 0.0.0.0 0.0.0.0 Dialer0 
    no ip http server 
    no ip http secure-server 
    ip nat inside source list 100 interface Dialer0 overload 
    ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80 
    ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22 
    logging trap debugging 
    logging 192.168.56.10 
    access-list 100 permit ip 192.168.56.0 0.0.0.255 any 
    access-list 100 deny   ip any any 
    no cdp run 
    snmp-server community ciskacz RO 
    snmp-server chassis-id ciskacz 
    control-plane 
    bridge 1 protocol ieee 
    bridge 1 route ip 
    line con 0 
     no modem enable 
    line aux 0 
    line vty 0 4 
     exec-timeout 0 0 
     transport preferred ssh 
     transport input ssh 
    scheduler max-task-time 5000 
    end 
    please help - thanks!

    Hello Marek,
    I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
    In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
    1. Remove the Dot11Radio0.1 subinterface entirely
    2. In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
    3. In the dot11 ssid ciscowifi section, remove the vlan 1 command
    After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
    Best regards,
    Peter
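
The removal steps from the reply above written out as an IOS configuration session; this is an added example, not part of the original thread. Interface, SSID and cipher names are taken from the posted running-config, and the closing show commands are an added verification step.

```cisco
! Added example: apply the three removal steps in order, then verify.
configure terminal
! 1. Remove the Dot11Radio0.1 subinterface entirely
no interface Dot11Radio0.1
! 2. Remove the per-VLAN cipher line from the main radio interface
interface Dot11Radio0
 no encryption vlan 1 mode ciphers tkip
 exit
! 3. Remove the VLAN mapping from the SSID definition
dot11 ssid ciscowifi
 no vlan 1
 exit
! Re-enter these only if the removals above dropped them from Dot11Radio0
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid ciscowifi
 end
! Confirm the radio still carries the SSID and cipher, and the SSID has no vlan line
show running-config interface Dot11Radio0
show running-config | begin dot11 ssid
```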

  • Problem: Interface Dot11Radio0 is reset

    Please, I urgently need your help; I have already configured almost every possibility and cannot find the problem with Dot11Radio0 is reset, line protocol is down
       aaa new-model
    aaa authentication fail-message ^CCCCCCCC!!!!!!!Fallo en login. Cinco fallas consecutivas revoca su usuario !!!!!!^C
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa session-id common
    dot11 ssid vlan9001
       vlan 901
       authentication open
       infrastructure-ssid
    username Cisco password 7 123A0C041104
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid vlan9001
    antenna gain 10
    speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0
    station-role non-root
    infrastructure-client
    interface Dot11Radio0.304
    encapsulation dot1Q 304
    no ip route-cache
    no snmp trap link-status
    bridge-group 2
    bridge-group 2 spanning-disabled
    interface Dot11Radio0.901
    encapsulation dot1Q 901 native
    no ip route-cache
    no snmp trap link-status
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    hold-queue 80 in
    interface FastEthernet0.304
    encapsulation dot1Q 304
    no ip route-cache
    no snmp trap link-status
    bridge-group 2
    bridge-group 2 spanning-disabled
    interface FastEthernet0.901
    encapsulation dot1Q 901 native
    no ip route-cache
    no snmp trap link-status
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.41.74.193 255.255.255.0
    no ip route-cache
    ip default-gateway 10.41.74.254
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee

    Configuration of the ROOT, but the problem is the non-root.
    dot11 ssid vlan9001
       vlan 901
       authentication open
       infrastructure-ssid
    username Cisco password 7 047802150C2E
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid vlan9001
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel least-congested 2412 2422 2462
    station-role root
    infrastructure-client
    interface Dot11Radio0.304
    encapsulation dot1Q 304
    no ip route-cache
    bridge-group 2
    interface Dot11Radio0.901
    encapsulation dot1Q 901 native
    no ip route-cache
    bridge-group 1
    interface FastEthernet0
    no ip address
    no ip route-cache
    hold-queue 80 in
    interface FastEthernet0.304
    encapsulation dot1Q 304
    no ip route-cache
    bridge-group 2
    interface FastEthernet0.901
    encapsulation dot1Q 901 native
    no ip route-cache
    bridge-group 1
    interface BVI1
    ip address 10.41.74.194 255.255.255.0
    no ip route-cache
    ip default-gateway 10.41.74.254

  • How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory

    I have a Win2008 server set up as a radius server (192.168.32.71) and a stand-alone AP (192.168.201.9). The AP config is below:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$IdUV$UvE2IJTNzHX6mW6Mmh3At0
    ip subnet-zero
    ip domain name TKGCORP.local
    ip name-server 192.168.32.71
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa group server radius rad_eap1
    server 192.168.201.9 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login eap_methods1 group rad_eap1
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 ssid ka_test
       vlan 201
       authentication open eap eap_methods1
       authentication network-eap eap_methods1
       guest-mode
    power inline negotiation prestandard source
    username Cisco password 7 112A1016141D
    username tkgadmin privilege 15 password 7 022D167B06551D60
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 201 mode ciphers aes-ccm tkip
    encryption key 1 size 128bit 7 673B0AA56FCB4E630D8E4856427E transmit-key
    encryption mode wep mandatory
    broadcast-key change 150
    ssid ka_test
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.201
    encapsulation dot1Q 201
    no ip route-cache
    bridge-group 201
    bridge-group 201 subscriber-loop-control
    bridge-group 201 block-unknown-source
    no bridge-group 201 source-learning
    no bridge-group 201 unicast-flooding
    bridge-group 201 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption key 1 size 128bit 7 B711059074E30B1E1D4E3EC038BB transmit-key
    encryption mode wep mandatory
    broadcast-key change 150
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface FastEthernet0.201
    encapsulation dot1Q 201
    no ip route-cache
    bridge-group 201
    no bridge-group 201 source-learning
    bridge-group 201 spanning-disabled
    interface BVI1
    ip address 192.168.201.9 255.255.255.0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication eapfast
      no authentication mac
      nas 192.168.201.9 key 7 010703174F
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 0835495D1D
    radius-server host 192.168.201.9 auth-port 1812 acct-port 1813 key 7 0010161510
    radius-server vsa send accounting
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

    Sorry for the late reply Steve. The link you provided was extremely helpful. Here is what my config looks like now:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$7vHS$YWCMbrlAgDUayKlOHhMlF1
    ip subnet-zero
    ip domain name TKGCORP.local
    ip name-server 192.168.32.71
    aaa new-model
    aaa group server radius rad_eap
    server 192.168.32.71 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 ssid wap_test
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       guest-mode
       infrastructure-ssid optional
    power inline negotiation prestandard source
    username Cisco password 7 047802150C2E
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid wap_test
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface BVI1
    ip address 192.168.201.9 255.255.255.0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
    radius-server vsa send accounting
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    I get a login screen but it will not let me connect. On my radius server I have it set to allow a group that my username is in. Here are some debugs from when I try to connect to the AP:
    ap#debug aaa  authentication
    AAA Authentication debugging is on
    ap#
    *Mar  2 01:11:53.284: AAA/BIND(00000006): Bind i/f 
    *Mar  2 01:11:53.355: AAA/AUTHEN/PPP (00000006): Pick method list 'eap_methods'
    *Mar  2 01:11:54.556: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
    *Mar  2 01:11:55.280: AAA/BIND(00000007): Bind i/f 
    *Mar  2 01:11:55.404: AAA/AUTHEN/PPP (00000007): Pick method list 'eap_methods'
    *Mar  2 01:11:56.349: AAA/BIND(00000008): Bind i/f 
    *Mar  2 01:11:56.525: AAA/AUTHEN/PPP (00000008): Pick method list 'eap_methods'
    *Mar  2 01:11:57.300: AAA/BIND(00000009): Bind i/f 
    *Mar  2 01:11:58.070: AAA/BIND(0000000A): Bind i/f 
    *Mar  2 01:11:58.812: AAA/BIND(0000000B): Bind i/f 
    *Mar  2 01:12:15.470: AAA/AUTHEN/PPP (0000000B): Pick method list 'eap_methods'
    *Mar  2 01:12:15.492: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
    ap#undebug all
    All possible debugging has been turned off

  • Problem with VPN client on Cisco 1801

    Hi,
    I have configured a new router for a customer.
    All works fine but I have a strange issue with the VPN client.
    When I start the VPN, the client doesn't close the connection: it asks for the password, starts to negotiate the security policy, then shows the not connected status.
    This is the log from the VPN client:
    Cisco Systems VPN Client Version 5.0.07.0290
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.1.7601 Service Pack 1
    Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
    1      14:37:59.133  04/08/13  Sev=Info/6          GUI/0x63B00011
    Reloaded the Certificates in all Certificate Stores successfully.
    2      14:38:01.321  04/08/13  Sev=Info/4          CM/0x63100002
    Begin connection process
    3      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100004
    Establish secure connection
    4      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100024
    Attempt connection with server "asgardvpn.dyndns.info"
    5      14:38:02.380  04/08/13  Sev=Info/6          IKE/0x6300003B
    Attempting to establish a connection with 79.52.36.120.
    6      14:38:02.384  04/08/13  Sev=Info/4          IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    7      14:38:02.388  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
    8      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700008
    IPSec driver successfully started
    9      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    10     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x6300002F
    Received ISAKMP packet: peer = 79.52.36.120
    11     14:38:02.460  04/08/13  Sev=Info/4          IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
    12     14:38:02.506  04/08/13  Sev=Info/6          GUI/0x63B00012
    Authentication request attributes is 6h.
    13     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    14     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports DPD
    15     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports DWR Code and DWR Text
    16     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports XAUTH
    17     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports NAT-T
    18     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000001
    IOS Vendor ID Contruction successful
    19     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
    20     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    21     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000083
    IKE Port in use - Local Port =  0xCEFD, Remote Port = 0x1194
    22     14:38:02.465  04/08/13  Sev=Info/5          IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    23     14:38:02.465  04/08/13  Sev=Info/4          CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    24     14:38:02.502  04/08/13  Sev=Info/5          IKE/0x6300002F
    Received ISAKMP packet: peer = 79.52.36.120
    25     14:38:02.502  04/08/13  Sev=Info/4          IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
    26     14:38:02.502  04/08/13  Sev=Info/4          CM/0x63100015
    Launch xAuth application
    27     14:38:07.623  04/08/13  Sev=Info/4          CM/0x63100017
    xAuth application returned
    28     14:38:07.623  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
    29     14:38:12.656  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    30     14:38:22.808  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    31     14:38:32.949  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    32     14:38:43.089  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    33     14:38:53.230  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    34     14:39:03.371  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    35     14:39:13.514  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    36     14:39:23.652  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    37     14:39:33.807  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    38     14:39:43.948  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    39     14:39:54.088  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    40     14:40:04.233  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    41     14:40:14.384  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    42     14:40:24.510  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    43     14:40:34.666  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    44     14:40:44.807  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    45     14:40:54.947  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    46     14:41:05.090  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    47     14:41:15.230  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    48     14:41:25.370  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    49     14:41:35.524  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    50     14:41:45.665  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    51     14:41:55.805  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    52     14:42:05.951  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    53     14:42:16.089  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    54     14:42:26.228  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    55     14:42:36.383  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    56     14:42:46.523  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    57     14:42:56.664  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    58     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
    59     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
    60     14:43:03.248  04/08/13  Sev=Info/4          IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
    61     14:43:03.248  04/08/13  Sev=Info/4          CM/0x63100014
    Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
    62     14:43:03.248  04/08/13  Sev=Info/5          CM/0x63100025
    Initializing CVPNDrv
    63     14:43:03.262  04/08/13  Sev=Info/6          CM/0x63100046
    Set tunnel established flag in registry to 0.
    64     14:43:03.262  04/08/13  Sev=Info/4          IKE/0x63000001
    IKE received signal to terminate VPN connection
    65     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    66     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    67     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    68     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x6370000A
    IPSec driver successfully stopped
    And this is the conf from the 1801:
    hostname xxx
    boot-start-marker
    boot-end-marker
    enable secret 5 xxx
    aaa new-model
    aaa authentication login xauthlist local
    aaa authorization network groupauthor local
    aaa session-id common
    dot11 syslog
    no ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.1.1 10.0.1.10
    ip dhcp excluded-address 10.0.1.60 10.0.1.200
    ip dhcp excluded-address 10.0.1.225
    ip dhcp excluded-address 10.0.1.250
    ip dhcp pool LAN
       network 10.0.1.0 255.255.255.0
       default-router 10.0.1.10
       dns-server 10.0.1.200 8.8.8.8
       domain-name xxx
       lease infinite
    ip name-server 10.0.1.200
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip inspect log drop-pkt
    ip inspect name Firewall cuseeme
    ip inspect name Firewall dns
    ip inspect name Firewall ftp
    ip inspect name Firewall h323
    ip inspect name Firewall icmp
    ip inspect name Firewall imap
    ip inspect name Firewall pop3
    ip inspect name Firewall rcmd
    ip inspect name Firewall realaudio
    ip inspect name Firewall rtsp
    ip inspect name Firewall esmtp
    ip inspect name Firewall sqlnet
    ip inspect name Firewall streamworks
    ip inspect name Firewall tftp
    ip inspect name Firewall vdolive
    ip inspect name Firewall udp
    ip inspect name Firewall tcp
    ip inspect name Firewall https
    ip inspect name Firewall http
    multilink bundle-name authenticated
    username xxx password 0 xxxx
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2 
    crypto isakmp client configuration group xxx
    key xxx
    dns 10.0.1.200
    wins 10.0.1.200
    domain xxx
    pool ippool
    acl 101 
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive  
    log config
      hidekeys
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode adsl2+
    hold-queue 224 in
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    ip address 10.0.1.10 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp pap sent-username aliceadsl password 0 aliceadsl
    crypto map clientmap
    ip local pool ippool 10.16.20.1 10.16.20.200
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 10.0.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
    ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
    ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
    ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
    ip nat inside source list 101 interface Dialer0 overload
    access-list 101 remark *** ACL nonat ***
    access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    access-list 101 permit ip 10.0.1.0 0.0.0.255 any
    access-list 150 remark *** ACL split tunnel ***
    access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    password xxx
    scheduler max-task-time 5000
    end 
    Can anyone help me?
    Sometimes the VPN can be created using the iPhone or iPad VPN client...
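A cross-check that can be run over a configuration like the 1801 one above, added here as an example and not part of the original post: it lists AAA method-list names that are referenced (by `crypto map ... client authentication list`, `isakmp authorization list`, the `dot11 ssid` EAP lines or `login authentication`) but never defined, and names that are defined but never referenced. Both samples are excerpts of configurations posted on this page; the function name `audit_method_lists` is hypothetical, and the check only compares names.

```python
import re

# Excerpt of the AAA and crypto map lines from the 1801 configuration posted above.
SAMPLE_1801 = """\
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
aaa session-id common
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
"""

# Excerpt of the AAA and SSID lines from the second access point configuration on this page.
SAMPLE_AP = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.32.71 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
dot11 ssid wap_test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
"""

# "aaa <kind> <service> <list-name> <method...>" defines a method list.
DEFINITION = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+) (\S+) \S"
)

# Commands that point at a method list, with the (kind, service) they expect.
REFERENCES = [
    (re.compile(r"^crypto map \S+ client authentication list (\S+)"),
     ("authentication", "login")),
    (re.compile(r"^crypto map \S+ isakmp authorization list (\S+)"),
     ("authorization", "network")),
    (re.compile(r"^authentication open eap (\S+)"),
     ("authentication", "login")),
    (re.compile(r"^authentication network-eap (\S+)"),
     ("authentication", "login")),
    (re.compile(r"^login authentication (\S+)"),
     ("authentication", "login")),
]


def audit_method_lists(config_text):
    """Return (undefined_references, unused_definitions) for an IOS config.

    undefined_references: list of (line_no, kind, service, name, line)
    unused_definitions:   sorted list of (kind, service, name)
    The implicit list name "default" is ignored in both directions.
    """
    defined = set()
    referenced = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        match = DEFINITION.match(line)
        if match:
            defined.add(match.groups())
            continue
        for pattern, (kind, service) in REFERENCES:
            match = pattern.match(line)
            if match:
                referenced.append((line_no, kind, service, match.group(1), line))
                break

    undefined = [
        ref for ref in referenced
        if ref[3] != "default" and (ref[1], ref[2], ref[3]) not in defined
    ]
    used = {(kind, service, name) for _, kind, service, name, _ in referenced}
    unused = sorted(d for d in defined if d[2] != "default" and d not in used)
    return undefined, unused


if __name__ == "__main__":
    for label, text in (("1801", SAMPLE_1801), ("AP", SAMPLE_AP)):
        undefined, unused = audit_method_lists(text)
        for line_no, kind, service, name, line in undefined:
            print(f"{label}: line {line_no}: {kind} {service} list "
                  f"'{name}' is referenced but not defined: {line}")
        for kind, service, name in unused:
            print(f"{label}: {kind} {service} list '{name}' is defined but not referenced")
```

On the 1801 excerpt it reports `userauthen` as referenced by the crypto map but not defined, and `xauthlist` as defined but not referenced.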

    I am having a similar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
    3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
    regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
    HELP?

  • Lan connectivity Issue on autonomous AP with throttles

    Hello,
    I encounter a strange problem on several AP 1242 in version 12.4(25d)JA1 of a customer:
    He has 10 autonomous APs covering a factory and is using them for laptop connectivity and TOIP with mainly 7921 Cisco Wifi Phones.
    The phones are configured to use only 802.11a.
    The APs lose LAN connectivity randomly and therefore the clients don't work anymore.
    The APs are connected on a 2960 and a 3560 which are in turn connected on a 3750 which routes the traffic.
    After checking spanning-tree, no loops are present.
    When I check the counters on the AP involved I see the "throttles" and "ignored" counters incrementing on the fa0 link of the impacted AP, which I think means it can't handle the incoming traffic. This incoming traffic does not seem to be too big, however. I can see drops on the switch interface connecting the AP.
    There is a lot of roaming on the AP due to people walking in the factory with their wifi phones.
    Here is a view of the fa0 counters :
    AP1242-LOGIST#sh int fa0
    FastEthernet0 is up, line protocol is up
      Hardware is PowerPCElvis Ethernet, address is 001d.a1ce.26e2 (bia 001d.a1ce.26e2)
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Full-duplex, 100Mb/s, MII
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/160/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 81000 bits/sec, 53 packets/sec
      5 minute output rate 29000 bits/sec, 26 packets/sec
         7447113 packets input, 674891974 bytes
         Received 286839 broadcasts, 0 runts, 0 giants, 549631 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 549631 ignored
         0 watchdog
         0 input packets with dribble condition detected
         4422100 packets output, 609868806 bytes, 0 underruns
         0 output errors, 0 collisions, 4 interface resets
         1 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Here is a small part of the logs concerning roaming. I don't see errors or logs indicating that something is wrong, nor in the switches' logs:
    Jun  6 12:57:27.007: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP001E4A3EE15D 001e.4a3e.e15d Associated KEY_MGMT[WPAv2 PSK]
    Jun  6 12:57:42.499: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
    Jun  6 12:58:02.620: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
    Jun  6 12:58:03.653: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
    Jun  6 12:59:15.564: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
    Jun  6 12:59:15.564: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
    Jun  6 12:59:41.905: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 442b.0355.ab28 Reason: Previous authentication no longer valid
    Jun  6 12:59:54.728: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP442B0355AB28 442b.0355.ab28 Associated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:01:12.541: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:02:35.841: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001e.4a3e.d875 Reason: Previous authentication no longer valid
    Jun  6 13:02:36.489: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   ec85.2f7c.c837 Associated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:03:29.256: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
    Jun  6 13:03:29.256: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
    Jun  6 13:04:32.754: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP001E4A3ED875 001e.4a3e.d875 Associated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:06:47.858: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001e.4a3e.e15d Reason: Previous authentication no longer valid
    Jun  6 13:07:18.107: %DOT11-6-ROAMED: Station 001f.6c7a.5101 Roamed to 001d.a2bb.15b0
    Jun  6 13:07:18.107: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001f.6c7a.5101 Reason: Sending station has left the BSS
    Jun  6 13:07:38.109: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:07:42.031: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
    Jun  6 13:07:42.031: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
    Jun  6 13:07:46.489: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP001F6C7A5101 001f.6c7a.5101 Reassociated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:08:27.712: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:08:44.502: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
    Jun  6 13:08:44.572: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Associated KEY_MGMT[WPAv2 PSK]
    Jun  6 13:08:56.778: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
    Jun  6 13:08:56.779: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
    Jun  6 13:09:17.874: %DOT11-6-ROAMED: Station 001f.6c7a.5101 Roamed to 003a.9a92.8d70
    Jun  6 13:09:17.874: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001f.6c7a.5101 Reason: Sending station has left the BSS
    The APs are configured as follows:
    Current configuration : 5184 bytes
    ! No configuration change since last restart
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP1242-LOGIST
    logging rate-limit console 9
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock timezone gmt+1 1
    clock summer-time gmt recurring last Sun Mar 2:00 last Sun Oct 3:00
    dot11 syslog
    dot11 vlan-name Data vlan 11
    dot11 vlan-name Voix vlan 14
    dot11 vlan-name Webguest vlan 5
    dot11 ssid WLAN_data
       vlan 11
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 10600C0E261B173C252203797479633F371A29
    dot11 ssid WLAN_voice
       vlan 14
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 080F49592A1500203B2D25567A7A7622263C0C
    dot11 ssid Webguest
       vlan 5
       authentication open
       mbssid guest-mode
    dot11 wpa handshake timeout 1000
    dot11 arp-cache
    dot11 priority-map avvid
    dot11 phone
    power inline negotiation prestandard source
    class-map match-all _class_voice0
    match ip dscp ef
    class-map match-all _class_voice1
    match ip dscp cs3
    policy-map voice
    class _class_voice0
      set cos 6
    class _class_voice1
      set cos 3
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 11 mode ciphers aes-ccm
    encryption vlan 14 mode ciphers aes-ccm
    ssid WLAN_data
    ssid WLAN_voice
    ssid Webguest
    mbssid
    power client 17
    channel 2472
    station-role root
    dot11 qos class voice local
        admission-control
        admit-traffic narrowband max-channel 75 roam-channel 6
    dot11 qos class voice cell
        admission-control
    no cdp enable
    infrastructure-client
    interface Dot11Radio0.5
    encapsulation dot1Q 5
    no ip route-cache
    no cdp enable
    bridge-group 5
    bridge-group 5 subscriber-loop-control
    bridge-group 5 block-unknown-source
    no bridge-group 5 source-learning
    no bridge-group 5 unicast-flooding
    bridge-group 5 spanning-disabled
    interface Dot11Radio0.11
    encapsulation dot1Q 11
    no ip route-cache
    no cdp enable
    bridge-group 11
    bridge-group 11 subscriber-loop-control
    bridge-group 11 block-unknown-source
    no bridge-group 11 source-learning
    no bridge-group 11 unicast-flooding
    bridge-group 11 spanning-disabled
    interface Dot11Radio0.14
    encapsulation dot1Q 14
    no ip route-cache
    no cdp enable
    bridge-group 14
    bridge-group 14 subscriber-loop-control
    bridge-group 14 block-unknown-source
    no bridge-group 14 source-learning
    no bridge-group 14 unicast-flooding
    bridge-group 14 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption vlan 11 mode ciphers aes-ccm
    encryption vlan 14 mode ciphers aes-ccm
    ssid WLAN_data
    ssid WLAN_voice
    ssid Webguest
    no dfs band block
    mbssid
    channel dfs
    station-role root
    interface Dot11Radio1.5
    encapsulation dot1Q 5
    no ip route-cache
    no cdp enable
    bridge-group 5
    bridge-group 5 subscriber-loop-control
    bridge-group 5 block-unknown-source
    no bridge-group 5 source-learning
    no bridge-group 5 unicast-flooding
    bridge-group 5 spanning-disabled
    interface Dot11Radio1.11
    encapsulation dot1Q 11
    no ip route-cache
    no cdp enable
    bridge-group 11
    bridge-group 11 subscriber-loop-control
    bridge-group 11 block-unknown-source
    no bridge-group 11 source-learning
    no bridge-group 11 unicast-flooding
    bridge-group 11 spanning-disabled
    interface Dot11Radio1.14
    encapsulation dot1Q 14
    no ip route-cache
    no cdp enable
    bridge-group 14
    bridge-group 14 subscriber-loop-control
    bridge-group 14 block-unknown-source
    no bridge-group 14 source-learning
    no bridge-group 14 unicast-flooding
    bridge-group 14 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    speed 100
    full-duplex
    no cdp enable
    hold-queue 160 in
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    no cdp enable
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.5
    encapsulation dot1Q 5
    no ip route-cache
    no cdp enable
    bridge-group 5
    no bridge-group 5 source-learning
    bridge-group 5 spanning-disabled
    interface FastEthernet0.11
    encapsulation dot1Q 11
    no ip route-cache
    no cdp enable
    bridge-group 11
    no bridge-group 11 source-learning
    bridge-group 11 spanning-disabled
    interface FastEthernet0.14
    encapsulation dot1Q 14
    no ip route-cache
    no cdp enable
    bridge-group 14
    no bridge-group 14 source-learning
    bridge-group 14 spanning-disabled
    service-policy input voice
    service-policy output voice
    interface BVI1
    ip address 10.17.10.5 255.255.255.0
    no ip route-cache
    ip default-gateway 10.17.10.254
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    logging trap warnings
    logging 10.15.51.115
    no cdp run
    bridge 1 route ip
    line con 0
    line vty 0 4
    sntp server 10.15.1.50
    sntp broadcast client
    end
    Has anyone ever experienced a similar problem?
    When I shut the radio interfaces there are no more problems on the LAN. Can this be an overlapping coverage issue?
    Can someone please give me advice on how to troubleshoot this issue?
    Thank you in advance as I'm a bit stuck.
    Best Regards,
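A way to read the receive-side counters in the `sh int fa0` output above, added here as an example and not part of the original post: it separates drops at the input hold queue (the `drops` field of `Input queue: size/max/drops/flushes`, bounded by `hold-queue N in`) from `ignored` and `throttles`, which Cisco's counter descriptions tie to the interface hardware running low on internal buffers and to the receiver being disabled under buffer or processor overload. The sample keeps only the parsed lines of that output; the names `parse_input_counters` and `assess`, and the finding codes, are hypothetical.

```python
import re
from dataclasses import dataclass

# Lines copied from the "sh int fa0" output posted above (only the fields parsed here).
SAMPLE_FA0 = """\
FastEthernet0 is up, line protocol is up
  Input queue: 0/160/0/0 (size/max/drops/flushes); Total output drops: 0
     7447113 packets input, 674891974 bytes
     Received 286839 broadcasts, 0 runts, 0 giants, 549631 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 549631 ignored
"""


@dataclass
class InputCounters:
    interface: str
    queue_max: int      # configured input hold-queue depth
    queue_drops: int    # packets dropped because the input hold queue was full
    packets_in: int
    throttles: int
    overrun: int
    ignored: int


PATTERNS = {
    "interface": r"^(\S+) is (?:administratively )?(?:up|down)",
    "queue": r"Input queue: \d+/(\d+)/(\d+)/\d+",
    "packets_in": r"(\d+) packets input",
    "throttles": r"(\d+) throttles",
    "overrun": r"(\d+) overrun",
    "ignored": r"(\d+) ignored",
}


def parse_input_counters(text):
    """Extract the receive-side counters from one 'show interface' block."""
    found = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"field not found in show interface output: {key}")
        found[key] = match.groups()
    return InputCounters(
        interface=found["interface"][0],
        queue_max=int(found["queue"][0]),
        queue_drops=int(found["queue"][1]),
        packets_in=int(found["packets_in"][0]),
        throttles=int(found["throttles"][0]),
        overrun=int(found["overrun"][0]),
        ignored=int(found["ignored"][0]),
    )


def assess(c):
    """Return a list of (code, detail) findings for one counter snapshot."""
    findings = []
    if c.queue_drops:
        findings.append(("HOLD_QUEUE_OVERFLOW",
                         f"{c.queue_drops} drops at the input hold queue (max {c.queue_max})"))
    if c.ignored:
        pct = 100.0 * c.ignored / c.packets_in if c.packets_in else 0.0
        findings.append(("HW_BUFFER_IGNORED",
                         f"{c.ignored} ignored, {pct:.2f} per 100 packets input"))
    if c.throttles:
        findings.append(("RX_THROTTLED", f"receiver disabled {c.throttles} times"))
    if c.overrun:
        findings.append(("RX_OVERRUN", f"{c.overrun} overruns"))
    # Loss is counted before the hold queue: its depth was never the limit.
    if (c.ignored or c.throttles) and not c.queue_drops:
        findings.append(("HOLD_QUEUE_NOT_LIMITING",
                         f"0 drops against a hold queue of {c.queue_max}"))
    return findings


if __name__ == "__main__":
    counters = parse_input_counters(SAMPLE_FA0)
    for code, detail in assess(counters):
        print(f"{counters.interface}: {code}: {detail}")
```

Because the counters in the post were never cleared, the figures are totals since boot; comparing two snapshots taken a known interval apart shows whether they are still incrementing.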

    Hi Scott,
    Thanks for your reply.
    Do you think this can be the origin of the issue my customer encounters, or is it only to be standard? As this change will have to be made on all clients, if there is a chance it solves the problem I will do it ASAP; if not, I will delay it to a less busy period :-)
    Can the constant roaming associations and disassociations overload the AP and make it stop responding on the LAN, or is it only a throughput problem?
    Thanks in advance for your answer.
    Best Regards,

  • Multiple SSIDs on a single VLAN

    I don't think it's possible, but I vaguely recall seeing a document stating that it is possible to have two SSIDs on a single VLAN.
    If so, can they also have two different authentication methods?

    Hi,
    Thank you very much. I got it right now. Anyway, I could broadcast only 1 SSID. I have tried “mbssid” but it did not work. I understand VLAN is needed for mbssid. Please let me know if you have any suggestions. The following is my configuration.
    ap#sh run
    Building configuration...
    Current configuration : 1471 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    no logging console
    enable secret 5 xxxxxxxxxx
    ip subnet-zero
    no aaa new-model
    dot11 ssid test1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 010703174F5A575D7218
    dot11 ssid test2
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 120D000406595D56797F
    username xxxxx password 7 xxxxxxxxxx
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid test1
    ssid test2
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 80 in
    interface BVI1
    ip address 192.168.2.171 255.255.255.0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    end
    Thanks again,
    Nitass
