?
Solved

Cisco WLC 2500 Series - Cisco 1601i Access Points

Posted on 2014-03-04
23
Medium Priority
?
2,389 Views
Last Modified: 2014-04-15
We have two 1601i access points that are lightweight and controlled by a WLC 2500.

We are having issues with them dropping clients and the client will reassociate and drop again.  They go through this cycle constantly.  I have found on the web that the antenna power may be causing the issues.  I have tried changing the power settings and nothing works.

Does anyone know what we can try on this?
0
Comment
Question by:considerscs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 13
  • 10
23 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39904804
What code are you running on the WLC?  I'll guess it's 7.4?

If so, try upgrading to 7.5 or 7.6.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39904845
I am on 7.5.102.0.  I have tried upgrading in the past and it doesnt help.  Below is the link I found for the power issues for the antennas.

http://networkengineering.stackexchange.com/questions/2774/wifi-dropping-randomly-on-cisco-ap-1602

The only thing is, this refers to autonomous and I need it for lightweight or how to configure this on the WLC.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39904884
The article you refer to only offers that answer as a possible solution and was not marked specifically as 'the answer'.

I've not seen any issues with the 1600 APs and v7.5 or 7.6 code.  I did with the 7.4 train, but that was resolved.

Can you post the logs from the WLC?
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 1

Author Comment

by:considerscs
ID: 39906276
What 7.5 code have you run?  Higher than the 7.5.110.0?  I will attempt another upgrade to see if that resolves it.

Here is a portion of the logs.  I am seeing this error alot.

*Dot1x_NW_MsgTask_5: Mar 04 19:31:00.657: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:361 Invalid replay counter from client 84:4b:f5:62:09:75 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_5: Mar 04 19:31:00.648: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:361 Invalid replay counter from client 84:4b:f5:62:09:75 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_5: Mar 04 19:31:00.005: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:361 Invalid replay counter from client 84:4b:f5:62:09:75 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00
*Dot1x_NW_MsgTask_5: Mar 04 19:30:56.834: #DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2112 Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 2, client 84:4b:f5:62:09:75
*Dot1x_NW_MsgTask_5: Mar 04 19:30:55.874: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:361 Invalid replay counter from client 84:4b:f5:62:09:75 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39906299
That looks like a TKIP problem.

What authentication/encryption are you using?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906302
WPA w/ TKIP
WPA2 w/ AES
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39906308
Can you turn off WPA/TKIP and see if you still get the errors/dropouts?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906333
After removing WPA policy I am still seeing the drops.

Here is the log after this change was made seeing the same as above.

INVALID_REPLAY_CTR: 1x_eapkey.c:361 Invalid replay counter from client bc:92:6b:88:d0:fb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906335
The weird part is that we have two 1602i and they are the ones dropping clients, but we have 8 1130s and never have any issues with dropping clients.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39906461
Ok so if you take a client which works fine on the 1130 APs, and try to connect to the 1600 APs, do you see the issue?

Are the 1130s and the 1600s using the same WLANs?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906492
Yes, all using same WLAN.  We have a production and free wifi.  When clients move buildings, they are fine on 1130s, when they come to the 1602i they drop consistently.

On the free wifi on the 1602i, they can connect and stay connected, but on the production which is protected, they continue to drop.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39906555
How are you doing the 802.1x?  What RADIUS do you have?  Can you see anything in the RADIUS logs?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906566
802.1x is not enabled on the WLAN under authentication key management in the WLAN settings.

Only PSK is enabled with PSK format of ASCII
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39906584
Ok, so I don't understand why you're seeing this:

DOT1X-3-INVALID_WPA_KEY_STATE
That would mean you're trying to use 802.1x at the client side, but if you're using a PSK the client shouldn't be trying to use 802.1x

How are your clients configured to connect to the WLAN? Do you do this manually or via GPO for example?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906716
Manually all clients are added as we image their pcs and set them up on site for them.  So they are joined based on the wireless network showing in Windows 7, and then typing in the password.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39906767
Are you using a recent NIC driver?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906770
Yes, all these machines having conneciton issues are brand new machines with the most updated drivers from the manufacturer.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39906772
i did see somewhere that the Intel 6500 (I believe thats the model) card is know by Cisco to have issues with the 1602i, but we do not have any of those.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 39908848
In the Layer2 Security tab for the WLAN, do you have Auth Key Mgmt set to 802.1X or 802.1X + CCKM?
0
 
LVL 1

Author Comment

by:considerscs
ID: 39909223
Neither are checked.  I only have PSK checked.  See the image attached for a screenshot of this tab.

Maybe not having these checked is the issue.
auth-key-management.png
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39909357
Ok so it has to be something that the client is doing then.  The WLC isn't expecting to see any 802.1x so when the client sends an EAPOL frame it drops the connection.

You should review the client's configuration.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39909592
My only concern with it being the WLC versus the client is that, these same clients connect to the exact same WLC and WLAN at another building with an 1130 AP.  So why is the 1602i the only ones that are kicking clients?
0
 
LVL 1

Author Closing Comment

by:considerscs
ID: 40002146
problem not resolved but giving points for the assistance
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question