Cisco Bug: CSCuq45110 - M1 is sometimes encrypted, leading to M1 refusal on station side

Last Modified

Nov 16, 2018

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

7.6(120.0) 8.0(100.0)

Description (partial)

Symptom:
Sometimes the WLC sends M1 of the pairwise key exchange encrypted when it should not be encrypted. As a result, the client fails to send M2, and the pairwise key exchange fails. The client then has to reassociate and exchange the keys again.

At the time of the failure, "debug client" will display output similar to the following:

*apfPmkCacheTimer: Aug 15 09:40:51.478: 1c:99:4c:89:7a:9a Removing expired PMK cache entry for station 1c:99:4c:89:7a:9a AKM was:APF_KEY_MGMT_80211r
*apfPmkCacheTimer: Aug 15 09:40:51.478: 1c:99:4c:89:7a:9a Removing expired PTK entry for station 1c:99:4c:89:7a:9a
*apfReceiveTask: Aug 15 09:40:51.479: 1c:99:4c:89:7a:9a Initiating 802.1x due to PMK Timeout Event for STA 
[ ...]
*dot1xMsgTask: Aug 15 09:40:51.480: 1c:99:4c:89:7a:9a Initiating RSN PSK to mobile 1c:99:4c:89:7a:9a
[ ... ]
*dot1xMsgTask: Aug 15 09:40:51.481: 1c:99:4c:89:7a:9a Starting key exchange to mobile 1c:99:4c:89:7a:9a, data packets will be dropped
*dot1xMsgTask: Aug 15 09:40:51.481: 1c:99:4c:89:7a:9a Sending EAPOL-Key Message to mobile 1c:99:4c:89:7a:9a
   state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
[ ... ]
*osapiBsnTimer: Aug 15 09:40:52.486: 1c:99:4c:89:7a:9a 802.1x 'timeoutEvt' Timer expired for station 1c:99:4c:89:7a:9a and for message = M2
*dot1xMsgTask: Aug 15 09:40:52.487: 1c:99:4c:89:7a:9a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 1c:99:4c:89:7a:9a
[ ... ]
*dot1xMsgTask: Aug 15 09:40:53.487: 1c:99:4c:89:7a:9a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 1c:99:4c:89:7a:9a
[ ... ]
*osapiBsnTimer: Aug 15 09:40:54.486: 1c:99:4c:89:7a:9a 802.1x 'timeoutEvt' Timer expired for station 1c:99:4c:89:7a:9a and for message = M2
*dot1xMsgTask: Aug 15 09:40:54.487: 1c:99:4c:89:7a:9a Retransmit failure for EAPOL-Key M1 to mobile 1c:99:4c:89:7a:9a, retransmit count 3, mscb deauth count 0

Conditions:
SSID is configured for WPA2/AES FT-PSK.
802.11r is enabled on the SSID.

The key exchange failure occurs when the session timeout expires.
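
The following is an added example, not part of the Cisco bug record: a Python sketch that scans saved "debug client" output for the sequence shown above (PMK cache expiry, then M1 retransmits ending in "Retransmit failure") and reports the affected clients. The function name, the finding fields and the second client MAC in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: shortened from the debug output quoted above, plus one
# constructed client (aa:bb:cc:00:00:01) that retransmits M1 once and recovers.
SAMPLE = """\
*apfPmkCacheTimer: Aug 15 09:40:51.478: 1c:99:4c:89:7a:9a Removing expired PMK cache entry for station 1c:99:4c:89:7a:9a AKM was:APF_KEY_MGMT_80211r
*dot1xMsgTask: Aug 15 09:40:51.481: 1c:99:4c:89:7a:9a Sending EAPOL-Key Message to mobile 1c:99:4c:89:7a:9a
   state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
[ ... ]
*dot1xMsgTask: Aug 15 09:40:51.900: aa:bb:cc:00:00:01 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile aa:bb:cc:00:00:01
*dot1xMsgTask: Aug 15 09:40:52.487: 1c:99:4c:89:7a:9a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 1c:99:4c:89:7a:9a
*dot1xMsgTask: Aug 15 09:40:54.487: 1c:99:4c:89:7a:9a Retransmit failure for EAPOL-Key M1 to mobile 1c:99:4c:89:7a:9a, retransmit count 3, mscb deauth count 0
"""

# "*task: Mon DD HH:MM:SS.mmm: <client MAC> <message>"
LINE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): "
                  r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)

def find_m1_failures(text):
    """Return one finding per client whose M1 retransmits were exhausted
    after a PMK cache expiry (hypothetical helper, not a Cisco tool)."""
    state, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # continuation lines and "[ ... ]" elisions
            continue
        mac, msg = m["mac"].lower(), m["msg"]
        st = state.setdefault(mac, {"pmk_expired": False, "ft": False, "retx": 0})
        if "Removing expired PMK cache entry" in msg:
            # The AKM name tells us whether the session used 802.11r (FT).
            st.update(pmk_expired=True, retx=0, ft="APF_KEY_MGMT_80211r" in msg)
        elif re.search(r"Retransmit \d+ of EAPOL-Key M1", msg):
            st["retx"] += 1
        elif "Retransmit failure for EAPOL-Key M1" in msg:
            if st["pmk_expired"]:
                findings.append({"mac": mac, "time": m["ts"],
                                 "ft_akm": st["ft"], "retransmits": st["retx"]})
            state.pop(mac)  # the client must reassociate; start fresh
    return findings

if __name__ == "__main__":
    for f in find_m1_failures(SAMPLE):
        print(f)
```

A match shows only that the log follows the pattern in this bug's symptom; the debug output does not show whether M1 was encrypted, so confirming that requires an over-the-air capture.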
