Cisco Bug: CSCuq45110 - M1 is sometimes encrypted, leading to M1 refusal on station side

Last Modified

Jul 10, 2017

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

7.6(120.0) 8.0(100.0)

Description (partial)

Symptom:
Sometimes the WLC sends the M1 pairwise key message encrypted when it should not be encrypted. As a result, the client fails to send M2 and the pairwise key exchange fails. The client then has to reassociate and exchange the keys again.

At the time of the failure, "debug client" will display output similar to the following:

*apfPmkCacheTimer: Aug 15 09:40:51.478: 1c:99:4c:89:7a:9a Removing expired PMK cache entry for station 1c:99:4c:89:7a:9a AKM was:APF_KEY_MGMT_80211r
*apfPmkCacheTimer: Aug 15 09:40:51.478: 1c:99:4c:89:7a:9a Removing expired PTK entry for station 1c:99:4c:89:7a:9a
*apfReceiveTask: Aug 15 09:40:51.479: 1c:99:4c:89:7a:9a Initiating 802.1x due to PMK Timeout Event for STA 
[ ... ]
*dot1xMsgTask: Aug 15 09:40:51.480: 1c:99:4c:89:7a:9a Initiating RSN PSK to mobile 1c:99:4c:89:7a:9a
[ ... ]
*dot1xMsgTask: Aug 15 09:40:51.481: 1c:99:4c:89:7a:9a Starting key exchange to mobile 1c:99:4c:89:7a:9a, data packets will be dropped
*dot1xMsgTask: Aug 15 09:40:51.481: 1c:99:4c:89:7a:9a Sending EAPOL-Key Message to mobile 1c:99:4c:89:7a:9a
   state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
[ ... ]
*osapiBsnTimer: Aug 15 09:40:52.486: 1c:99:4c:89:7a:9a 802.1x 'timeoutEvt' Timer expired for station 1c:99:4c:89:7a:9a and for message = M2
*dot1xMsgTask: Aug 15 09:40:52.487: 1c:99:4c:89:7a:9a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 1c:99:4c:89:7a:9a
[ ... ]
*dot1xMsgTask: Aug 15 09:40:53.487: 1c:99:4c:89:7a:9a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 1c:99:4c:89:7a:9a
[ ... ]
*osapiBsnTimer: Aug 15 09:40:54.486: 1c:99:4c:89:7a:9a 802.1x 'timeoutEvt' Timer expired for station 1c:99:4c:89:7a:9a and for message = M2
*dot1xMsgTask: Aug 15 09:40:54.487: 1c:99:4c:89:7a:9a Retransmit failure for EAPOL-Key M1 to mobile 1c:99:4c:89:7a:9a, retransmit count 3, mscb deauth count 0

Conditions:
SSID is configured for WPA2/AES FT-PSK.
802.11r is enabled on the SSID.

The key exchange failure occurs when the session timeout expires.
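
Added example (not Cisco code): a Python sketch that scans saved "debug client" output for the sequence quoted above, an M1 that is retransmitted until "Retransmit failure", and records whether a PMK Timeout Event preceded it for the same client. The function name, field names and the second client in the sample are assumptions made for illustration; the log lines alone do not show whether M1 was encrypted.

```python
import re

# Line shape of the WLC "debug client" output quoted in this bug description.
LINE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
RETX = re.compile(r"Retransmit (\d+) of EAPOL-Key M1")
FAIL = re.compile(r"Retransmit failure for EAPOL-Key M1 .*retransmit count (\d+)")

def find_m1_failures(text):
    """Return one finding per M1 exchange that ended in 'Retransmit failure'."""
    state, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips "[ ... ]" elisions and wrapped continuation lines
        mac, msg = m["mac"].lower(), m["msg"]
        st = state.setdefault(mac, {"pmk_timeout": None, "retx": 0})
        if "due to PMK Timeout Event" in msg:
            st.update(pmk_timeout=m["ts"], retx=0)  # rekey starts here
        elif (r := RETX.search(msg)):
            st["retx"] = int(r.group(1))
        elif (f := FAIL.search(msg)):
            findings.append({
                "mac": mac,
                "failed_at": m["ts"],
                "pmk_timeout_at": st["pmk_timeout"],
                "after_pmk_timeout": st["pmk_timeout"] is not None,
                "retransmits_seen": st["retx"],
                "retransmit_count": int(f.group(1)),
            })
            state.pop(mac)  # a later exchange for this client starts clean
    return findings

# Sample input: abridged from the output above, plus one constructed line for a
# second client (02:00:00:00:00:01) that fails without a preceding PMK timeout.
SAMPLE = """\
*apfReceiveTask: Aug 15 09:40:51.479: 1c:99:4c:89:7a:9a Initiating 802.1x due to PMK Timeout Event for STA
*dot1xMsgTask: Aug 15 09:40:51.481: 1c:99:4c:89:7a:9a Sending EAPOL-Key Message to mobile 1c:99:4c:89:7a:9a
   state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
[ ... ]
*dot1xMsgTask: Aug 15 09:40:52.487: 1c:99:4c:89:7a:9a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 1c:99:4c:89:7a:9a
*dot1xMsgTask: Aug 15 09:40:53.487: 1c:99:4c:89:7a:9a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 1c:99:4c:89:7a:9a
*dot1xMsgTask: Aug 15 09:40:54.487: 1c:99:4c:89:7a:9a Retransmit failure for EAPOL-Key M1 to mobile 1c:99:4c:89:7a:9a, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Aug 15 09:41:10.100: 02:00:00:00:00:01 Retransmit failure for EAPOL-Key M1 to mobile 02:00:00:00:00:01, retransmit count 3, mscb deauth count 0
"""

if __name__ == "__main__":
    for finding in find_m1_failures(SAMPLE):
        print(finding)
```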