Wireless client being dropped from network

I am working an issue where a client device (ac:a2:13:0d:92:fb) is dropped from the our wireless network once or twice in a hour.  I found the following message in my controller log.  Based on the message below can someone give me a idea what may be going?


Wed Feb 21 11:28:46 2018
Rogue client: ac:a2:13:0d:92:fb is detected by 1 APs Rogue Client Bssid: 84:80:2d:45:35:40, State: Alert, Last detecting AP :84:3d:c6:70:82:70 Rogue Client gateway mac ff:ff:ff:ff:ff:ff.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
MAC block AC:A2:13 is assigned to "Shenzhen Bilian electronic CO.,LTD" which is not much help in figuring out what the device is.

"Shenzhen Bilian Electronic Co., Ltd. is a company that specializes in the production of wireless networking equipment, and provides high quality home WiFi and business WiFi equipment."

See the enlightening commentary at the link below:


From where I sit it appears that you do, in fact, have a rogue / unauthorized device connecting to your network, and the reason you're seeing it get dropped periodically is because it's a rogue device and its gateway is not configured correctly.
nh6weAuthor Commented:
The strange thing is that the mac address is from a valid client.  Its a known device and the user is fully authenticated
Dr. KlahnPrincipal Software EngineerCommented:
Well, whatever it is, it appears to be periodically forgetting what its gateway is and substituting FF:FF:FF:FF:FF:FF instead.  Could well be a loose solder joint somewhere around the WiFi chip.  I can certainly see how this would upset a smart access point when a device uses the local network broadcast address improperly.

"Broadcast is possible also on the underlying Data Link Layer in Ethernet networks. Frames are addressed to reach every computer on a given LAN segment if they are addressed to MAC address FF:FF:FF:FF:FF:FF. Ethernet frames that contain IP broadcast packages are usually sent to this address."
Webinar: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. Join us in our upcoming webinar as we discuss how to best defend against these attacks!

Craig BeckCommented:
Loose solder joint??

Forget looking at the client. It is being flagged as rogue as it is connecting to an AP on an external network with the same SSID.

It is likely roaming because of poor signal so try to improve coverage for the client so that it doesn't try to roam.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dr. KlahnPrincipal Software EngineerCommented:
External network with the same SSID??
Craig BeckCommented:
Yep. Ever heard of a honeypot?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.