Some clients not receiving SCEP definition updates

I have a collection for some of our application servers that is used in conjunction with an ADR to deploy the SCEP definition updates. 12 of the servers in this collection recently had the SCCM 2012 R2 client installed on them. (The collection has a total
of 23 servers in it)
I can see that these 12 servers have the Antimalware policy applied, but are not getting the SCEP updates. The summary for SCEP is: Service started without any malware protection engine; AV signatures out of date; AS signatures out
of date.
The policy application state is "Succeeded" with the recent date and time.
When I view the status of the deployment, the enforcement state is "Failed to install update(s) " with an error code of 0X87D00667 - No current or future service window exists to install software updates.
These servers are members of another collection that is used for deploying the Monthly updates. This "update" collection does have a maintenance window on it specific to software updates, with no recurrence schedule.
Do maintenance windows apply to the machine then, regardless of what collection they are in?
These 12 servers, for the Endpoint Protection client settings have the "Allow EP client installation and restarts outside MW" set to No, and the Suppress any required computer restarts after the EP client is installed set to Yes.
For the Software Updates client setting, the update scan schedule and deployment re-evaluation is set to every 7 days.
So, in looking at this, it appears that these servers will never get any SCEP updates because they are members of another collection that has a MW, even though the SCEP collection does not have a MW?
Is that correct?

I added a MW on the collection that is used for SCEP updates. I made the MW effective yesterday, but the MW hours were from 5:30am-7:30am daily (which should have started this morning, 1/30, at 5:30am).
In the updatesdeployment.log, I see the MW starting:
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event UpdatesDeploymentAgent 1/30/2015 5:30:00 AM 3004 (0x0BBC)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 1/30/2015 5:30:00 AM 3004 (0x0BBC)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event UpdatesDeploymentAgent 1/30/2015 7:30:00 AM 3312 (0x0CF0)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 1/30/2015 7:30:00 AM 3312 (0x0CF0)
Attempting to cancel any job started at non-business hours. UpdatesDeploymentAgent 1/30/2015 7:30:00 AM 3312 (0x0CF0)
However, the definitions are not installed. These 12 servers have the SCEP client, but no definitions installed.
There are 11 servers in this collection that are getting the definition updates, but the 12 servers in this collection that have recently had the SCCM client installed on it are not getting the updates. So I know that the ADR is working.
What am I missing to get these 12 servers to install/update the definitions?

Similar Messages

Client not receiving the software update FROM SCCM 2012 R2

We have SCCM 2012 R2 installed and configured for SUP.and i have synchonice the SUP with WSUS server in the same which is there in the same machine.
Now i can able to deploy the software update from SCCM 2012 R2 without any erro to the windows 7clients, but client side when i check there is no update installed in the clients , but seems there is no error in the client logs

Hi,
I'd start with running a "Software Updates Scan Cycle" from the configuration manager control panel applet and check the log file Windowsupdate.log, WUAhandler.log.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

SCEP definition update through Automate Deployment Rule

Hi all. Got a question on deploying SCEP 2012 definition updates to client PC through SCCM2012 R2 by using Automate Deployment Rule. It looks like the client PC is not receiving the definition updates immediately. The ADR seems working
fine, it completed the synchronization successfully, no error on "PatchDownloader.log" and "ruleengine.log"; deployment folder got filled up with new definition updates. However, the client is not receiving the new SCEP definition
updates immediately, although I've configured ADR to install the update as soon as possible, yet nothing happens for the past 2 hours. I ended up launch the SCEP console on the client PC and then click the "update" button manually, and this
launch the update process. I just wondering how much time we need to wait for the SCEP definition update to apply onto the client PC. Microsoft seems release 3 - 4 definition update per day, I am afraid we might not using the latest definition
update due to the time waiting issue. Thank you.

I've configured the polling interval to take place every 3 hours. I guess this contribute to the waiting time. I will keep an eye on it to see if the definition in deed installs automatically.
Yes that's one of the delay which is the major Contribution also there would be some delay for the updates when they are downloading and getting updated to the distribution points. You can check the 'Content Status' for that package to verify if it got updated.
Umair Khan
Microsoft Support Escalation Engineer
Blog: http://blogs.technet.com/umairkhan
Facebook:
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

SCEP definition updates for clients in DMZ via UNC is not working.

Hello,
I have configured SCEP definition updates via UNC method for my Win 8.1 clients in DMZ and its not working.
Script is properly associated with task scheduler and downloading definition to shared folder properly.
Even running the mpcmdrun.exe -SignatureUpdate, gives the below error:
C:\Program Files\Microsoft Security Client>mpcmdrun.exe -SignatureUpdate
Signature update started . . .
ERROR: Signature Update failed with hr=80070002
CmdTool: Failed with hr = 0x80070002.
MpCmdRun: Command Line: mpcmdrun.exe -SignatureUpdate
Start Time: ‎Sun ‎Jul ‎06 ‎2014 11:05:09
Start: MpSignatureUpdate()
Update started
Search Started (UNC share) (Path: \\sccm\SCEP_UNC_DEFS\Updates\x64)...
Search Completed
Download Started...
Download Completed
Installation Started...
Installation Completed
Update completed with hr: 0x80070002
ERROR: Signature Update failed with hr=80070002
MpCmdRun: End Time: ‎Sun ‎Jul ‎06 ‎2014 11:05:17

Hi,
Please check logs on the client to see whether there are any helpful information.(ScanAgent.log, Windowsupdate.log and UpdatesHandler.log)
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Some Clients Not Updating. Reporting "Compliant." hr=8007000E Error in WindowsUpdate.log

I have a significant number (but not all) of my SCCM 2012 R2 CU3 clients not updating though my SCCM software updates. On these problem clients, I get this error in WindowsUpdate.log:
"COMAPI WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E"
Then these machines report "Compliant" even though they don't install the updates. Almost all of our workstations are Windows 7 SP1 32bit. We are running SCCM 2012 R2 CU3. My site servers are running Windows 2008 R2.
I don't see much in WUAhandler.log or scanagent.log. These client are however, getting my SCEP definition updates just fine. (I have an ADR for those.) And when you go out to Microsoft for security updates it works. I have tried all of the usual Windows
Updates repair suggestions (re-register dlls, rename software distribution folder, etc.) And I tried un-installing and re-installing the SCCM client on a problem PC, to no avail. I also tried using a Software Update Group with fewer updates (<100) and targeting
a problem system with only that SUG, to no avail.
Any assistance would be greatly appreciated. Thank you.

Hi all,
One of the bigger nuissances of this particular bug is that it's hard to identify from a central location that you've fallen victim to it. Without spot-checking client machines you'd be none-the-wiser. This most likely results in a lot of shops out their
thar are completely unaware they have a security issue with a false sense of "fully patched" security.
I've create the following guidelines to identify whether you are indeed one of the victims.
create a script configuration item.
Select All Windows 7 32 bit as the supported platform
Use String as the data type
Choose powershell as your script language of choice
Paste the following text in the discovery script:select-string-pattern'GetWARNING:
ISusInternal::GetUpdateMetadata2 failed, hr=8007000E'-path"$env:windir\windowsupdate.log"
Add the configuration item to a Configuration baseline
Deploy the configuration baseline to All Windows 7 32bit machines
The report list of assets by compliance state for a given baseline is a good report to check the results.
!!!! Any machines reporting compliant to this baseline have a serious issue as they won't install any software updates, yet report compliant on all !!!!
Good luck
Hi, Does the configuration item need any kind of compliance rule setup to make it work?

SCEP definition updates for clients in DMZ

Hello,
I do want to enable SCEP definition updates for small group of clients in DMZ (apprx 30 -40)
I have created a separate AD OU and SCCM collection for such computers.
Google shows me different ways like using Definition Update Automation Tool, WSUS, scripts, shares etc, and I am quite confused for which way to adopt.
can any one suggest me which is the best automated way?
I do have SCCM 2012 sp1 and all win 8 cleints.
Thanks in Advance

You can use whathever method you prefer. All will most likely work. As there's already Configmgr in place I'd use it to do this job. ADRs (automatic deployment rules) can be used to automate this process.
Torsten Meringer | http://www.mssccmfaq.de

SCEP Definition update from Microsoft Malware Protection Center vs WindowsUpdate?

Hi,
SCEP Definition update from Microsoft Malware Protection Center vs WindowsUpdate? What is the different?
/SaiTech

If I remember correctly - definitions for A/V and NIS will be the same from either location. I think MMPC might give you the ability to download partial, not yet released definitions for added zero-day protection. I don't remember
if you have to be part of MAPS to get that benefit, sorry.
With the integration of WSUS with SCCM 2012, I've found that using updates distributed from ConfigMgr to be sufficient. I do have those other methods available, but at lower priorities so that remote users who don't VPN as often as they should, have
a fallback until we can get PKI/HTTPS or an Azure DP, or Direct Access.
Again, I'm not 100% sure, but I do know that getting updates from SCCM's built in WSUS (via Automatic Deployment Rules), has worked really well for us, and having those extra methods enabled in your policy definitely makes for some extra fallback options.

My ipad 1 is not receiving anymore software update

MY ipad 1 is not receiving anymore software update what will I do

IOS 5.1.1 is the highest it'll go.

Not receiving e-mail updates on my BB Z10 / OS 10

I'm not receiving e-mail updates today as of the beginning of the day (July 31).
I received a message saying ACCOUNT INFO NEEDED
"Your login information for POP server (pop3.live.com) has changed or is incorrect. Please check your account settings."
My internet service provider is Sympatico. How do I fix this problem?

Hello,
You need to go into Settings > Accounts and re-validate your email account credentials. If that fails, you could try removing and re-integrating the email account to the device.
Good luck!
Occam's Razor nearly always applies when troubleshooting technology issues!
If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
Join our BBM Channels
BSCF General Channel
PIN: C0001B7B4 Display/Scan Bar Code
Knowledge Base Updates
PIN: C0005A9AA Display/Scan Bar Code

SCEP Definition Updates not updating

Hi!
Our topology consists in one Head Quarter Office Server and 6 Branch Office Servers.
All systems are updated, except for the systems on one Branch Office.
I have checked step by step the blog http://blogs.msdn.com/b/scstr/archive/2012/05/31/how-to-scep-amp-settings-amp-automatic-deploymnet-rule.aspx
Its everything fine, but the systems persist not updated on that branch office.
When I checked the Content Status of FEP Definition Update Deployment Package, it has a status of "In Progress".
The target server does have enought disk space to receive the content, once I created a prestaged content file and it has about 600MB.
I removed that content location and then distributed again. How can I follow the logs of that distribution?
Any suggestion on checking this problem out?
Thanks in advance.
Fabio Martins MCDST/MCSA Brasil!!!

Hi,
What's the content status of the update package? In progress?
1.You could try to increase the number of Maximum threads per package in
Software distribution component properties under
Sites ->choose your site -> Configure site components -> Software Distribution.
Reference:Packages content status stuck on “in Progress” in SCCM 2012
http://silentcrash.com/2013/08/packages-content-status-stuck-on-in-progress-in-sccm-2012/
2.You could also try to cancel the package distribution, then prestage the content.
Reference:How to Stop in progress Package Content Distribution to a DP in SCCM 2012 R2
http://anoopcnair.com/2014/02/25/stop-progress-package-content-distribution-dp-sccm-2012-r2/
(Note: Microsoft provides third-party contact information to help you find technical support. This contact
information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.)
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

SCEP Definition Updates showing as 'not required'

I've seen this posted a couple of times by other people already, but in both cases there was never any response - so I'm trying again in the hope that somebody has seen it and figured it out now...
I have set-up and ADR for SCEP 2012 definition updates and it is fully working as expected.
However - if I do a Run Summarization on the Software Updates node, all the definition updates report 100% compliance BUT report back as 'not required' for all machines. Surely these should report as 'Installed'?
Other updates are correctly showing as 'Installed' - it's just the defs delivered through the ADR process that are wrong.

Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
Personally I never look at the console for numbers, I only look at the report, the console will always be behind. The report will always reflect the current situation.
Remember that SCEP SU are released 3 or 4 times a day, as soon as a new SU is released for SCEP the old SU will be no required. Since the console only get updated once every 24 hours, IMO it is easy to see why the number within the console will show as not
required.
Garth Jones | My blogs: Enhansoft and
Old Blog site | Twitter:
@GarthMJ

SCEP Definition Updates from WSUS

I am currently using ConfigMgr (SUP) for all update patching including SCEP definitions (the 3 times a day scenario) but I was wondering if I can configure the clients so they just get their SCEP definitions from a stand-alone WSUS yet continue to receive
all other updates from ConfigMgr (SUP)? I've been successful with pointing the clients to Microsoft Update, Microsoft Malware Protection Center and UNC file shares by changing the Definition Update Source using a custom Antimalware Policy but
I haven't figured out how to point the SCEP client to a WSUS server? There is a setting in the Antimalware policy to set the UNC path so I was expecting to see a setting to set the WSUS URL. It's hard for me to believe the SCEP client can't be independaly
re-directed to a local WSUS since you can configure the SCEP client it to go directly to Microsoft or the Protection Center which is basically the WSUS mothership.

I understand that. I just assumed that since I can change the Definition Update Source and pull the definitions down from "Updates distributed from Microsoft Update" or "Updates distributed from Microsoft Malware Protection Center"
or "Updates distributed from UNC file shares", all which worked fine for me providing the SCEP client (using WUA) can pull definitions down from a different source
while all other updates come down normally via the SUP/WSUS, that the "Updates distributed from WSUS" option would allow a separate WSUS to work as well.
Jason: You asked "What's your end goal or reason for wanting to have separate sources?"
I would rather not discuss this via the forum so feel free to contact me at
[email protected] and we can continue this conversation and update the thread at a later time.

SCEP definition updates trying to pull from the Internet - poor behaviour

Most of our clients do NOT have the ability to just head out to the internet to get things (via proxy or otherwise) and as such, I have configured my Malware policy to use "Updates distributed from Configuration Manager" ONLY
I do NOT want it trying to get updates from ANYWHERE ELSE.
Some aren't behaving. :(
I am seeing log entries that indicate that the client is trying to go out to the Internet to get the updates.
Here is a cycle of the machine's more recent attempt:
2014-01-27 19:51:43:096 3616 e38 Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0000) ===========
2014-01-27 19:51:43:096 3616 e38 Misc   = Process: c:\Program Files\Microsoft Security Client\MpCmdRun.exe
2014-01-27 19:51:43:096 3616 e38 Misc   = Module: C:\Windows\system32\wuapi.dll
2014-01-27 19:51:43:096 3616 e38 COMAPI -------------
2014-01-27 19:51:43:096 3616 e38 COMAPI -- START -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:51:43:096 3616 e38 COMAPI ---------
2014-01-27 19:51:43:096 3616 e38 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:51:43:096 1032 e7c Agent *************
2014-01-27 19:51:43:096 1032 e7c Agent ** START ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:51:43:096 1032 e7c Agent *********
2014-01-27 19:51:43:096 1032 e7c Agent   * Online = Yes; Ignore download priority = No
2014-01-27 19:51:43:112 1032 e7c Agent   * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2014-01-27 19:51:43:112 1032 e7c Agent   * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-01-27 19:51:43:112 1032 e7c Agent   * Search Scope = {Machine}
2014-01-27 19:51:43:112 1032 e7c Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-01-27 19:51:43:128 1032 e7c Misc Microsoft signed: Yes
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: DownloadFileInternal failed for
http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-01-27 19:54:40:358 1032 e7c Misc Microsoft signed: Yes
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: DownloadFileInternal failed for
http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-01-27 19:57:37:619 1032 e7c Misc Microsoft signed: Yes
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>.
error 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: DownloadFileInternal failed for
http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Agent WARNING: Failed to obtain the authorization cab URLs, hr=0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Agent   * WARNING: Online service registration/service ID resolution failed, hr=0x80072EE2
2014-01-27 19:59:10:891 1032 e7c Agent   * WARNING: Exit code = 0x80072EE2
2014-01-27 19:59:10:891 1032 e7c Agent *********
2014-01-27 19:59:10:891 1032 e7c Agent ** END ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:59:10:891 1032 e7c Agent *************
2014-01-27 19:59:10:891 1032 e7c Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2014-01-27 19:59:10:906 3616 458 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:59:10:922 3616 458 COMAPI   - Updates found = 0
2014-01-27 19:59:10:922 3616 458 COMAPI   - WARNING: Exit code = 0x00000000, Result code = 0x80072EE2
2014-01-27 19:59:10:922 3616 458 COMAPI ---------
2014-01-27 19:59:10:922 3616 458 COMAPI -- END -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:59:10:922 3616 458 COMAPI -------------
2014-01-27 19:59:10:922 3616 5d0 COMAPI WARNING: Operation failed due to earlier error, hr=80072EE2
2014-01-27 19:59:10:922 3616 5d0 COMAPI FATAL: Unable to complete asynchronous search. (hr=80072EE2)
2014-01-27 19:59:15:891 1032 e7c Report REPORT EVENT: {45AA9823-28E9-4632-92BE-AF48B4BB8710} 2014-01-27 19:59:10:891-0000 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 System Center
Endpoint Protecti Failure Software Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2014-01-27 19:59:15:969 1032 e7c Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2014-01-27 19:59:15:969 1032 e7c Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Unmanaged
2014-01-27 19:59:15:969 1032 e7c Report CWERReporter finishing event handling. (00000000)
Anyone have any suggestions? I don't want the machines to EVER try to go out to the internet when they are trying to update their SCEP defs.

Stop SCEP from downloading over the internet, uncheck the following locations:
1. SCFEP Def Deployment (ADR if you have one) -
Download Setting: If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Updates
2. Client Setting (Endpoint Protection) [check your priority if you have more than 1]
Disable Alternet Sources (such as Microsoft Windows Update, ....) for the inital definition update on client computers.
3. Asset and Compliance :Endpoint Protection, Antimalware Policies (check all that you have and priority)
Defintion Updates: If Configuration Manager is used as a source for definition update, clients will only update from alternate sources if definition is older than (hours) Set this to 720. This is the max, after this the machine will be forced
to pull from Microsoft to protect the machine.
http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

Clients not receiving DHCP IP address from HREAP centrally Switched Guest SSID

Hi All,
I am facing a problem in a newly deployed branch site where the Clients are not receiving DHCP IP address from a centrally switched Guest SSID. I see the client status is associated but the policy manager state is in DHCP_REQD.
The dhcp pool is configured on the controller itself. The local guest clients are able to get DHCP and all works fine, the issue is only with the clients in the remote site. The Hreap APs are in connected mode. Could you please suggest what could be the problem. Below is the out of the debug client.
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Adding mobile on LWAPP AP 3c:ce:73:6d:37:00(1)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Reassociation received from mobile on AP 3c:ce:73:6d:37:00
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'Guest-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific IPv6 override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying IPv6 Interface Policy for station 10:40:f3:91:7e:24 - vlan 81, interface id 13, interface 'vlan_81'
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 3c:ce:73:6d:37:00 vapId 17 apVapId 1
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 apfMsAssoStateInc
*apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Idle to Associated
*apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station: (callerId: 49) in 28800 seconds
*apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sending Assoc Response to station on BSSID 3c:ce:73:6d:37:00 (status 0) ApVapId 1 Slot 1
*apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfProcessAssocReq (apf_80211.c:4672) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Associated
*apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4183, Adding TMP rule
*apfReceiveTask: May 24 11:35:53.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 3c:ce:73:6d:37:00, slot 1, interface = 13, QOS = 3
ACL Id = 255, Jumbo F
*apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 IPv6 Vlan = 81, IPv6 intf id = 13
*apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sent an XID frame
*apfMsConnTask_3: May 24 13:26:49.401: 10:40:f3:91:7e:24 Updating AID for REAP AP Client 3c:ce:73:6d:37:00 - AID ===> 1
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*osapiBsnTimer: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
*apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Disassociated
*apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: May 24 13:29:09.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
*apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
*apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsAssoStateDec
*apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Disassociated to Idle
*apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [3c:ce:73:6d:37:00]
*apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Deleting mobile on AP 3c:ce:73:6d:37:00(1)
*pemReceiveTask: May 24 13:29:09.317: 10:40:f3:91:7e:24 0.0.0.0 Removed NPU entry.

#does the client at the remote site roams between AP that connects to different WLC?
#type 9 is not good.
*pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
#Does your dhcp server getting hits.
#Also, get debug dhcp message & packet.
#Dhcp server is not responding.
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.

Client not receive ip address - dhcp_reqd

Hi,
In my environment there's a 5508 (firmware 7.4.110.0) and ap 1600 with a ias radius server. All wlan are in flex-connect local switching, one client try to connect on a wlan but not receive ip address. After enabled debug aaa all i took the log corresponding :
Cisco Controller) >*emWeb: Feb 11 16:52:36.047: Created WARP Capabilities IE (length 12) for WLAN LAB
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 Adding mobile on LWAPP AP 00:3a:9a:77:55:a0(0)
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 Association received from mobile on BSSID 00:3a:9a:77:55:06
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 Rf profile 200 Clients are allowed to AP radio
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 Max Client Trap Threshold: 50 cur: 3
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 Rf profile 200 Clients are allowed to AP wlan
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 Re-applying interface policy for client
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_2: Feb 11 16:54:22.495: 18:3d:a2:25:01:a4 In processSsidIE:4264 setting Central switched to FALSE
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 Applying site-specific Local Bridging override for station 18:3d:a2:25:01:a4 - vapId 103, site 'Test', interface 'management'
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 Applying Local Bridging Interface Policy for station 18:3d:a2:25:01:a4 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 Applying site-specific override for station 18:3d:a2:25:01:a4 - vapId 103, site 'Test', interface 'management'
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 Re-applying interface policy for client
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 Processing WPA IE type 221, length 24 for mobile 18:3d:a2:25:01:a4
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 Setting active key cache index 8 ---> 8
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 unsetting PmkIdValidatedByAp
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_2: Feb 11 16:54:22.496: 18:3d:a2:25:01:a4 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:3a:9a:77:55:a0 vapId 103 apVapId 1for this client
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:3a:9a:77:55:a0 vapId 103 apVapId 1 flex-acl-name:
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 apfMsAssoStateInc
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 18:3d:a2:25:01:a4 on AP 00:3a:9a:77:55:a0 from Idle to Associated
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 apfPemAddUser2:session timeout forstation 18:3d:a2:25:01:a4 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 Sending Assoc Response to station on BSSID 00:3a:9a:77:55:a0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_2: Feb 11 16:54:22.497: 18:3d:a2:25:01:a4 apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 18:3d:a2:25:01:a4 on AP 00:3a:9a:77:55:a0 from Associated to Associated
*apfMsConnTask_2: Feb 11 16:54:22.506: 18:3d:a2:25:01:a4 Updating AID for REAP AP Client 00:3a:9a:77:55:a0 - AID ===> 4
*dot1xMsgTask: Feb 11 16:54:22.512: 18:3d:a2:25:01:a4 Station 18:3d:a2:25:01:a4 setting dot1x reauth timeout = 1800
*dot1xMsgTask: Feb 11 16:54:22.512: 18:3d:a2:25:01:a4 dot1x - moving mobile 18:3d:a2:25:01:a4 into Connecting state
*dot1xMsgTask: Feb 11 16:54:22.512: 18:3d:a2:25:01:a4 Sending EAP-Request/Identity to mobile 18:3d:a2:25:01:a4 (EAP Id 1)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.513: 18:3d:a2:25:01:a4 Received EAPOL START from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.513: 18:3d:a2:25:01:a4 dot1x - moving mobile 18:3d:a2:25:01:a4 into Connecting state
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.513: 18:3d:a2:25:01:a4 Sending EAP-Request/Identity to mobile 18:3d:a2:25:01:a4 (EAP Id 2)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.541: 18:3d:a2:25:01:a4 Received EAPOL EAPPKT from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.541: 18:3d:a2:25:01:a4 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.554: 18:3d:a2:25:01:a4 Received EAPOL EAPPKT from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.554: 18:3d:a2:25:01:a4 Received Identity Response (count=2) from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.554: 18:3d:a2:25:01:a4 EAP State update from Connecting to Authenticating for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.554: 18:3d:a2:25:01:a4 dot1x - moving mobile 18:3d:a2:25:01:a4 into Authenticating state
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.554: 18:3d:a2:25:01:a4 Entering Backend Auth Response state for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.572: 18:3d:a2:25:01:a4 Processing Access-Challenge for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.572: 18:3d:a2:25:01:a4 Entering Backend Auth Req state (id=3) for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.572: 18:3d:a2:25:01:a4 Sending EAP Request from AAA to mobile 18:3d:a2:25:01:a4 (EAP Id 3)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.585: 18:3d:a2:25:01:a4 Received EAPOL EAPPKT from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.585: 18:3d:a2:25:01:a4 Received EAP Response from mobile 18:3d:a2:25:01:a4 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.585: 18:3d:a2:25:01:a4 Entering Backend Auth Response state for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.598: 18:3d:a2:25:01:a4 Processing Access-Challenge for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.598: 18:3d:a2:25:01:a4 Entering Backend Auth Req state (id=4) for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.598: 18:3d:a2:25:01:a4 Sending EAP Request from AAA to mobile 18:3d:a2:25:01:a4 (EAP Id 4)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.613: 18:3d:a2:25:01:a4 Received EAPOL EAPPKT from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.613: 18:3d:a2:25:01:a4 Received EAP Response from mobile 18:3d:a2:25:01:a4 (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.613: 18:3d:a2:25:01:a4 Entering Backend Auth Response state for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.627: 18:3d:a2:25:01:a4 Processing Access-Challenge for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.627: 18:3d:a2:25:01:a4 Entering Backend Auth Req state (id=7) for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.627: 18:3d:a2:25:01:a4 WARNING: updated EAP-Identifier 4 ===> 7 for STA 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.627: 18:3d:a2:25:01:a4 Sending EAP Request from AAA to mobile 18:3d:a2:25:01:a4 (EAP Id 7)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.643: 18:3d:a2:25:01:a4 Received EAPOL EAPPKT from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.643: 18:3d:a2:25:01:a4 Received EAP Response from mobile 18:3d:a2:25:01:a4 (EAP Id 7, EAP Type 25)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.643: 18:3d:a2:25:01:a4 Entering Backend Auth Response state for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Processing Access-Accept for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Resetting web IPv4 Flex acl from 65535 to 65535
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Station 18:3d:a2:25:01:a4 setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Username entry (pippo) created for mobile, length = 253
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Username entry (pippo) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Creating a PKC PMKID Cache entry for station 18:3d:a2:25:01:a4 (RSN 0)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.656: 18:3d:a2:25:01:a4 Sending EAP-Success to mobile 18:3d:a2:25:01:a4 (EAP Id 7)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.657: 18:3d:a2:25:01:a4 Freeing AAACB from Dot1xCB as AAA auth is done for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.657: 18:3d:a2:25:01:a4 Starting key exchange to mobile 18:3d:a2:25:01:a4, data packets will be dropped
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.657: 18:3d:a2:25:01:a4 Sending EAPOL-Key Message to mobile 18:3d:a2:25:01:a4
                                                                                                                    state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.657: 18:3d:a2:25:01:a4 Entering Backend Auth Success state (id=7) for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.657: 18:3d:a2:25:01:a4 Received Auth Success while in Authenticating state for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.657: 18:3d:a2:25:01:a4 dot1x - moving mobile 18:3d:a2:25:01:a4 into Authenticated state
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.671: 18:3d:a2:25:01:a4 Received EAPOL-Key from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.671: 18:3d:a2:25:01:a4 Received EAPOL-key in PTK_START state (message 2) from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.671: 18:3d:a2:25:01:a4 Stopping retransmission timer for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.671: 18:3d:a2:25:01:a4 Sending EAPOL-Key Message to mobile 18:3d:a2:25:01:a4
                                                                                                                    state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.689: 18:3d:a2:25:01:a4 Received EAPOL-Key from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.689: 18:3d:a2:25:01:a4 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.689: 18:3d:a2:25:01:a4 Stopping retransmission timer for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.689: 18:3d:a2:25:01:a4 apfMs1xStateInc
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.689: 18:3d:a2:25:01:a4 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.689: 18:3d:a2:25:01:a4 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 00:3a:9a:77:55:a0 vapId 103 apVapId 1for this client
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.689: 18:3d:a2:25:01:a4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:3a:9a:77:55:a0 vapId 103 apVapId 1 flex-acl-name:
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5952, Adding TMP rule
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:3a:9a:77:55:a0, slot 0, interface = 13, QOS = 0
IPv4 ACL ID = 255, IP
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 0, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 Key exchange done, data packets from mobile 18:3d:a2:25:01:a4 should be forwarded shortly
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 Sending EAPOL-Key Message to mobile 18:3d:a2:25:01:a4
                                                                                                                    state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*pemReceiveTask: Feb 11 16:54:22.690: 18:3d:a2:25:01:a4 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*spamApTask3: Feb 11 16:54:22.707: 18:3d:a2:25:01:a4 Sent EAPOL-Key M5 for mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.768: 18:3d:a2:25:01:a4 Received EAPOL-Key from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.768: 18:3d:a2:25:01:a4 Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 18:3d:a2:25:01:a4
*Dot1x_NW_MsgTask_4: Feb 11 16:54:22.769: 18:3d:a2:25:01:a4 Stopping retransmission timer for mobile 18:3d:a2:25:01:a4
*apfReceiveTask: Feb 11 16:54:25.619: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Feb 11 16:54:25.619: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5576, Adding TMP rule
*apfReceiveTask: Feb 11 16:54:25.619: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:3a:9a:77:55:a0, slot 0, interface = 13, QOS = 0
IPv4 ACL ID = 255,
*apfReceiveTask: Feb 11 16:54:25.619: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 0, Local Bridging intf id = 0
*apfReceiveTask: Feb 11 16:54:25.619: 18:3d:a2:25:01:a4 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*pemReceiveTask: Feb 11 16:54:25.619: 18:3d:a2:25:01:a4 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
(Cisco Controller) >*emWeb: Feb 11 16:54:46.127: 18:3d:a2:25:01:a4 Central Switch = FALSE
*emWeb: Feb 11 16:54:46.128: 18:3d:a2:25:01:a4 Central Switch = FALSE
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >*emWeb: Feb 11 16:55:36.461: 18:3d:a2:25:01:a4 Central Switch = FALSE
*emWeb: Feb 11 16:55:36.463: 18:3d:a2:25:01:a4 Central Switch = FALSE
From log i know that 802.1x passed, while dhcp don't send ip address. It seems that the local vlan id is 0 while in reality is 3... WHY ? i don't understand.
Someone can help me to find the problem? i think the problem is on the network, the dhcp ( the corporate router) is directly connected to the ap.

Are you setting your FlexConnect native vlan and the wlan to vlan mapping? You also need to make sure you have the ip helpers setup and that dhcp is working. I would configure a switch port to a vlan that the wireless users is suppose to be on locally at that site and connect a laptop to that port and make sure that the laptop gets an address.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"*****

Some clients not receiving SCEP definition updates

Similar Messages

Maybe you are looking for