Cisco Bug: CSCvs83185 - AP duplicates all EAP/EAPOL packets

Last Modified

Jun 10, 2020

Products (1)

  • Cisco Aironet 3700 Series Access Points

Known Affected Releases

8.2(166.0) 8.5(151.0)

Description (partial)

Symptom:
The 4-way handshake fails with the NAM supplicant (AnyConnect 4.7.03052/4.8). If NAM is removed and the Windows supplicant is used, the client can connect. NAM is able to connect to an open SSID.

In the WLC debug we see:-

*Dot1x_NW_MsgTask_5: Jan 14 12:15:35.934: d8:f2:ca:38:08:3d Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile d8:f2:ca:38:08:3d
*Dot1x_NW_MsgTask_5: Jan 14 12:15:35.934: d8:f2:ca:38:08:3d EAPOL Key message with invalid authenticator replay counter got      00 00 00 00 00 00 00 00 expected 00 00 00 00 00 00 00 01 from mobile d8:f2:ca:38:08:3d
*osapiBsnTimer: Jan 14 12:15:41.085: d8:f2:ca:38:08:3d 802.1x 'timeoutEvt' Timer expired for station d8:f2:ca:38:08:3d and for message = M3
*Dot1x_NW_MsgTask_5: Jan 14 12:15:41.085: d8:f2:ca:38:08:3d key Desc Version FT - 0

On NAM we see:-
7487: VLADS-LT: Oct 28 2019 09:14:43.661 -0200: %NAM-3-ERROR_MSG: %[tid=5708][comp=SAE]: RSN (12) Pairwise MIC verification failed
7488: VLADS-LT: Oct 28 2019 09:14:45.826 -0200: %NAM-3-ERROR_MSG: %[tid=5708][comp=SAE]: RSN (12) Pairwise MIC verification failed
7489: VLADS-LT: Oct 28 2019 09:14:45.826 -0200: %NAM-3-ERROR_MSG: %[tid=5708][comp=SAE]: RSN (12) Pairwise MIC verification failed

The AP is duplicating the EAP success and M1 frames. Because M1 is sent twice, NAM sends a different MIC in its second M2 than in its first M2 response to the AP/vWLC, and this appears to be what causes the MIC mismatch.
When the duplicate M1 has exactly the same content in the 802.1x payload, the M2 response should be consistent.

Conditions:
vWLC on 8.2.166.0/8.5.151.0
3702 APs in FlexConnect mode, because the WLC is virtual
NAM version 4.7 and 4.8
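
A way to pull this signature out of a WLC debug capture, as an added example that is not part of the Cisco bug record: the script flags clients whose EAPOL-Key reply carried a replay counter lower than the WLC expected and records any handshake timeout logged afterwards for the same client. The function name and the second client's MAC are assumptions made for the example; the line formats are taken from the debug output above.

```python
import re

# Debug lines copied from the bug description above; the last line is a
# constructed entry for a second client that shows no replay-counter error.
SAMPLE_DEBUG = """\
*Dot1x_NW_MsgTask_5: Jan 14 12:15:35.934: d8:f2:ca:38:08:3d Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile d8:f2:ca:38:08:3d
*Dot1x_NW_MsgTask_5: Jan 14 12:15:35.934: d8:f2:ca:38:08:3d EAPOL Key message with invalid authenticator replay counter got      00 00 00 00 00 00 00 00 expected 00 00 00 00 00 00 00 01 from mobile d8:f2:ca:38:08:3d
*osapiBsnTimer: Jan 14 12:15:41.085: d8:f2:ca:38:08:3d 802.1x 'timeoutEvt' Timer expired for station d8:f2:ca:38:08:3d and for message = M3
*osapiBsnTimer: Jan 14 12:15:42.000: 00:11:22:33:44:55 802.1x 'timeoutEvt' Timer expired for station 00:11:22:33:44:55 and for message = M3
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
CTR = r"((?:[0-9a-f]{2} ){7}[0-9a-f]{2})"  # 8-byte replay counter as hex pairs
REPLAY_RE = re.compile(
    rf"invalid authenticator replay counter got\s+{CTR}\s+expected\s+{CTR}"
    rf"\s+from mobile ({MAC})", re.I)
TIMEOUT_RE = re.compile(
    rf"Timer expired for station ({MAC}) and for message = (M\d)", re.I)


def find_stale_replay_clients(debug_text):
    """Return {mac: {"got", "expected", "timeouts"}} for clients whose
    EAPOL-Key reply carried a replay counter lower than the WLC expected."""
    findings = {}
    for line in debug_text.splitlines():
        m = REPLAY_RE.search(line)
        if m:
            got, expected = (int(x.replace(" ", ""), 16) for x in m.group(1, 2))
            if got < expected:  # counter is behind what the WLC expected
                findings[m.group(3).lower()] = {
                    "got": got, "expected": expected, "timeouts": []}
            continue
        m = TIMEOUT_RE.search(line)
        # Only count timeouts for clients already flagged; a timeout alone
        # is not specific to this symptom.
        if m and m.group(1).lower() in findings:
            findings[m.group(1).lower()]["timeouts"].append(m.group(2))
    return findings


if __name__ == "__main__":
    for mac, f in find_stale_replay_clients(SAMPLE_DEBUG).items():
        print(f"{mac}: got {f['got']} expected {f['expected']} "
              f"timeouts {f['timeouts']}")
```

A flagged client only matches the WLC-side symptom; confirming duplicated M1 frames still requires an over-the-air or AP-side capture.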