Cisco Bug: CSCvs91638 - NAM sends different sNounce/MIC in the 2nd M2 compared to first M2 response to the AP

Last Modified

Oct 19, 2020

Products (1)

  • Cisco AnyConnect Secure Mobility Client

Known Affected Releases

4.8(1000) 4.8(1090) 4.8(2000)

Description (partial)

Symptom:
The 4-way handshake fails with the NAM supplicant (AnyConnect 4.7.03052/4.8). If NAM is removed and the Windows supplicant is used, the client can connect. NAM is able to connect to an open SSID.

In the WLC debug we see:

*Dot1x_NW_MsgTask_5: Jan 14 12:15:35.934: Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile
*Dot1x_NW_MsgTask_5: Jan 14 12:15:35.934: 
EAPOL Key message with invalid authenticator replay counter got      00 00 00 00 00 00 00 00 expected 00 00 00 00 00 00 00 01 from mobile 
*osapiBsnTimer: Jan 14 12:15:41.085:  802.1x 'timeoutEvt' Timer expired for station and for message = M3


On NAM we see:
7487: VLADS-LT: Oct 28 2019 09:14:43.661 -0200: %NAM-3-ERROR_MSG: %[tid=5708][comp=SAE]: RSN (12) Pairwise MIC verification failed
7488: VLADS-LT: Oct 28 2019 09:14:45.826 -0200: %NAM-3-ERROR_MSG: %[tid=5708][comp=SAE]: RSN (12) Pairwise MIC verification failed
7489: VLADS-LT: Oct 28 2019 09:14:45.826 -0200: %NAM-3-ERROR_MSG: %[tid=5708][comp=SAE]: RSN (12) Pairwise MIC verification failed

Conditions:
NAM 4.7/4.8
AP is sending duplicate EAP/EAPOL packets
IOS APs
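
The condition in the bug title can be checked in a capture by comparing the SNonce of every M2 sent in answer to the same ANonce; the PTK is derived from both nonces, so a supplicant and authenticator holding different SNonces derive different keys and MIC checks fail. This is an added example, not Cisco code: field offsets follow the IEEE 802.11 EAPOL-Key frame layout, and the function names and sample frames are constructed for illustration.

```python
import struct

ACK, MIC, SECURE = 1 << 7, 1 << 8, 1 << 9   # Key Information flag bits

def parse_eapol_key(frame: bytes) -> dict:
    """Parse an EAPOL-Key frame, starting at the 802.1X header."""
    if len(frame) < 99 or frame[1] != 3:     # packet type 3 = EAPOL-Key
        raise ValueError("not a complete EAPOL-Key frame")
    info, _key_len, replay = struct.unpack_from("!HHQ", frame, 5)
    if info & ACK:                           # sent by the authenticator
        msg = "M3" if info & MIC else "M1"
    else:                                    # sent by the supplicant
        msg = "M4" if info & SECURE else "M2"
    return {"msg": msg, "replay": replay,
            "nonce": frame[17:49], "mic": frame[81:97]}

def find_snonce_changes(frames):
    """Return (first_m2_index, later_m2_index) for every M2 whose SNonce
    differs from the first M2 sent in answer to the same ANonce."""
    anonce, first_m2, findings = None, {}, []
    for i, raw in enumerate(frames):
        f = parse_eapol_key(raw)
        if f["msg"] == "M1":
            anonce = f["nonce"]              # duplicate M1s repeat this value
        elif f["msg"] == "M2":
            idx, snonce = first_m2.setdefault(anonce, (i, f["nonce"]))
            if snonce != f["nonce"]:
                findings.append((idx, i))
    return findings

def build(info, replay, nonce):
    """Build a constructed frame: zeroed IV/RSC/reserved/MIC, no key data."""
    body = struct.pack("!BHHQ", 2, info, 16, replay) + nonce + bytes(50)
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed sample, not taken from the bug: the AP sends M1 twice and the
# supplicant answers each copy with a different SNonce.
A, S1, S2 = b"\xaa" * 32, b"\x01" * 32, b"\x02" * 32
SAMPLE = [build(0x008A, 0, A), build(0x008A, 1, A),
          build(0x010A, 0, S1), build(0x010A, 1, S2)]
STABLE = [build(0x008A, 0, A), build(0x010A, 0, S1), build(0x010A, 0, S1)]

if __name__ == "__main__":
    print(find_snonce_changes(SAMPLE))   # [(2, 3)]
    print(find_snonce_changes(STABLE))   # []
```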