Cisco AP – troubleshooting notes

This post contains notes related to troubleshooting Cisco APs (in autonomous mode) and wireless clients.

Analyze logs

Open network

The following logs come from an AP configured without authentication/encryption settings.

  1. The client is configured with an invalid SSID. There are no log messages on the AP. Note that the SSID is case sensitive.
  2. The client connects to the AP
    Dec 28 2015 10:05:47.208 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   240a.6456.3701 Associated KEY_MGMT[NONE]
    
  3. The client connects to the AP, leaves BSS immediately and returns to BSS quickly
    Dec 28 2015 10:46:34.036 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    // The station is leaving the BSS - no logs
    // ...
    // Now the station returns back to the BSS
    Dec 28 2015 10:47:01.599 CET: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 5c93.a2d0.5414 Reason: Sending station has left the BSS
    Dec 28 2015 10:47:01.602 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    ap#
    
  4. The client connects to the AP, leaves the BSS immediately and returns to the BSS after a long period
    Dec 28 2015 11:04:21.273 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    // The station leaves the BSS immediately 
    // ...
    // The station is still out of the BSS
    Dec 28 2015 11:05:58.135 CET: %DOT11-4-MAXRETRIES: Packet to client 5c93.a2d0.5414 reached max retries, removing the client
    Dec 28 2015 11:05:58.136 CET: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 5c93.a2d0.5414 Reason: Previous authentication no longer valid
    // ...
    // The station returns back to BSS
    Dec 28 2015 11:09:06.945 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    

WEP network

The following logs come from an AP configured without authentication but with WEP encryption settings.

  1. The client is configured with an invalid SSID. There are no log messages on the AP. Note that the SSID is case sensitive.
  2. Invalid WEP password. In this case the Windows client shows “Limited access” (in the tray icon).
    Dec 28 2015 11:50:58.898 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    ap#
    Dec 28 2015 11:50:59.054 CET: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface Dot11Radio0 and station 5c93.a2d0.5414
    
  3. The client connects to the AP
    Dec 28 2015 11:24:13.820 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    
  4. The client connects to the AP, leaves BSS immediately and returns to BSS quickly
    Dec 28 2015 11:41:08.695 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    // The station is leaving the BSS - no logs
    // ...
    // Now the station returns back to the BSS
    Dec 28 2015 11:41:51.007 CET: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 5c93.a2d0.5414 Reason: Sending station has left the BSS
    Dec 28 2015 11:41:51.072 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    ap#
    
  5. The client connects to the AP, leaves the BSS immediately and returns to the BSS after a long period
    Dec 28 2015 11:41:08.695 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    // The station leaves the BSS immediately 
    // ...
    // The station is still out of the BSS
    Dec 28 2015 11:41:51.007 CET: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 5c93.a2d0.5414 Reason: Sending station has left the BSS
    Dec 28 2015 11:41:51.072 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE] authentication no longer valid
    // ...
    // The station returns back to BSS
    Dec 28 2015 11:45:42.643 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[NONE]
    

WPA2 network

The following logs come from an AP configured with WPA2 authentication/encryption settings.

  1. The client is configured with an invalid SSID. There are no log messages on the AP. Note that the SSID is case sensitive.
  2. Invalid WPA2 (PSK) password
    Dec 28 2015 12:06:12.030 CET: %DOT11-7-AUTH_FAILED: Station 5c93.a2d0.5414 Authentication failed
    ap#
    
  3. The client connects to the AP
    Dec 28 2015 12:06:38.501 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[WPAv2 PSK]
    
  4. The client connects to the AP, leaves BSS immediately and returns to BSS quickly
    Dec 28 2015 12:20:47.618 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[WPAv2 PSK]
    // The station is leaving the BSS - no logs
    // ...
    // Now the station returns back to the BSS
    Dec 28 2015 12:21:45.575 CET: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 5c93.a2d0.5414 Reason: Sending station has left the BSS
    Dec 28 2015 12:21:49.354 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[WPAv2 PSK]
    ap#
    
  5. The client connects to the AP, leaves the BSS immediately and returns to the BSS after a long period
    Dec 28 2015 12:23:56.044 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[WPAv2 PSK]
    // The station leaves the BSS immediately 
    // ...
    // The station is still out of the BSS
    Dec 28 2015 12:24:38.014 CET: %DOT11-4-MAXRETRIES: Packet to client 5c93.a2d0.5414 reached max retries, removing the client
    Dec 28 2015 12:24:38.015 CET: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 5c93.a2d0.5414 Reason: Previous authentication no longer valid
    // ...
    // The station returns back to BSS
    Dec 28 2015 12:25:44.226 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  5c93.a2d0.5414 Associated KEY_MGMT[WPAv2 PSK]
    

Roaming logs (WEP authentication/encryption)

AP 2: (association, roaming, disassociation)
 Dec 23 11:31:25.163: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  4083.de82.da91 Associated KEY_MGMT[NONE]
 Dec 23 11:31:28.651: %DOT11-6-ROAMED: Station 4083.de82.da91 Roamed to 80e8.6f99.3830
 Dec 23 11:31:28.651: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 4083.de82.da91 Reason: Sending station has left the BSS

AP 1: (association, roaming from AP 2)
 Dec 23 11:31:28.637: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  4083.de82.da91 Associated KEY_MGMT[NONE]
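
The log patterns from the sections above can be turned into a small per-station classifier. This is an added example, not part of the original post; the function names, the wording of the notes and the sample lines (constructed, with documentation-range MAC addresses) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Only the %DOT11 part is parsed, so both timestamp styles on this page work.
MSG = re.compile(r"%DOT11-\d-([A-Z0-9_]+): (.*)")
MAC = re.compile(r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b")
DETAIL = re.compile(r"KEY_MGMT\[([^\]]*)\]|Reason: (.*)")

NOTES = {  # mnemonic -> condition this page observed for it
    "ENCRYPT_MISMATCH": "possible wrong WEP key",
    "AUTH_FAILED": "authentication failed (wrong WPA2 PSK on this page)",
    "MAXRETRIES": "unreachable, removed by the AP",
    "ROAMED": "roamed to another AP",
}

def parse(line):
    """Return (mnemonic, station MAC, detail), or None if not a station event."""
    m = MSG.search(line)
    mac = MAC.search(m.group(2)) if m else None  # first MAC is the station
    if not mac:
        return None
    d = DETAIL.search(m.group(2))
    detail = (d.group(1) or d.group(2) or "").strip() if d else ""
    return m.group(1), mac.group(0), detail

def findings(log_text):
    """Map each station MAC to the conditions its log entries indicate."""
    out = defaultdict(list)
    for mnemonic, mac, detail in filter(None, map(parse, log_text.splitlines())):
        if mnemonic == "ASSOC" and detail == "NONE":
            out[mac].append("associated with KEY_MGMT[NONE] (open or WEP)")
        elif mnemonic == "DISASSOC":
            out[mac].append("deauthenticated: " + detail)
        elif mnemonic in NOTES:
            out[mac].append(NOTES[mnemonic])
    return dict(out)

# Constructed sample lines (documentation-range MACs), in the page's formats.
SAMPLE = """\
Dec 28 2015 11:50:58.898 CET: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0000.5e00.5301 Associated KEY_MGMT[NONE]
Dec 28 2015 11:50:59.054 CET: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface Dot11Radio0 and station 0000.5e00.5301
Dec 28 2015 12:06:12.030 CET: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5302 Authentication failed
Dec 28 2015 12:24:38.014 CET: %DOT11-4-MAXRETRIES: Packet to client 0000.5e00.5303 reached max retries, removing the client
Dec 28 2015 12:24:38.015 CET: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0000.5e00.5303 Reason: Previous authentication no longer valid
"""

if __name__ == "__main__":
    for mac, notes in findings(SAMPLE).items():
        print(mac, "->", "; ".join(notes))
```

Associations with WPAv2 PSK key management produce no finding, and the `//` annotation lines used in the listings above are skipped.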

Troubleshooting commands

See enabled SSIDs

ap#show dot11 bssid

Interface      BSSID         Guest  SSID
Dot11Radio0   0017.59fa.c770  Yes  wep_net
ap#

See enabled radios

ap#show ip interface b
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.0.105   YES NVRAM  up                    up
Dot11Radio0                unassigned      YES NVRAM  up                    up
Dot11Radio1                unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES NVRAM  up                    up

See associated clients

ap#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [wep_net] :

MAC Address    IP address      Device        Name            Parent         State
240a.6456.3701 192.168.0.101   unknown       -               self           Assoc
5c93.a2d0.5414 192.168.0.102   ccx-client    -               self           Assoc

Note: one of the devices supports the Cisco CCX extensions (it is a laptop with an Intel Wi-Fi card).

Analyze client connectivity

Use the linktest command to analyze client connectivity in detail. The option works only with a CCX client. Use the command:

ap#dot11 dot11Radio 0 linktest target 5c93.a2d0.5414

The result is: [screenshot: aptrb-linktest1]
The following example shows how you can limit the available speed on the AP and how that impacts connectivity quality:
[screenshot: aptrb-linktest2]

See controllers information

ap#show controllers  dot11Radio 0
!
interface Dot11Radio0
Radio AIR-MP21G, Base Address 0017.59fa.c770, BBlock version 0.00, Software version 6.11.6
Serial number: FOC1009C8RM
Number of supported simultaneous BSSID on Dot11Radio0: 8
Carrier Set: EMEA (EU )
Uniform Spreading Required: No
Current Frequency: 2437 MHz  Channel 6
Allowed Frequencies: 2412(1) 2417(2) 2422(3) 2427(4) 2432(5) 2437(6) 2442(7) 2447(8) 2452(9) 2457(10) 2462(11) 2467(12) 2472(13)
(...)
Listen Frequencies: 2412(1) 2417(2) 2422(3) 2427(4) 2432(5) 2437(6) 2442(7) 2447(8) 2452(9) 2457(10) 2462(11) 2467(12) 2472(13) 2484(14)
Beacon Flags: 0; Beacons are enabled; Probes are enabled
Current CCK Power: 50 mW
Allowed CCK Power Levels: 1 5 10 20 30 50
Current OFDM Power: 30 mW
Allowed OFDM Power Levels: 1 5 10 20 30
Allowed Client Power Levels: 1 5 10 20 30 50
ERP settings: protection mechanisms, non-ERP present.
Neighbors in non-erp mode:
(...)
Current Rates:  basic-1.0 basic-2.0 basic-5.5 basic-11.0
Active Rates:  basic-1.0 basic-2.0 basic-5.5 basic-11.0
(...)
Data Rate Sensitivity (rate, SNR dB, Contention dBm)
( 1.0,  1, -98)   ( 2.0,  7, -94)   ( 5.5,  9, -92)   (11.0, 16, -86)
( 6.0,  7, -92)   ( 9.0, 14, -87)   (12.0, 12, -87)   (18.0, 15, -84)
(24.0, 17, -82)   (36.0, 24, -76)   (48.0, 29, -73)   (54.0, 33, -69)
(...)
Antenna: external , gain 4 (platform 0, domain class E)
PCI sys_id: 0xA506 subsys_id 0x5100 (0x5101)

Tips

Cisco Aironet Extensions

Disabling Aironet extensions turns off some features, but it sometimes improves the ability of non-Cisco client devices to associate to the wireless device. Aironet extensions are enabled by default.

ap# conf t
ap(config)# interface dot11Radio 0
ap(config-if)# no dot11 extension aironet
ap(config-if)#

You can use this tip if your client loses connectivity without any obvious reason. For example, you can get this log entry:

Dec 23 11:39:57.938: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 4083.de82.da91 Reason: Previous authentication no longer valid

Source: https://supportforums.cisco.com/discussion/10073326/aironet-1240ag-error-previous-authentication-no-longer-valid-help
