
WLC - ISE Authentication - Error DOT1X-3-INVALID_REPLAY - Some Clients are complaining about random disconnections

Dear All

At a customer's installation, users are complaining about random disconnections in a WLAN with ISE as the RADIUS server.

WLAN 1 is set up with PEAP authentication, and the WLAN clients are Windows 7 clients - Lenovo T440.

WLC: 8.0.115.0

ISE-Server: 1.2

Some clients are disconnecting randomly. The configuration is correct and it basically works. In the ISE authentication log everything looks fine, but on the WLC I see "Error DOT1X-3-INVALID_REPLAY" logs from clients using this WLAN.

According to Cisco, it looks like the client's driver is not up to date:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/message/guide/controller_smg/msgs4.html#wp1000139
Error Message    %DOT1X-3-INVALID_REPLAY_CTR: Invalid replay counter from client
[hex]:[hex]:[hex]:[hex]:[hex]:[hex] - got [hex] [hex] [hex] [hex] [hex] [hex]
[hex] [hex], expected [hex] [hex] [hex] [hex] [hex] [hex] [hex] [hex]

Explanation    Client authentication failed because an EAPOL message from the client contained an invalid replay counter.
 
Recommended Action    If the problem persists, try upgrading the client driver software or using different client software to isolate the cause. Also investigate possible intruder activity.

Here are some logs:
*Dot1x_NW_MsgTask_4: Jul 20 17:30:02.433: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 48:74:6e:60:dd:0c - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_3: Jul 20 17:29:14.944: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client c0:f2:fb:b4:31:fb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_5: Jul 20 17:25:47.057: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 00:b3:62:b7:ba:95 - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_6: Jul 20 17:16:43.835: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 28:ed:6a:d6:8b:1e - got 00 00 00 00 00 00 00 04, expected 00 00 00 00 00 00 00 05
*Dot1x_NW_MsgTask_6: Jul 20 17:16:43.834: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 28:ed:6a:d6:8b:1e - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 05
*Dot1x_NW_MsgTask_4: Jul 20 17:00:28.533: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 70:ec:e4:d2:80:8c - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_4: Jul 20 16:48:45.216: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client bc:6c:21:67:ed:f4 - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_2: Jul 20 16:42:15.871: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 1c:5c:f2:d1:53:0a - got 00 00 00 00 00 00 00 05, expected 00 00 00 00 00 00 00 06
*Dot1x_NW_MsgTask_4: Jul 20 16:40:39.132: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client cc:3d:82:11:c2:54 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00

I also see some LWAPP replay errors:

*spamApTask4: Jul 20 18:20:20.189: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 3, count 4 from AP 50:67:ae:6a:6b:f0
*spamApTask6: Jul 20 18:15:29.054: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 3, count 1 from AP 50:1c:bf:e3:02:c0
*spamApTask5: Jul 20 17:45:10.625: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 1, WLAN ID 3, count 1 from AP 24:01:c7:91:cb:d0
*spamApTask4: Jul 20 17:13:02.138: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 3, count 1 from AP 84:b8:02:db:82:b0
*spamApTask5: Jul 20 17:11:51.410: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 3, count 1 from AP b0:aa:77:7b:8e:20
*spamApTask4: Jul 20 17:11:02.134: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 3, count 2 from AP 84:b8:02:db:82:b0
*spamApTask0: Jul 20 17:09:36.836: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 1, count 1 from AP 24:01:c7:ac:5a:e0
*spamApTask5: Jul 20 16:59:51.545: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 1, count 1 from AP 24:01:c7:29:af:e0
*spamApTask6: Jul 20 16:52:02.400: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 1, count 2 from AP 50:1c:bf:e3:04:30
*spamApTask6: Jul 20 16:50:03.140: #LWAPP-3-REPLAY_ERR: spam_lrad.c:37704 The system has received replay error on slot 0, WLAN ID 1, count 2 from AP 50:1c:bf:e3:04:30

Does anybody have the same issue and logs on the WLC?

Thanks a lot and best regards

Oliver
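
The following is an added triage example, not part of the original post and not Cisco tooling: it parses the DOT1X-3-INVALID_REPLAY_CTR lines in the format quoted above and groups them per client by how far the received replay counter was from the expected one. The function names are hypothetical, and the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Message layout as it appears in the WLC log lines quoted in the post.
REPLAY_RE = re.compile(
    r"#DOT1X-3-INVALID_REPLAY_CTR: .*?from client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) - "
    r"got (?P<got>(?:[0-9a-f]{2} ?){8}), "
    r"expected (?P<exp>(?:[0-9a-f]{2} ?){8})",
    re.IGNORECASE,
)

# Sample input: four lines copied from the post above (no new data).
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_4: Jul 20 17:30:02.433: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 48:74:6e:60:dd:0c - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_6: Jul 20 17:16:43.835: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 28:ed:6a:d6:8b:1e - got 00 00 00 00 00 00 00 04, expected 00 00 00 00 00 00 00 05
*Dot1x_NW_MsgTask_6: Jul 20 17:16:43.834: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client 28:ed:6a:d6:8b:1e - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 05
*Dot1x_NW_MsgTask_4: Jul 20 16:40:39.132: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:446 Invalid replay counter from client cc:3d:82:11:c2:54 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00
"""

def parse_replay_errors(text):
    """Yield (client_mac, got, expected) for each invalid-replay-counter line."""
    for line in text.splitlines():
        m = REPLAY_RE.search(line)
        if m:
            got = int.from_bytes(bytes.fromhex(m["got"].replace(" ", "")), "big")
            exp = int.from_bytes(bytes.fromhex(m["exp"].replace(" ", "")), "big")
            yield m["mac"].lower(), got, exp

def summarize(text):
    """Per client: number of errors and the set of (got - expected) offsets."""
    stats = defaultdict(lambda: {"count": 0, "offsets": set()})
    for mac, got, exp in parse_replay_errors(text):
        stats[mac]["count"] += 1
        stats[mac]["offsets"].add(got - exp)
    return dict(stats)

def clients_ahead(text):
    """Clients that sent a counter higher than the controller expected."""
    return sorted(m for m, s in summarize(text).items() if max(s["offsets"]) > 0)

if __name__ == "__main__":
    for mac, s in sorted(summarize(SAMPLE_LOG).items()):
        print(mac, s["count"], sorted(s["offsets"]))
```

A negative offset means the client echoed the counter from an earlier EAPOL-Key message than the one the controller last sent. Sorting clients by count and offset shows whether the errors cluster on particular devices, which is the isolation step the Cisco recommended action asks for.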
