Friday, 23 May 2014

WLC 7.6 and MFP anomalies

Since we have set up a wireless controller with WLC 7.6, we are seeing large numbers of alarms starting with: "MFP Anomaly Detected - x 'CCMP Not Encrypted' violation(s) have originated from the client with MAC..."

MFP, as I understand it, is Management Frame Protection and is used to help prevent denial-of-service and man-in-the-middle attacks. While I am fairly sure nobody is trying to attack our test environment, I am pretty concerned that this has coincided with a group of Apple device users reporting they have trouble connecting, or lose connection and have to reauthenticate.

We have set MFP from optional to disabled on the controller that is reporting all the problems, but the alarms still persist, as do the problems with Macs and iPhones. The client MAC addresses on the alarms all display Apple or unknown as the vendor type. I can't see any obvious other problems and all other devices seem to be working well.

I'd love to stop people using Apple kit, but I don't think that is going to work somehow.

If/when I find a solution I will update below. It may have to involve a call to Cisco before too long.


Update 27/05/14

I am still seeing the errors after the MFP changes, but I am also seeing Apple OSX Mavericks clients being unable to connect without displaying an error.

Update 30/05/14

A few days off and still scratching my head. Not just Apple devices now but reports from a variety of devices and OSes. 3 people complained in one room and, when investigated, had an SNR of 40dBm and signal strength in the -50dBm's. They had an AP in their room, which typically works fine when we are stood in the room.

Of course, we were told by management that packet capturing tools were too advanced and we didn't need that level of expertise. Now, though, at this stage what are we supposed to do without them?

Update 09/07/14

This morning we upgraded our controllers to 7.6.120.0. The MFP anomaly alarms are still appearing on Prime, but leaving MFP and QoS disabled and reapplying the config to our backup controller seems to have halted the client connectivity issues that have been reported. So far the affected users say the wireless has been much better.

Going to keep the support call open with our supplier as Prime is currently showing 225 critical alarms.

5 comments:

Anonymous said...

I see the same messages in the log. It is not clear as to whether or not clients are suffering, but after migrating wireless infrastructure to support the 3702s, these messages appear in the log of PI 2.1, WLC code is 7.6.120.0.

CBites said...

We still currently have nearly 200 MFP anomaly alarms showing on Prime v1.4, but disabling MFP and QoS as well as updating our controllers from 7.6.110.0 to 7.6.120.0 seems to have stopped the client connectivity issues that users were reporting.

Eric Glodowski said...

Looks like it will be fixed once 8.0 code is available. Have a look here:

https://tools.cisco.com/bugsearch/bug/CSCtd34834

CBites said...

Thanks for the info. Appreciate it.