Cisco 871W Deauthenticating Clients

Discussion in 'Cisco' started by ensnare, Jan 24, 2009.

  1. ensnare

    ensnare

    Joined:
    Jan 24, 2009
    Messages:
    5
    Hi -- I'm having a lot of trouble with my 871W deauthenticating clients. I have 2 SSIDs, G and G-Guest, where G uses WPA2 and G-Guest is open. I find that random clients get deauthenticated from G, which causes a loss of connectivity. Most recently, my two friends were over with their two laptops and each laptop's registration caused the other laptop to deregister. This all happened while 5-6 other hosts remained associated without connectivity loss. I tried changing the channel, but that didn't make much of a difference. I was originally running 124-22 and downgraded to 124-15.T8, which is what I am using now.

    The error message I see in my log is: "Deauthenticating Station 001f.5bc6.857e Reason: Previous authentication no longer valid"

    My run conf is displayed below. Any help with resolving this issue would be greatly appreciated; as you can imagine, this is very frustrating. Thank you!!
     
    ensnare, Jan 24, 2009
    #1

  2. ensnare

    ensnare

    Joined:
    Jan 24, 2009
    Messages:
    5
    Building configuration...

    Current configuration : 12293 bytes
    !
    ! No configuration change since last restart
    ! NVRAM config last updated at 22:37:54 MST Fri Jan 23 2009 by admin
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname snowcloud
    !
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.124-15.T8.bin
    boot-end-marker
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    clock timezone MST -7
    clock summer-time MDT recurring
    !

    dot11 syslog
    !
    dot11 ssid G
    vlan 1
    authentication open
    authentication key-management wpa
    mbssid guest-mode
    wpa-psk ascii 7 1515020B052832302D
    !
    dot11 ssid G-Guest
    vlan 2
    authentication open
    mbssid guest-mode
    !
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip domain name example.com
    ip inspect name myfw rtsp timeout 5
    !
    multilink bundle-name authenticated
    !
    !
    username admin privilege 15 password 7 0708284B4F0B001112
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh rsa keypair-name snowcloud.example.com
    ip ssh version 2
    !
    class-map match-all SCCP
    match ip dscp cs3
    class-map match-any AutoQoS-VoIP-Remark
    match ip dscp ef
    match ip dscp cs3
    match ip dscp af31
    class-map match-all RTP
    match ip dscp ef
    class-map match-any AutoQoS-VoIP-Control-UnTrust
    match access-group name AutoQoS-VoIP-Control
    class-map match-any AutoQoS-VoIP-RTP-UnTrust
    match protocol rtp audio
    match access-group name AutoQoS-VoIP-RTCP
    !
    !
    policy-map AutoQoS-Policy-UnTrust
    class AutoQoS-VoIP-RTP-UnTrust
    priority percent 70
    set dscp ef
    class AutoQoS-VoIP-Control-UnTrust
    bandwidth percent 5
    set dscp af31
    class AutoQoS-VoIP-Remark
    set dscp default
    class class-default
    fair-queue
    policy-map Guest
    class class-default
    police rate 524000 bps
    exceed-action drop
    policy-map Voice
    class RTP
    set cos 6
    set precedence 6
    class SCCP
    set cos 3
    set precedence 3
    !
    !
    bridge irb
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    bandwidth 2048
    bandwidth receive 16384
    ip ddns update hostname ajg-colorado.dyndns.org
    ip ddns update HTTP
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    load-interval 30
    duplex auto
    speed auto
    auto qos voip
    crypto map mymap
    max-reserved-bandwidth 85
    service-policy output AutoQoS-Policy-UnTrust
    !
    interface Dot11Radio0
    no ip address
    beacon period 500
    no dot11 extension aironet
    !
    encryption vlan 1 mode ciphers aes-ccm
    !
    ssid G
    !
    ssid G-Guest
    !
    mbssid
    speed basic-54.0
    station-role root
    world-mode dot11d country US both
    no cdp enable
    max-reserved-bandwidth 85
    service-policy input Voice
    service-policy output Voice
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    service-policy input Voice
    service-policy output Voice
    !
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    service-policy input Voice
    service-policy output Voice
    !
    interface Vlan1
    description Internal Network
    no ip address
    ip nat inside
    ip virtual-reassembly
    auto qos voip
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface Vlan2
    description Guest Network
    no ip address
    ip nat inside
    ip virtual-reassembly
    bridge-group 2
    bridge-group 2 spanning-disabled
    !
    interface BVI1
    description Bridge to Internal Network
    ip address 10.1.0.1 255.255.0.0
    ip nat inside
    ip virtual-reassembly
    !
    interface BVI2
    description Bridge from Guest Network to Internet
    ip address 192.168.0.1 255.255.255.0
    ip access-group 130 in
    ip access-group 130 out
    ip nat inside
    ip virtual-reassembly
    service-policy input Guest
    service-policy output Guest
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static tcp 10.1.10.4 6881 interface FastEthernet4 6881
    ip nat inside source route-map NAT_ACCESS interface FastEthernet4 overload
    !
    ip access-list extended AutoQoS-VoIP-Control
    permit tcp any any eq 1720
    permit tcp any any range 11000 11999
    permit udp any any eq 2427
    permit tcp any any eq 2428
    permit tcp any any range 2000 2002
    permit udp any any eq 1719
    permit udp any any eq 5060
    ip access-list extended AutoQoS-VoIP-RTCP
    permit udp any any range 16384 32767
    ip access-list extended RTP
    permit udp any range 16384 32767 any
    permit udp any any range 16384 32767
    ip access-list extended SCCP
    permit tcp any eq 2000 any
    permit tcp any any eq 2000
    !
    ip sla 1
    icmp-echo 10.0.0.1 source-interface Vlan1
    ip sla schedule 1 life forever start-time now
    access-list 1 permit 67.26.17.15
    access-list 1 permit 80.207.8.1
    access-list 1 remark REMOTE ROUTER SSH and TELNET ACCESS
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 1 permit 172.16.0.0 0.0.255.255
    access-list 1 permit 172.17.0.0 0.0.255.255
    access-list 1 permit 98.113.56.0 0.0.0.255
    access-list 1 permit 69.90.154.0 0.0.0.255
    access-list 1 deny any
    access-list 10 remark SNMP ACCESS
    access-list 10 permit 172.16.1.1
    access-list 10 deny any
    access-list 110 remark TRAFFIC TO MARK AS VPN
    access-list 110 permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    access-list 120 remark INTERNET ACCESS THROUGH NAT
    access-list 120 deny ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    access-list 120 deny ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 120 permit ip 10.1.0.0 0.0.255.255 any
    access-list 120 permit ip 192.168.0.0 0.0.0.255 any
    access-list 130 remark Guest Network Access Control
    access-list 130 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 130 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
    access-list 130 permit ip any any
    snmp-server community public RO 10
    !
    !
    !
    route-map NAT_ACCESS permit 10
    match ip address 120
    !
    !
    control-plane
    !
    bridge 1 route ip
    bridge 2 route ip
    rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
    rmon alarm 33338 cbQosCMDropBitRate.82.14154081 30 absolute rising-threshold 1 33333 falling-threshold 0 owner AutoQoS
    banner login ^CC
    NOTICE TO USERS
    =============================================================================
    This is an official computer system and is private property of AJG Networks.
    It is for authorized users only. Unauthorized users are
    prohibited. Users (authorized or unauthorized) have no explicit or
    implicit expectation of privacy. Any or all uses of this system may be
    subject to one or more of the following actions: interception, monitoring,
    recording, auditing, inspection and disclosing to security personnel and
    law enforcement personnel, as well as authorized officials of other agencies,
    both domestic and foreign. By using this system, the user consents to these
    actions. Unauthorized or improper use of this system may result in
    administrative disciplinary action and civil and criminal penalties.
    By accessing this system you indicate your awareness of and consent to
    these terms and conditions of use. Discontinue access immediately
    if you do not agree to the conditions stated in this notice.
    =============================================================================

    User Access Verification

    snowcloud.example.com
    ^C
    !
    line con 0
    modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    access-class 1 in
    privilege level 15
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    ntp clock-period 17176532
    ntp server 18.7.21.144
    time-range daytime
    periodic weekdays 7:00 to 9:00
    periodic weekdays 13:30 to 23:59
    periodic weekend 9:00 to 23:59
    periodic weekend 0:00 to 3:00
    !
    end
     
    ensnare, Jan 24, 2009
    #2

  3. ensnare

    ensnare

    Joined:
    Jan 24, 2009
    Messages:
    5
    I resolved this issue. It seems that Cisco is having some trouble with 12.4.22T, 12.4.20T and some versions of the 12.4.15T train. I tried various versions of the firmware and one version miraculously fixed all errors: 12.4.15T7 (T8 did not work). Now everything is working great. I hope if anyone else has a similar problem, this helps to resolve it. Good luck!
     
    ensnare, Jan 24, 2009
    #3
  4. ensnare

    brianmiller

    Joined:
    Apr 16, 2009
    Messages:
    1
    I'm going insane with this damn 871w router. I have 6 871w routers connected via DMVPN links. Everything is working great but the goddam WPA wireless WLAN. I have it bridged to the hardwired network.

    Linux, Windows XP and Vista connect just fine.

    BlackBerrys won't connect worth a damn and our WiFi WPA cameras won't either.

    Sometimes I'll get an IP in the "sh dot11 assoc" table.

    Logs are showing:

    DOT11-4-MAXRETRIES: Packet to client xxx.mac.add.xxx reached max retries, removing the client


    I've run:
    c870-advipservicesk9-mz.124-22.T.bin
    c870-advipservicesk9-mz.124-24.T.bin
    c870-advipservicesk9-mz.124-15.T8.bin
    c870-advipservicesk9-mz.124-15.T7.bin <--- (copying to a test router now)

    All fail with horrible WPA connectivity.

    I took a look at 124-15.T7, there are tons of "Software Advisories" showing loads of problems that have been corrected in T8.

    Have you experienced any issues so far with T7? Are you using EIGRP and DMVPN? What about WPA?


    Any feedback would be helpful... thank you.


    -Brian
     
    Last edited: Apr 16, 2009
    brianmiller, Apr 16, 2009
    #4
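
Added example (not part of any post in this thread): a small Python triage script that groups the two drop messages quoted above, "Deauthenticating Station ... Reason: ..." and "DOT11-4-MAXRETRIES", by station MAC and flags stations dropped repeatedly within a short window, which shows whether drops cluster on a few clients or hit every client. The sample log lines, MAC addresses, the `%DOT11-6-DISASSOC` line prefix, the year, and the threshold/window values are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread). Only the message text matched
# by EVENTS below follows the two log excerpts quoted in the posts.
SAMPLE_LOG = """\
*Jan 24 21:02:11.204: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Previous authentication no longer valid
*Jan 24 21:02:40.918: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4466 Reason: Previous authentication no longer valid
*Jan 24 21:03:05.377: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Previous authentication no longer valid
*Jan 24 21:03:59.010: %DOT11-4-MAXRETRIES: Packet to client 0011.2233.4477 reached max retries, removing the client
*Jan 24 21:04:20.642: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Previous authentication no longer valid
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
STAMP = re.compile(r"^[*.]?(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+):")
EVENTS = {
    "deauth": re.compile(r"Deauthenticating Station " + MAC + r" Reason: (.+)$", re.I),
    "maxretries": re.compile(r"DOT11-4-MAXRETRIES: Packet to client " + MAC, re.I),
}

def parse(log_text, year=2009):
    """Yield (timestamp, kind, mac) for each recognised client-drop event."""
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue
        # "service timestamps log datetime msec" prints no year; `year` is assumed.
        when = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S.%f")
        for kind, pattern in EVENTS.items():
            hit = pattern.search(line)
            if hit:
                yield when, kind, hit.group(1).lower()

def flapping_stations(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {mac: total_events} for stations dropped >= threshold times in window."""
    by_mac = defaultdict(list)
    for when, _kind, mac in parse(log_text):
        by_mac[mac].append(when)
    flagged = {}
    for mac, times in by_mac.items():
        times.sort()
        # Check every run of `threshold` consecutive events against the window.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[mac] = len(times)
                break
    return flagged
```

Feed it the router's buffered or syslog output as a string; `flapping_stations(SAMPLE_LOG)` flags only the station that was dropped three times in about two minutes.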
