WLC 5508 problem

Hi
I have one 5508 and about 70 Cisco1140 AP and spred around in to about 5 sites.
We use a Microsoft IAS server as radius server with auth from the AD with dot1x and certificate in the clinents to verify the clientents
The clients are IBM and Dell laptops
Some clients loses the connection to the network time to time
I have some errors in the WLC logg
dot1xMsgTask: Jan 18 11:23:34.254: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions
exceeded for client 00:24:d7:22:0e:e0
*apfMsConnTask_3: Jan 18 11:21:13.118: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:273 Could not che
ck supported rates. Missing Supported Rate. Length :0. Mobile MAC: b8:ff:61:8f:df:25.
*Dot1x_NW_MsgTask_0: Jan 18 11:15:31.521: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:708 Receiv
ed invalid EAPOL-key M2 msg in START state - invalid secure bit; len 40, key type 1, client 00:21:6a
:50:21:80
*spamApTask0: Jan 18 11:14:34.630: %LWAPP-3-VALIDATE_ERR: spam_lrad.c:9090 Validation of SPAM Vendor
Specific Payload failed - AP  30:37:a6:c9:53:20
*dot1xMsgTask: Jan 18 11:14:19.850: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity re
quest retries (14) exceeded for client 00:1f:3b:16:aa:ef
Decrypt error occurred for clienten 00:24:d7:69:fb:7c using WPA2 key on 802.11a interface of AP e8:04:62:60:a0:10
Any sugestions ?

Looking at the error messages, they don't point to a singlular fault with the WLC, more like a client issue.  Below I'll explain the messages you are seeing.
dot1xMsgTask: Jan 18 11:23:34.254: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions
exceeded for client 00:24:d7:22:0e:e0
      This means, the WLC has sent an EAP request to the client, and has not received a response.  This could be because either the cleint didn't hear the request, or the AP didn't hear the response.  It could also be the client ignored the request.  You may want to take a look at the following document and see if you want to change the EAP timer values
.   https://supportforums.cisco.com/docs/DOC-12110
*apfMsConnTask_3: Jan 18 11:21:13.118: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:273 Could not che
ck supported rates. Missing Supported Rate. Length :0. Mobile MAC: b8:ff:61:8f:df:25.
   The WLC was reading a message from the client, and the client did not tell the WLC what rates it could support.  This could happen because the packet from the client wasn't heard fully.  As well, some clients will see the WLC that they are associated to, and not the individual AP.  In this case, it is possible that the client didnt' send the supported rates, as it didn't see a change in BSSID>
*Dot1x_NW_MsgTask_0: Jan 18 11:15:31.521: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:708 Receiv
ed invalid EAPOL-key M2 msg in START state - invalid secure bit; len 40, key type 1, client 00:21:6a
:50:21:80
   The client tried to send a key, when the PEM state on the WLC was START.  More than likely the client thought it could roam, but the WLC thought differently
*spamApTask0: Jan 18 11:14:34.630: %LWAPP-3-VALIDATE_ERR: spam_lrad.c:9090 Validation of SPAM Vendor
Specific Payload failed - AP  30:37:a6:c9:53:20
   Bad packet.
*dot1xMsgTask: Jan 18 11:14:19.850: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (14) exceeded for client 00:1f:3b:16:aa:ef
   WLC is sending EAP Identity request to the client, and it is not repsonding. 
Decrypt error occurred for clienten 00:24:d7:69:fb:7c using WPA2 key on 802.11a interface of AP e8:04:62:60:a0:10
Couldn't decrypt the packet.  Could be a bad key, or could be we didnt' get the full packet, thus making the decrypt fail.
    For the most part, these are commonly seen issues.  Could be the result of RF issues, so you may want to take a look and make sure the coverage at the site is clean.   Some of these can also be caused by WZC, which likes to ignore EAP messages, and has a tendancy to use the login credentials that get cached.  Which if these are not domain credentials can cause issues as well.
Cheers,
Steve
If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • WLC 5508 Problem with #DOT1X-3-INVALID_REPLAY_CTR

    Hi all,
    I have WLC 5508 with version 7.4.110.0 and with 13 AccessPoints.So 12 of this AP are  AIR-LAP1142N-E-K9 and 1 is AIR-CAP3602I-E-K9.
    Logs of my WLC are:
    *Dot1x_NW_MsgTask_1: Jan 11 01:15:05.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 90:c1:15:c6:c3:49 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 01:09:41.015: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 5c:0a:5b:c1:16:34 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.269: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.648: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 24:77:03:67:01:48 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_5: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:da:c1:cd - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_2: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client cc:78:5f:29:cc:82 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_4: Jan 11 01:03:31.633: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 08:11:96:55:81:c4 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.631: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 84:3a:4b:56:36:50 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 01:03:31.630: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:e2:d4:91 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 00:59:52.593: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client a0:88:b4:60:20:f8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *apfRogueTask_3: Jan 11 00:59:32.168: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 2, Requested containment level 4
    *apfRogueTask_3: Jan 11 00:58:38.635: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 1, Requested containment level 4
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.885: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.883: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 02
    *dot1xMsgTask: Jan 11 00:49:05.842: #DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:618 Client c8:e0:eb:19:2a:97 may be using an incorrect PSK
    *apfRogueTask_3: Jan 11 00:40:42.576: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 3, Requested containment level 4
    *Dot1x_NW_MsgTask_3: Jan 11 00:40:17.471: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:43:8f:f1:8c:8b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 00:40:03.368: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client f0:d1:a9:8e:1a:dc - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 00:39:30.528: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:d8:84:09 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    I already go to this link to check the Description of errors-
    http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html#wp1000139
    Appreciate all feedback. Thank you.

    Hi Ruben,
    a) After successful dot1x authentication, session keys are derived from pairwise master key.
    b) When the AP transmits a key to a station by default, it expects a response back within a set timeframe.
    c) If the station does not respond, the AP increments the counter and retransmits the key.
    d) If the AP receives a response to first message just after the retransmission of the key, a mismatch occurs in the counter.
    This in most of the cases will be a client driver problem.
    Solution :
    1) try to increase the EAPOL-Key Timeout ( config advanced eap ).
    2) Upgrade the client driver.
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Config RADIUS on WLC 5508 - Problems comunication with NPS Server

    Hi,
    I'm facing some problems when configuring RADIUS auth with a NPS Windows Server.
    My WLAN interface is in a different vlan than the management interface, is that a problem?
    I want this wlan to be on a different vlan from the management. When i use wlan interface in the same vlan the RADIUS works without problems. But in different vlans is not working.
    The NPS server as 2 NICs, 1 for the wireless vlan, and another for the management vlan.
    the logs from the WLC shows this, but i have difficulties interpreting all this data:
    *apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)

    yes, I thought of that. But if i use a simple password authentication on the wireless, i can reach the server with the same subnet interface. But i don't want to allow this subnet to acess the management subnet of the wireless controller.
    One question i have is: The WLC uses whitch subnet on radius? Uses the subnet of the wireless interface or uses always the management interface?
    Could you help me understand how the radius auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run ok until:
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    I also note this: "Applying Local Bridging Interface Policy for station "
    What does this means?

  • WLC 5508 - wlan stability problems

    Hi.
    I have a WLC 5508 with half a dozen LAPs (AIR-CAP3502I-E-K9).
    They have been working but sometimes clients detect conectivity problems with the wlan.
    Here is the message log I can obtain from the controller:
    Nov 09 12:16:31.886: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32Previous message occurred 7 times.Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*apfReceiveTask: Nov 09 11:51:30.788: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *spamApTask2: Nov 09 11:51:20.144: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.23.1.118*dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67*apfReceiveTask: Nov 09 11:50:40.672: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:38.625: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:35.531: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:31.068: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:29.257: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:28.707: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    Can somebody help me to understand these messages?
    1)
    *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    2)
    Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
    3)
    *dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67
    Thanks

    1)
    *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    //APs are rebooting. don't panic, check the up time of AP. This message seen when AP rebooted/freshly joined and waiting for wlc to assign channel.
    2)
    Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
    //It is cosmetic and can be ignored.
    3)
    *dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32
    //Keys M1-M5 used for wireless auth, here client having struggle completing the auth process.
    get output of, WLC>debug client

  • WLC 5508 HA Problem Soft.ver 7.4.100

    Dear Support,
    we are using two WLC 5508 software ver.7.4.100 with first 50AP license and in the next day we add 50AP license again to the primary WLC. when we activate HA base in the following guiden http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html but when we doing test the failover we found a couple log message on the Secondary WLC like below and not for long time all AP on the Secondary WLC was drop off. 
    1. DP Critical Error
    2. *RRM-DCLNT-2_4: May 23 07:43:53.204: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
    *RRM-DCLNT-2_4: May 23 07:43:53.164: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
    *RRM-DCLNT-2_4: May 23 07:43:52.854: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:2c:36:f8:72:fc:c0,Key SlotId:0
    I also send a complete log for both problem above and enclose it with pdf file. need you advice and assistance,
    regard, afriansyah

    I agree go to version 7.4.121.0 I has some strange issues on prior releases. Personally I am running 7.6.120.0 right now but that's mainly due to support for the 3702 access points.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#pgfId-74573
    that's a good guide just to double check yourself just in case. -

  • Upgrade WLC 5508 to 7.4.121.0 problem

    After I upgraded WLC 5508 from 7.2.111.3 to 7.4.121.0, all 3602i APs don't associate with the controller.  All APs were working/associating with controller on 7.2.111.3 at same setting.  IP address of APs are setup as DHCP.
    The error message is "AP couldn't get IP address".   
    Any one has this type of problem when you upgrade WLC 5508 from 7.2.111.3 to 7.4.121.0.
    Thanks,

    Hi,
    This doesn't look like software issue.
    You have to check why the APs are not able to get ip address. Try connecting a PC to a swtich port where one of these APs are connected and see if you are able to get IP on PC.
    Also check if the DHCP server is reachable and if there are IP address in the pool assigned for APs.
    HTH,
    Thanks & Regards,
    Ishant
    *** Please rate the post if you find it useful ***

  • WLC 5508, DHCP Problem after Update Cisco ASA(DHCP-Server)

    Hello,
    our Problem is, our Apple Devices get no ip adress from our Cisco ASA Cluster(ASA 9.1.2) over Wireless(Cisco WLC 5508). All other devices(Windows, Android,...) work correct, without problems. Our WLC is in HA-Mode.
    Does anybody have an Idea?
    Thank you very much and Best regards,
    Stefan

    Hello again,
    I hope this case is the solution.
    https://supportforums.cisco.com/message/3942112#3942112
    I will let you know after downgrade.
    Best regards,
    Stefan

  • WLC 5508 WPA Authentication Problems

    Hello,
    We have a WLC 5508 with 7.4.100.0 Firmware.
    We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
    Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    The strange thing is that the problem is solved restarting the Access-points.
    Anyone had this problem previusly?
    Thanks in advance.

    I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
    Cisco Recommended  and not recommended Authentication Settings
    Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
    These images provide examples of incompatible settings for TKIP and AES:
    Note: Be aware that security settings permit unsupported features.
    These images provide examples of compatible settings:

  • Problem uploading SSL certificat on a WLC 5508

    Hello,
    I'm trying to upload a SSL-certificate (RSA:2048) on a WLC 5508 via the "Management->HTTP-HTTPS" - Tab and get the following problem :
    *TransferTask: Jul 18 16:36:14.487: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1
    *TransferTask: Jul 18 16:36:14.487: %SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4028 Cannot PEM decode private key
    I've generated it using the following commands:
    # openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.ca-bundle -out CA.pfx
    # openssl pkcs12 -in CA.pfx -nodes -out CA.pem
    But it doesn't work...
    Does anyone have an idea?
    Best regards,
    Eric

    Hello Eric,
    I'm facing the same problem, when trying to upload a chained SSL certificate (2048bits) to the wlc version 7.0.116.0
    Did you use an unchained certificate and what size is your cert?
    According to a Cisco document, for controllers version 5.1.151.0 and later, only unchained certificates are supported for the management certificate.
    I'm just wondering, if this limitation still applies to the newer versions.
    Regards,
    Oliver

  • RF Grouping problem WLC 5508

    Hi,
    We have a problem regarding RF Grouping between two WLC 5508.
    The two controllers have the same RF Group name,RF Grouping is enabled,they belong to the same mobility group,their management IP
    address is on the same subnet, they ping each other but they don't elect a Group Leader. Each one
    elects itself as the Group Leader.
    We have tried to place 2 APs,each belonging to different controller, close one to the other but nothing changed.
    Any help would be much appreciated.

    Hi Nicolas,
    Because we have an almost live network, we wouldn't like to go public with our configurations. Is there any other way we can send them to you?
    Thanks in advance,
    Theofilos

  • Windows Sharing problem from WLC 5508 to wired LAN

    Dear All,
    I'm having problem with windows sharing (file/printer sharing) from Wireless lan client which is connected to AP3500 and
    WLC 5508 then to Nexus 7010. It's already using ip command, for example \\192.168.84.65
    WLC os version 7.0.116.0 (using AP groups)
    Nexus os version 4.2(6)
    The weird thing is i can connect using windows sharing from wired LAN to wireless user however not vice versa.
    for better explanation, here are the scenarios
    1. Wireless lan to wired LAN using windows sharing - failed
    1. Wired LAN to Wireless lan using windows sharing - success.
    I've been analyzing by making sure that all the to end, there would be no firewall within source pc(s) and destination pc(s) and also
    the ACL inside Nexus.
    Been dying here to find solution for this, due to the customer is using it for file and printer sharing service.
    Anyone has idea to solve this problem, i'm looking forward for any suggestion coming.
    Arrai.

    Peer to peer within wlc is using default setting which is allowed and as you may know, peer to peer permission only related between wireless client not wired one. CMIIW.

  • WLC 5508 7.0.98.0 problem with locpRxServerTask missed software watchdog

    Hi
    today my wlc 5508 crash. after trying to get access via sp. i doesnt reponds. so i rebooted. in the sh tech i saw this message which i gues indicates the RC of the failure.    ANY IDEAS...
    *             Start Cisco Crash Handler Serv               *
    Sys Name:       usa-5354-wlc-02
    Model:          AIR-CT5508-K9
    Version:        7.0.98.0
    Timestamp:      Thu Jan  5 05:43:13 2012
    SystemUpTime:   254 days 4 hrs 46 mins 24 secs
    pid:            1225
    TID:            944042816
    Task Name:      locpRxServerTask
    Reason:         Reaper Reset
    timer tcb:      0x2572
    timer cb:       0x10354e28 ('rrmTimerInit+600')
    timer arg1:     0x19b11010
    timer arg2:     0x0
    Long time taken timer call back inforamtion:
    --More-- or (q)uit
    Time Stamp:     Thu Sep 22 15:56:24 2011
    timer cb:       0x100d6f48 ('apfRldpScheduleSet+656')
    Duration  : 103753 usecs, cbCount= 15
    Analysis of Failure:
      Software was stopped by the reaper for the following reason:
         Reaper Reset: Task "locpRxServerTask" missed software watchdog

    May be here is the bug that u r hitting..
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti21343
    Upgrade the image to the latest that we have (7.0.220)
    Please dont forget to rate the useful posts!!
    Regards
    Surendra

  • WLC 5508 + NPS MS-CHAP v2 Auth problems

    Hi,
    I am having a lot of trouble trying to set up a Cisco WLC 5508 to use NPS on Windows Server 2008 as it's authentication.
    When a client attempts to connect to the WLAN, the authentication is denied on Windows 7/Vista/XP, however, on Mac/iOS clients, it asks to accept the certificate (this is a public cert, issued by Entrust - however, it is a wildcard cert..), but then it will connect.
    So I have two questions:
    1/ Why won't the windows clients authenticate? If I set up the WLAN profile on the windows machine, and I deselect "Validate server certificate", then they connect just fine....
    2/ Is it possible to make it so the user is not prompted to accept the certificate? Why can't this certificate be validated locally by the client?
    Thanks,
    Josh

    Looks like it might have been an issue with that certificate, I don't know.
    Either it didn't like the wildcard, or it didn't like the intermediate/root CA.
    I downloaded a Comodo Trial SSL and plugged that in - works like a charm now!

  • Problem Concurent client WLC 5508

    Hi All support,
    i have running cisco wlc 5508 with software upgrade 7-4-100-0.aes  and 24 cisco 1552 AP with mode mesh, concurent client only show 185 clients but if we using dual load wlc ( Whitout mobility group, if using mobility group clients still stuck concurent) clients can get online 150 on wlc01 and 130 on wlc02 ,total client we have is 300 client.for more information we using feature passive client on this network. any body can help  ??
    regards,
    Sigit H.W

    this is debug iapp :
    *iappSocketTask: Mar 18 11:13:09.419:      [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.419:      [0496] 00 00 00 00 00 27 22 16 13 f9 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0512] 00 00 00 02 00 00 00 00 00 00 01 46 b8 17 01 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0528] 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0688] 00 00 27 22 40 a8 81 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0704] 01 00 00 00 00 00 00 00 a8 b9 19 01 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0720] 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:09.420:      [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.785: IAPP Rx Frame (1633)
    *iappSocketTask: Mar 18 11:13:10.785:      [0000] d0 c2 82 e3 ae c4 2c 36 f8 73 e6 80 81 00 00 0b
    *iappSocketTask: Mar 18 11:13:10.785:      [0016] 08 00 45 00 05 cc d3 da 40 00 ff 11 28 8a 0a 9d
    *iappSocketTask: Mar 18 11:13:10.785:      [0032] 32 6d 0a 9d 32 15 3e 69 14 7f 05 b8 00 00 00 20
    *iappSocketTask: Mar 18 11:13:10.785:      [0048] 03 20 bb 9f 00 00 01 04 00 00 00 00 00 00 01 08
    *iappSocketTask: Mar 18 11:13:10.785:      [0064] 00 00 2c 36 f8 73 e6 80 2c 36 f8 73 e6 80 2c 36
    *iappSocketTask: Mar 18 11:13:10.785:      [0080] f8 73 e6 80 00 00 aa aa 03 00 40 96 00 00 06 03
    *iappSocketTask: Mar 18 11:13:10.785:      [0096] 32 8b 2c 36 f8 73 e6 80 2c 36 f8 73 e6 80 00 00
    *iappSocketTask: Mar 18 11:13:10.785:      [0112] 39 00 05 ed e1 cf 0a 30 08 00 00 27 22 40 a4 df
    *iappSocketTask: Mar 18 11:13:10.785:      [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0144] 00 00 a0 05 00 00 00 00 00 0c 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0256] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0272] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0288] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0304] 00 00 00 00 00 00 00 00 27 22 84 89 30 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0320] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a3
    *iappSocketTask: Mar 18 11:13:10.786:      [0336] 06 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0352] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0368] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0384] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0400] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0416] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0432] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0448] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0464] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0496] 00 00 00 00 00 27 22 40 a8 57 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0512] 00 00 00 00 00 00 00 00 00 00 00 00 aa 0d 01 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0528] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0688] 00 00 27 22 2c a9 c6 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0704] 00 00 00 00 00 00 00 00 00 a2 06 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0720] 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:10.786:      [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554: IAPP Rx Frame (1633)
    *iappSocketTask: Mar 18 11:13:12.554:      [0000] d0 c2 82 e3 ae c4 2c 36 f8 73 04 20 81 00 00 0b
    *iappSocketTask: Mar 18 11:13:12.554:      [0016] 08 00 45 00 05 cc 00 50 40 00 ff 11 fc 17 0a 9d
    *iappSocketTask: Mar 18 11:13:12.554:      [0032] 32 6a 0a 9d 32 15 30 44 14 7f 05 b8 00 00 00 20
    *iappSocketTask: Mar 18 11:13:12.554:      [0048] 03 20 bb fa 00 00 01 04 00 00 00 00 00 00 01 08
    *iappSocketTask: Mar 18 11:13:12.554:      [0064] 00 00 2c 36 f8 73 04 20 2c 36 f8 73 04 20 2c 36
    *iappSocketTask: Mar 18 11:13:12.554:      [0080] f8 73 04 20 00 00 aa aa 03 00 40 96 00 00 06 03
    *iappSocketTask: Mar 18 11:13:12.554:      [0096] 32 8b 2c 36 f8 73 04 20 2c 36 f8 73 04 20 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0112] 39 00 05 ed 00 00 0a 30 08 00 00 27 22 40 a8 f0
    *iappSocketTask: Mar 18 11:13:12.554:      [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0144] 00 00 b0 14 01 00 00 00 00 12 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0256] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0272] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0288] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0304] 00 00 00 00 00 00 00 00 27 22 16 a3 f7 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0320] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ad
    *iappSocketTask: Mar 18 11:13:12.554:      [0336] 10 01 00 00 00 00 24 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0352] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0368] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0384] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0400] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0416] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0432] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0448] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0464] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0496] 00 00 00 00 00 27 22 40 a9 37 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0512] 00 00 00 00 00 00 00 00 00 00 00 00 b1 13 01 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0528] 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0688] 00 00 27 22 40 a9 fd 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0704] 00 00 00 00 00 00 00 00 00 b2 16 01 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0720] 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *iappSocketTask: Mar 18 11:13:12.554:      [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    (Cisco Controller) >debug iapp all disable

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
    building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
    well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
    the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
    are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
    from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
    large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
    the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
    the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
    connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
    support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
    i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
    between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
    feature while a central controller would provide the Mobility Controller (MC) service. unfortunately, there are not enough licenses on the
    existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
    already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
    focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
    state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
    to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
    subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
    that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
    as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally seperate WLAN network and follow on to
    the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
    then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
    Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
    clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally seperate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

Maybe you are looking for

  • What's wrong with my computer network?

    Hello, recently Google Chrome has been displaying "Error 7 (net::ERR_TIMED_OUT)" on all pages i try to access. For a while, i thought it was a Chrome specific problem, so i did a lot of research on how i thought i could fix it.. i did many things, fr

  • Sorting XMLListCollection by nested elements

    I've been sorting XML files using an XMLListCollection when I have an XML with the following structure: <products>      <product id="1">           <field1>value</field1>           <field2>value</field2>           <field3>value</field3>      </product

  • Demo License

    Hi Friends, I have Downloaded and installed a demo version of Sun Forte in my V880 System.Now i require the license for it to use.Accdng to Sun they say tat during downloading there is a option from where we cud get the demo license for 1mth.I am dow

  • Sudden slowness and loss of wireless connection to PC

    I've used my Dell laptop on my Airport Extreme wireless network without problem for two years. Yesterday, after installing an HP 8500 printer on the network, my PC became extraordinarily slow on the network, and kept losing its connection. I haven't

  • N96 incoming call voice over HELP

    I've just bought the Nokia N96. Every time i receive a call i hear my ring tone BUT then a computer voice talks over the ring tone saying (or attempting to pronounce) the name. How do i switch this annoying voice off? I only want to hear my ring tone