INTEL WIRELESS
Wired Stuff
WiFi Tablet Corner
My80211 White Papers (Coming Soon!)

Cisco Wireless Compatibility Matrix (Nov. 2011)

Podcasts / Videos

My80211 Videos

Cisco: 802 11 frames with Cisco VIP George Stefanick

Fluke Networks: Minimize Wi Fi Network Downtime

Aruba: Packets never lie: An in-depth overview of 802.11 frames

ATM15 Ten Talk “Wifi drivers and devices”

Houston Methodist Innovates with Wireless Technology

Bruce Frederick Antennas (1/2)

 

Bruce Frederick dB,dBi,dBd (2/2)

Cisco AP Group Nugget

Social Links
Revolution WiFi Capacity Planner

Anchor / Office Extends Ports

 

Peek Inside Cisco's Gear

See inside Cisco's latest wireless gear!

2.4 GHz Channel Overlap

EXAMPLE 1  

EXAMPLE 2

EXAMPLE 3  

CWSP RELEASE DATE 2/08/2010
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

IEEE 802.11a/g/n Reference Sheet

 

LWAPP QoS Packet Tagging

 

 

Interference Types

BLUETOOTH
 

Microwave Oven
 

Cordless Phone

JAMMER!
 

Entries by George (64)

Tuesday
Dec142010

End-of-Sale and End-of-Life Announcement for the Cisco 4400 Series Wireless LAN Controllers

Here is the official announcement from Cisco on the EOS / EOL of the Cisco 4400 controller

Title: End-of-Sale and End-of-Life Announcement for the Cisco 4400 Series Wireless LAN Controllers

Description: Cisco announces the end-of-sale and end-of life dates for the Cisco 4400 Series Wireless LAN Controllers.

The last day to order the affected product(s) is June 13, 2011. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement.

For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2010-12-13 09:00:00.0


http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6366/end_of_life_notice_c51-634665.html๏ปฟ๏ปฟ๏ปฟ๏ปฟ

Thursday
Oct072010

Cisco WiSM Config Practice Opens SVI Vulnerability

Cisco’s recommend WiSM configuration practice will make you vulnerable – by George Stefanick

I was asked, “The WiSM Config Practice has been out for years, how did you find this ?” The devil is in the details.... 

WiSM Configuration Practice

The initial steps in configuring a Cisco WiSM is what I like to call a “configure-and-forget” step. This is because once the WiSM is configured and married to the backplane of the Sup720 via the “service port” its rare one would need to revisit this procedure again.

There are a number of Cisco WiSM Configuration guides available at cisco.com explaining this process. We will get into these in a bit… 

What is the WiSM “service port”?

First lets understand what the service port interface is and the purpose of the service port. The WiSM service port is one of many ports on a Cisco WiSM. They include the management, ap manager, virtual, service and the operator dynamic interfaces.

  •  Management interface (pre-defined and mandatory)
  •  AP-Manager interface (pre-defined and mandatory)
  •  Virtual interface (pre-defined and mandatory)
  •  Service-port interface (pre-defined and mandatory)
  •  Operator-defined interface (user-defined)

Cisco’s 4400 and 5500 model controller’s service port is used for out-of-bandwidth management. The service port is a physical port supported on these models, whereby allowing you physical access with a console / null modem cable.

Contrary to the service port on the 4400 and  5500’s models. The WiSM service port is NOT used for out-of-bandwidth management. Rather it is used to synchronize the supervisor engine (720) and the WiSM. 


How does the “service port” on the Cisco WiSM connect to the Sup720?

Once the WiSM is installed, you enter the Sup720 and create a local vlan for the purpose of communications between both the WiSM and the Sup720.  Cisco references vlan 192 in their WiSM config documents, but of course any vlan number can be used. 

Cisco’s WiSM Configuration documentation goes a step further and states to create an SVI interface. An SVI interface is a gateway to bridge traffic. (Here in lies the problem. I will cover in more detail in the next section.)

(See below reference and links to Cisco WiSM configuration Guides, note the SVI interface recommendations and the lack of an ACL) 


The Vulnerability

The Cisco WiSM Configuration Guides detail the creation of an SVI interface for the purpose of the service port interface. For example;

Sup720(config)# interface Vlan 192
Sup720(config-if)# ip address 192.168.10.1 255.255.255.0
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

The Cisco WiSM Guides makes no reference to an ACL which would restrict traffic access to the service port SVI interface. By creating the SVI interface you have a “connected route” from users who terminate to the 6500 to reach the SVI interface. This would include wired and wireless users. Essentially, inside users have access to the WiSM service port. This would also include wireless guest!

Lets follow the packet:

1)     Wireless client pings 192.168.10.1

2)     The packet egresses the wireless client and 802.11 headers are applied

3)     The packet travels via RF

4)     Packet reaches Access Point

5)     Access points encapsulates the packet in a LWAPP/CAPWAP headers

6)     The packet is then sent to the Cisco WiSM / Controller

7)     The WiSM removes the LWAPP/CAPWAP encapsulation and adds 802.3 headers

8)     The WiSM places the packet on the wired

9)     The packet transverses the router to the connected 192.168.10.1 SVI interface

  

I’m positive this is an oversight by Cisco. Recent conversations with Cisco SE’s, Cisco TAC and other peers agree this is an issue on many levels.

Engineers and Admins who configure the WiSM for the first time or perhaps engineers who have little knowledge would follow the Cisco WiSM Configuration Guide step by step. Not understanding that an ACL needs to be applied to the SVI interface for the WiSM service port. 

Real World Examples:

Lets cover why this is an issue with some real world examples:

Example#1 –

Your inside networks are 10.x.x.x and 172.x.x.x. Your service port on the WiSM is configured for 192.168.10.x network. Users who terminated to the cat / Sup 720 that houses the WiSM has access to the SVI interface 192.168.10.x. Why, because it is a connected route. The traffic will bridge over from 10 / 172  to the 192 network.

 

Example#2 –

Suppose you don’t have a Cisco WLC to anchor guest traffic. Your wireless guest traffic terminates to the  cat / Sup720 that houses the WiSM. Let suppose you ACL your "GUEST" SVI interface denying your known inside networks. You think you are done and call it a day.

DENY 10.0.0.0 (inside network)

But did you remember to deny 192.168.10.x? If you didn’t your wireless guest now have access to your service port


How to Fix it:

If you configured an SVI interface. Simply ACL the SVI not to allow ANY network access to this SVI interface.  


Conclusion:

I admit this isn’t a five-alarm hole. You don’t have to drop everything you are doing.  But it is one that needs to be addressed if you followed Cisco WiSM Configuration Guides.

 

Cisco links to WiSM Config

http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.html

! - Create a vlan in the Supervisor 720, this vlan is local to the chassis and is used for

communication between Cisco WiSM and Catalyst Supervisor 720 over a Gigabit interface on

the Supervisor and service-port in the Cisco WiSM. 

Sup720(config)# vlan 192 

! -- Assign an appropriate IP address and subnet mask for VLAN 192 

Sup720(config)# interface Vlan 192

Sup720(config-if)# ip address 192.168.10.1 255.255.255.0

Sup720(config-if)# no shutdown

Sup720(config-if)# exit

 

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a00808330a9.shtml

Create the WiSM Service Port Gateway and assign the IP address.

Create a VLAN in the Supervisor 720. This VLAN is local to the chassis and is used for communication between Cisco WiSM and Catalyst Supervisor 720 over a Gigabit Interface on the Supervisor and a service port in the Cisco WiSM.

interface Vlan192 
Description WiSM Service Port Gateway or Management Interface on CAT6K
ip address 192.168.10.1 255.255.255.0 

 

 

Sunday
Aug152010

Cisco WCS SQL Injection Vulnerability: CSCtf37019

  

Cisco released a WCS vulnerability last week

Cisco WCS devices running software 6.0.x are affected by this vulnerability.

Note: Cisco WCS software release 7.0 is not affected by this vulnerability. Cisco WCS version 7.0.164.0 (which is the first 7.0 version) already contains the fix for this vulnerability. Cisco WCS software releases prior to 6.0 are not affected by this vulnerability.

The version of WCS software installed on a particular device can be found via the Cisco WCS HTTP management interface. Choose Help > About the Software to obtain the software version.

Cisco WCS enables an administrator to configure and monitor one or more WLCs and associated access points.

A SQL injection vulnerability exists in Cisco WCS. Exploitation could allow an authenticated attacker to modify system configuration; create, modify and delete users; or modify the configuration of wireless devices managed by WCS.

This vulnerability is documented in Cisco bug ID CSCtf37019 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2826.

 

Read more about this field notice: 

http://www.cisco.com/warp/public/707/cisco-sa-20100811-wcs.shtml

Sunday
Aug082010

Cisco 6.0.199.0 - Reported Vocera Issues

  

Vocera is reporting connectivity issues on 6.0.199.0. They went as far as to release a Technical Advisory to customers. Its not clear what the issue is at the moment. 

The Vocera Advisory states:

Vocera is aware of an issue that customers are experiencing after moving to Cisco WLC version 6.0.199 that manifests itself in a substantial increase in difficulty with badge communications to the Vocera Application Server over the network. Badges will display "Searching For Server" or "Searching For AP."

Vocera is working closely with Cisco and its mutual customers on the problem.

Please consult with Vocera Technical Support and Cisco TAC before upgrading to 6.0.199.

Friday
Jul232010

Cisco 6.0.199.0 Controller Code Release - Potential MD / AW release

  

Cisco released a new rev in the 6.0 track, 6.0.199.0. Note: this has potential to be MD / AW tagged. Although, I will wait and see what fall out there is based on the previous releases in the 6.0. track.

Look at the resolved caveats. There are some BIG problems resolved with this reelase. 

Note:6.0 is a MD train and 6.0.199.0 is a potential MD / AW release. 6.0.199.0 release will be marked with MD / AW Tag after few weeks of customer adaptation and completion of AW release certification

 

Table 5 Resolved Caveats 

ID Number
Caveat Title

CSCtf63030

Radio get stuck when it is in the RESET or DOWN state.

CSCta91358

HREAP is locking up due to a wedge input queue on the radio interface.

CSCtb02136

AP1252 with AP groups and HREAP do not broadcast SSIDs.

CSCth05209

An OEAP configuration option needs to be removed in an unsupported platform.

CSCth02673

Errors occur when you apply the WLAN template with security as the WEP.

CSCtg93517

The wrong error message appeared while the H-REAP access point was added to a different H-Group.

CSCsx62302

REAP VLAN support mapping on an access point is lost when you upgrade from 4.2.176 to 6.0.182.

CSCtg93928

A traceback occurred on the mesh access point.

CSCsy90434

The controller command line displays that diversity was enabled for the 1522a radio.

CSCtg94715

Lock Assert dtlARPTask has caused the Cisco 5500 Series Controller to crash.

CSCtg74904

The Cisco 1142 Access Point stopped transmitting and receiving on its radio.

CSCth11525

A WLAN gets disabled after you add a new SSID to an existing access point group.

CSCsy93463

Debug the output through Telnet and SSH sessions.

CSCsy99905

RLDP constantly finds wired threats only when manually used.

CSCth09687

The controller GUI has a problem when configuring new ACL rules.

CSCsz19203

The controller crashes at SSHpmMainTask.

CSCsz37520

Noise was not factored in Channel Util calculations for AP1140.

CSCsz38828

AMAC radio core dumps: the transmitter has stopped working.

CSCsz40659

Need to reboot the wireless controller after an upgrade.

CSCsz42048

An inconsistency has occurred in the neighbor RSSI measurements.

CSCsz84895

An association response has the wrong set of supported rates for the 11b device.

CSCta04008

The call station type on the controller does not state that it is applicable to non-802.1X devices only.

CSCta13941

An access point is rejecting the association request with the status code 13.

CSCta34765

The controller console displays that invalid behavior occurred when you entered the config mirror port command.

CSCta41584

The backup port was not active when the primary port was disabled on the controller.

CSCta49375

The Cisco 4404 Controller crashes when you restart the sig11 at nPCSL_timer.

CSCta58642

LAP1252-P seems to have violated the maximum power levels in the regulatory domain.

CSCta71448

Reduce the severity of the error msg: %APF-1-CHANGE_ORPHAN_PKT_IP.

CSCtb20125

CCMP displays errors when the radio configuration is changed.

CSCtb34971

When the Controller WISM loads third-party certificates for web authentication, HTTPS port 443 is disabled.

CSCtb39368

The webauth custom page fails with some file extensions.

CSCtb39612

The WGA two device solution displays the "Cannot find MSCB for NPU SCB on console" message.

CSCtb42260

Enabling broadcast forwarding versus multicast forwarding through the controller CLI.

CSCtb44059

The controller should send the DHCP packets to the proper DHCP server.

CSCtb45178

Insufficient memory or a traceback occurred on AP1130 and AP1232.

CSCtb63297

A file read error message was reported in message log.

CSCtb69778

The output of the show log ip-port hash command was not correct in Telnet or SSH sessions. Instead, the output displayed results in the console window.

CSCtb92872

The WiSM with no access points crashed and the controller is unresponsive and you have to reset the hardware module to bring it up.

CSCtc01748

The Controller 2106 kernal panic crashed and hung while running combination stress test.

CSCtc13337

Even after the clients are associated to the controller, the message log displays an error saying no ACLS was defined on the controller.

CSCtc13378

The Cisco 5508 Controller crashed on the apfProbeThread.

CSCtc22661

An MFP anomaly was detected on deauthenticated frames.

CSCtc23210

MC2UC: Fragmentation has caused fewer clients to connect.

CSCtc23277

Radio driver is consuming all of the WLAN pool buffers.

CSCtc23789

The AP 1140 and 1250 radios were down and the interface was stuck in the reset state.

CSCtc29509

A predownload of the image has stopped after completing 18 out of the 230 access points on the controller.

CSCtc41797

RLDP does not work for G-only APs.

CSCtc44480

The access points were still transmitting ad-hoc deauths even after auto-contain was disabled.

CSCtc50424

The Cisco 5500 controller crashes and an error message "cond pbuf->dataLen <= 2048 failed" appears in the crashlog.

CSCtc51076

The "config spanningtree port mode off" settings are not saved in the backup configuration file.

CSCtc57611

Delay in Music on Hold on 7925 with HREAP AP.

CSCtc67372

On the controller with some access points, the SSH/Telnet session hangs with sh run output with paging disabled.

CSCtc73503

The radios are showing a Tx power level of 0.

CSCtc73527

Low latency MAC is not supported on the 802.11n APs.

CSCtc90985

The DMA input queue is overrun by fast Ethernet bursts.

CSCtc95434

An FTP transfer does not work on Cisco 2100 Controllers.

CSCtc97144

The 1800-seconds session that occurs after the session timeout has been fixed when H_REAP is in the standalone mode.

CSCtc97595

Only one of many gratuitous ARP packets is forwarded to the client.

CSCtd04572

Video metrics fixes and enhancements.

CSCtd06186

Directed broadcast does not work when IGMP snooping is enabled.

CSCtd21859

WLAN CKIP PSK is deleted when the Apply button is applied.

CSCtd23497

1242 AP HREAP Mode crashes after%CAPWAP-5-CHANGED the state to Join.

CSCtd26168

Incorrect source MAC address in the ARP request when the controller is in lag mode.

CSCtd26794

5508 DP was crashing and fragmentation consumes all pbufs.

CSCtd28542

The controller was crashing on EmWeb due to an access point configuration change.

CSCtd28757

The LDAP user password length needs to be increased.

CSCtd30669

WLAN security settings and session timeouts are changed after restoration.

CSCtd59231

The master bit configuration was not saved in xml.

CSCtd60522

The configuration backup adds the wrong 802.11a channel list.

CSCtd72649

The Cisco 4400 Controller crashes at osapi_task.c:3660.

CSCtd74472

The Cisco 5500 Controller crashes with the OSAPI reaper task and throws a null tunnel pointer exception.

CSCtd75089

The controller needs to have the "devshellsysapiDumpMbufStatus" command to show mbuf usage.

CSCtd75094

The access point crashed while clearing the CAPWAP MGIDs for the new client.

CSCtd86901

The mobility anchor configuration for WLAN is lost while copying the configuration through auto installation.

CSCtd92105

The controller reloads and the DHCP task reaper is reset.

CSCtd97011

When the AMAC radio core dump is observed, the neighbor discovery frames are stuck.

CSCtd99288

The client authentication trapflag cannot be configured through the CLI.

CSCtd99659

An SNMP agent inserts null data during the mesh link test.

CSCte08090

A TFTP upload fails while trying to upload a packet capture to the Windows TFTP server.

CSCte19262

The client is deauthenticated after the key exchange and displays an error message "Unable to locate AP 00:00:00:00:00:00".

CSCte27052

An inconsistency in the AAA Override feature occurred.

CSCte36493

The controller GUI displays a guest LAN error when the ingress is set to None on the anchor WLAN controller.

CSCte43508

5508 DP CRASH: buffer leaks due to ARP storm.

CSCte51177

The SNMP TRAP port number is not reflected in the configuration file of the controller.

CSCte55458

The web authentication page takes a long time to display under a heavy load.

CSCte62815

The Cisco 5508 Controller is not passing OSPF multicast traffic.

CSCte74879

The controller 5508 agentSwitchInfoPowerSupply MIB was not working.

CSCte76854

Unable to enable a WLAN on the Cisco 5508 Controller.

CSCte78472

An invalid PHY rate is returned on an ADDTS response.

CSCte79131

Containment details for the ad-hoc rogue is incorrect in the controller GUI.

CSCte79305

Auto containment for wired rogue access points does not contain wired rogues.

CSCte81420

When the access point crash was in process, the message "Dot11 driver" dot11_rate_is_allowed appears.

CSCte89891

The radio stops transmitting beacons periodically.

CSCte90918

WiSM locks-up during the upgrade with a full load of access points and clients.

CSCte92365

The auto immune attacks fix does not cover the incorrectly formatted association request.

CSCte95626

The Cisco 5508 Controller was not forwarding 100% of packets for the Gigabit line burst.

CSCte96140

Ethernet bridging breaks when the Ethernet interface of AP 1242 is flapped.

CSCtf03121

An optical SFP misconnect causes the Cisco 5508 Controller to disable its ports.

CSCtf03958

The WLAN Load Balance and Band Select should display Global Disabled as apply.

CSCtf06314

The WCS access point current associate client list is not up to date.

CSCtf06931

The controller emWeb crashes while running the ewaFormSubmit_blacklistclient_list.

CSCtf08553

The system log is not sent to the server that is on the same subnet as the dynamic interface.

CSCtf23682

An access point cannot join with the multicast MAC address as the gateway (checkpoint).

CSCtf27580

The Ethernet interface input queue wedge is from the broadcast/uniGRE traffic.

CSCtf28217

An access point unexpectedly joins the controller in bridge mode instead of local mode or H-REAP.

CSCtf33859

The client state is run with no IP address.

CSCtf34858

The client cannot transmit the traffic if it reassociates to an access point within 20 seconds.

CSCtf36051

The CPU ACL is not filtering after a reload.

CSCtf50921

Acct-Input-Octets counters do not reset for every accounting stop.

CSCtf53521

Directed broadcast does not work when the IGMP snooping is enabled.

CSCtf71637

The username entry in the accounting stop did not match the accounting start.

CSCtf94670

emWeb task crashed at usmWebGetSfpType.

CSCtf94679

The used memory increases by 25-MB immediately after bootup.

CSCtg10321

The Cisco 5500 controller crashes when all ports are disabled.

CSCtg34627

The video queue constrain limit allows only 9 to 10 clients of the 5-Mb stream.

CSCtg55102

AssocFailPayload causes a payload error at the controller.

CSCtg98413

There is a discrepancy between the help on the CLI and the actual code.

CSCth00490

The Dyn-int template with secondary port of 7 is getting applied while applying a dynamic interface.

CSCth02608

RRM RF group Leader Election did not occur.

CSCte55219

AMC radio core dumps with reason "transmitter seems to have stopped" due to a large number of uplink frames in the inprog queue.

CSCtf69598

There is a memory leakage in the access point upon a CCKM failure.

CSCtg71658

Access point level resets to 0 while upgrading from 5.0 to 6.0.

CSCtf65636

The access points that are crashed from the data TLB misses exception.

CSCth16398

Downloadable logs should include primaries.

CSCtd43906

RAP, which is a mesh access point, does not recover after the radar was detected.

CSCtf84965

CCKM roam fails with OEAP.

CSCtg89404

Association response to client is sent with AID 0.

 

Monday
Jun282010

Special 6.0.196.159 WLC Build Available From TAC

  

Cisco has released a new Engineer Special for the 6.x WLC code; 6.0.196.159

You will have to request this code from Cisco TAC as you will not find this on CCO. Cisco TAC stated 6.x release is tagged as software advisory. They are not recommending this code and if you have it installed you should apply the latest Engineer Special release until the 6.x maintenance release is released. The 6.x maintenance release is expected end of July / early August.

If you have 6.x running today Cisco TAC has advised the following path:

1)      Down grade to 5.2.193.0 (ED)

2)      Upgrade to 7.0.98.0 (ED)

3)      Upgrade to 6.0.196.159 (ES) 

 

AS_4200_6_0_196_159 is a build from 6.0.196.0, and it is an engineering special that resolves the following additional caveats:

CSCta13941 - AP rejecting association request with status code 13

CSCtb02136 - AP with AP Groups and HREAP will not broadcast SSID

CSCtb20125 - CCMP errors on key rotation

CSCtc73503 - Radios are showing Tx power level 0

CSCtd28542 - WLC crash on emWeb due to AP config change

CSCtd97011 - Radio core dump: Neighbor Discovery frames stuck

CSCte19262 - Client Deauthenticated – “Unable to locate AP 00:00:00:00:00:00”

CSCte55219 - radio core dump due to large # of uplink frames in inprog queue

CSCte55458 - Web-Auth: Web page takes a long time to display under heavy load

CSCte62815 - 5508 not passing OSPF Multicast traffic

CSCte78472 - Invalid PHY rate returned on ADDTS response

CSCte81420 - Crash in process: "Dot11 driver "

CSCte89891 - AP doesn't transmit beacons

CSCte92365 - Auto Immune - AP side

CSCte93549 - The dot11a radio not able to pass traffic, tx queue getting filled.

CSCte96140 - Ethernet bridging breaks when the Ethernet interface of AP 1242 flapped

CSCtf23682 - 5508 - AP cannot join with Multicast MAC as gateway (checkpoint)

CSCtf34858 - Clients unable to pass broadcast traffic

CSCtf69598 - Memory leak in AP on CCKM Failure

CSCtc57611 - Delay in Music on Hold on 7925 with HREAP AP CSCtg45014 - CT5508 - CAPWAP Control traffic has incorrect DSCP marking.

CSCtg71658 - Ap power level reset to 0 when upgrading from 5.0 to 6.0.196.158

CSCtd43906 - J: RAP not transmitting after coming up; when shut due to radar

*ENGINEERING SPECIAL USE DISCLAIMER*

The Engineering Special fix supplied herewith is a Temporary Software Module which has undergone limited testing. This temporary software module is provided “AS-IS” without warranty under the terms of the END USER LICENSE FOR THIS PRODUCT. Please use this software at your own risk. The intention for this code fix is for you to use in your production environment until a released version is available.

Thursday
Jun242010

Bugs: CSCtf34858 - Severity 1 - catastrophic (WLC Code Levels: 6.0.182.0, 6.0.188.0, 6.0.196.0)

  

Catastrophic isn't my words, but Cisco's.  Engineer's beware ...

Client can't transmit traffic if it reassociates to an AP within 20 sec

Symptom:

Intermittently, when a client reassociates to an access point
(within 20 seconds after having roamed away from that same
AP), the AP will fail to forward any data received from
that client, to the wired network.

Other clients can associate to that same SSID on the same AP
and work fine.

If the SSID is configured to use encryption, then, at the time
the problem is occurring, decrypt failures will be seen, when
the following debugs are enabled on the affected radio:

ap#no debug dot11 dot11radio0 print printf
ap#debug dot11 dot11radio0 trace print clients keys

Workaround:

Resetting the AP radio, or rebooting the AP, can cause the
problem temporarily to go away.

This problem is not seen in 5.2.193.0 or earlier code, nor does
it affect autonomous IOS APs.

Base Code: 6.0.182.0, 6.0.188.0, 6.0.196.0

Special Build: Following options are available:

 

1.     Move to 7.0.98.0 Release posted on CCO. Please note, 7.0 is a new feature release.

2.     Contact TAC to get a 6.0 Special or Beta release with fixes for the bugs below. 

3.     Wait for the CCO release of 6.0 MR3 (Maintenance Release), which is planned for July/August 2010 

 

 

The code is designed for 2100 / 4400 / 5500 / WiSM / WLC3750 / WLCM

 

This Software Advisory Notice is issued against all the above Wireless LAN Controller software versions due to the following bugs:

 

 

 

Thursday
Jun032010

Cisco 4.2.209.0 Controller Code Release

  

Cisco released a new rev for the controllers, 4.2.209.0. I'm not really surprised Cisco is still supporting 4.2. There are a number of large healthcare systems still on the 4.2 rev. 

Table 3 Resolved Caveats 

ID Number
Caveat Title

CSCtb31111

Memory Leak in EAP framework task

CSCsl22707

AP1250 Resets During Boot Using POE from 3550 Switch

CSCsm84048

AP1250 does not get 20 W power if switch is configure for trunk port

CSCso50723

WLC2106 EAP-FAST PAC provision failed due to slow DiffieHellman

CSCsq09933

Converted AP w/ static IP ignores DNS after downloading full image

CSCsv77658

AP reset from watchdog timer expired

CSCsw31160

Lobby Admin username can be used for webauthentication

CSCsx07150

Voice gap when phone roams, if CAC is not configured on APs

CSCsx50408

LWAP DOS Attack trap message does not record the source MAC address

CSCsx69535

AP on different subnet lost connetion with WLC

CSCsx70889

Crash due to stack corruption caused by recursive tunnels

CSCsx71175

WLC broadcast dhcp does not comply with RFC 1542

CSCsy06464

H-REAP AP obtains IP via DHCP on wrong interface

CSCsy06689

Memory leak on 3.2.210.0

CSCsy30722

Next hop address stored in capwap doesn't get updated on rcving GRAT ARP

CSCsy97077

WLC Controller 'show run-config' is truncated, not complete, incomplete

CSCsz03148

Talwar crashes @ EAP Framework

CSCsz14243

Unable to enable the WLAN while the APs are joining

CSCsz26858

WLC crash Task Name: dot11b (usmDbSnmpRrmProfileFailureTrapSend)

CSCsz32424

Rogue not detected on wire using the arp

CSCsz38828

AMAC radio core dumps: transmitter seems to have stopped

CSCsz48244

4.2 Mobility Control path flapping up/down

CSCsz48460

AP crashing on dot11_tx

CSCsz49863

WLC Local EAP auth periodically fails with 792x phone using EAP-FAST

CSCsz58995

Reaper reset crash on WLC with 1 monitor AP

CSCsz64049

WLC crash - nf_iterate causes kernel panic/exception

CSCsz72416

Unexpected vlan is assigned due to failed to aaa override

CSCsz76796

PMK cache isn't updated

CSCsz82548

Clients can communicate even though clients auth status is "No"

CSCsz88241

Per user bandwidth contracts stop functioning

CSCsz89606

AP unable to perform DNS based on given DHCP DNS options

CSCta09996

Sometimes LAP can't join to WLC via alternative port in port redundancy

CSCta13941

AP rejecting association request with status code 13

CSCta19001

AP1000 reboots continously when applying fix for CSCsl90630

CSCta29484

Radio stops beaconing for 10-second period

CSCta40160

Dropping primary discovery request from an AP already joined to the WLC

CSCta45156

Upgrade to 6.0.182.0 Webauth login page text views as one long sentence

CSCta93380

WLC on 4.2.205.0 drops bootp packet

CSCtb12031

1142 / 1252 inconsistently ACKs Vocera (gen1) badge

CSCtb29243

ARP storm on inter-controller NAC scenario for quarantined client

CSCtb34971

WLC WISM loading 3rd party cert for web-auth disables HTTPS port 443

CSCtb36010

Lightweight AP responds on port 22 when SSH is disabled

CSCtb52563

WLC 4.2.205.0 crashes at spam_CCM_decrypt+124

CSCtb58091

WLC CPU Spike with emWeb - Controller Not Responding - No crash

CSCtb64994

Intermittent Webadmin and Webauth access on WiSM running 5.2.193

CSCtb74239

WISM crashed on task sshpmMainTask System Crash

CSCtc03575

Controller fails to redirect web authentication to external server

CSCtc15346

AP1252 fails to retransmit missing AMPDU packet in response to block ack

CSCtc45090

Controller sends wrong mac in ARP response, can cause mobility flapping

CSCtc91431

ReadOnly local management user can change H-REAP VLAN mapping

CSCtc97595

Only one of many Gratitous ARP packets are forwarded to client

CSCtd01611

Important TLS/SSL security update

CSCtd16938

WLC crash after passing invalid arguments to emweb

CSCtd26408

WCS 4.2.110.0 cannot modify external web auth redirection URL for WLANs

CSCte40517

WLC2106 reboots at pemReceiveTask

CSCte55458

Web-Auth: Web page takes a long time to display under heavy load

CSCte89891

Radio may stop transmitting beacons periodically

CSCtf63030

Radio may get stuck in RESET or DOWN state

Wednesday
May122010

Special 7925/7921 (1.3.4.0.2) Build Available From TAC

  

Another special TAC release (1.3.4.0.2) this time for the Cisco 7921G and 7925G IP Phones. I'm told this release is a 'quick fix' for the battery issue discovered in release 1.3.4. 

Sources at TAC mentioned 1.3.5 could be out as early as end of May. Comments were also made that

 1.3.4.0.2, "has been through only basic testing to verify the power consumption issues"

 

Battery Life After Returning From Out of Range State

The Cisco Unified Wireless IP Phone may have a short battery life after returning from the out-of-range
state. The battery life can be two to four hours long if the IP phone travels out of range for up to three
to five seconds, and then returns in range of the configured network without rebooting the IP phone.
This may occur with IP phones using firmware release 1.3(4), but not with any earlier release. If your IP
phone experiences a short battery life after it has operated out-of-range for a few seconds, you can reboot the IP phone. The out-of-range alert may be enabled in Unified CM to provide a notification anytime the IP phone leaves the service area. For more information of the status of this operation, refer to CSCtf82507, using the Software Bug Toolkit.

 

Tuesday
May042010

Special 6.0.196.158 WLC build available from TAC

 

 

Not often you see 'special' releases on the Cisco WLC. I think Cisco tagged 6.0.196.0 as assurewave to soon! If you are having issues, TAC may recommend this TAC only release

Date entered: 4-May-2010 

Summary: fixes for several important WLC bugs are in the 6.0.196.158 build, available through TAC. This build will not be posted to CCO; the fixes will be incorporated into the next 6.0 release targeted for summer 2010. For more information, see the 6.0.196.158 release notes.

Addendum Release Notes for Cisco Wireless LAN

Controllers and Lightweight Access Points for
Special Build 6_0_196_158
___________________________________________
Base Code: 6.0.196.0
Special Build: 6_0_196_158


ENGINEERING SPECIAL BUILD


6_0_196_158 is a build from 6.0.196.0, and it is an engineering special that resolves the following
additional caveats:


CSCta13941 - AP rejecting association request with status code 13
CSCtb02136 - AP with AP Groups and HREAP will not broadcast SSID
CSCtb20125 - CCMP errors on key rotation
CSCtb92872 - WiSM: System crash - Task "cids-cl Task" taking too much cpu:
CSCtc23789 - AP radio down - interface stuck in reset
CSCtc57611 - Delay in Music on Hold on 7925 with HREAP AP
CSCtc73503 - Radios are showing Tx power level 0
CSCtd28542 - WLC crash on emWeb due to AP config change
CSCtd97011 - Radio core dump: Neighbor Discovery frames stuck
CSCte19262 - Client Deauthenticated – “Unable to locate AP 00:00:00:00:00:00”
CSCte55219 - radio core dump due to large # of uplink frames in inprog queue
CSCte55458 - Web-Auth: Web page takes a long time to display under heavy load
CSCte62815 - 5508 not passing OSPF Multicast traffic
CSCte78472 - Invalid PHY rate returned on ADDTS response
CSCte81420 - Crash in process: "Dot11 driver "
CSCte89891 - AP doesn't transmit beacons
CSCte92365 - Auto Immune - AP side
CSCte93549 - The dot11a radio not able to pass traffic, tx queue getting filled.
CSCte96140 - Ethernet bridging breaks when the Ethernet interface of AP 1242 flapped
CSCtf23682 - 5508 - AP cannot join with Multicast MAC as gateway (checkpoint)
CSCtf27580 - Ethernet interface input queue wedge from broadcast/uniGRE traffic
CSCtf34858 - Clients unable to pass broadcast traffic
CSCtf63030 - Radio may get stuck in RESET or DOWN state
CSCtf69598 - Memory leak in AP on CCKM Failure
CSCtf94589 - AP mac address discrepency in aggressive load balancing packets.


*ENGINEERING SPECIAL USE DISCLAIMER*

The Engineering Special fix supplied herewith is a Temporary Software Module which has undergone
limited testing. This temporary software module is provided “AS-IS” without warranty under the terms
of the END USER LICENCSE FOR THIS PRODUCT. Please use this software at your own risk. The
intention for this code fix is for you to use in your production environment until a released version is

available. 

Americas Headquarters
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2010 Cisco Systems, Inc. All rights reserved. 95134-1706 USA

Sunday
Mar212010

Cisco 6.0.196.0 is AssureWave Tested: See Solution Testing Results

 

 

Its been what, a year and a half since the WLC had an AssureWave Version? Below is the test results.

AssureWave Solution Testing Results

There are three types of AssureWave Certification:

  • Passed: No major defects identified in tested areas
  • Pass with Exception: Some defects that could affect certain deployments
  • Failed: One or more major defects identified in core area

Tested Versions

4.2.207.0 - Test Results pdf (PDF - 1.66 MB)

6.0.196.0 - Test Results pdf (PDF - 2 MB)

Wednesday
Jan202010

Bugs: CSCtd66943 - WCS 6.0.170.0 Shows Incorrect AP Duplex

 

 

I wanted to share a recent bug I just encountered with WCS. I’m running WLC code 6.0.188.0 and WCS 6.0.170.0. In WCS if you drill down to the access point and look under CDP neighbor tab the duplex is reported as half-duplex.  I double checked the switch and the access point and it was set to FULL.

 Reportedly this is fixed in the next version of WCS, not yet released. 6.0.178 .0 and 7.0.87.0.

 CSCtd66943 Bug Details

WCS: Reports incorrect duplex mode for CDP neighbor of an AP


Symptom: WCS reports incorrect duplex mode for CDP neighbor of an AP

Conditions:

WCS - 6.0.170.0
WLC - 6.0.182.0

Workaround:

None at this time.

Problem Description:

The WCS GUI reports incorrect duplex mode for CDP neighbor of an AP.

From Monitor --> Access points --> Click on an AP --> Click on the 'CDP neighbors' tab.

The duplex mode for the CDP neighbor is reported as 'half-duplex'. Verifying directly on the neighbor's CLI it's configured for full-duplex.

 

 

Sunday
Dec062009

Bugs: CSCtd46886 - 6.0.188.0 shows incorrect boot loader version

So I wasn’t losing my mind after all. In between projects I attempted to update the bootloader on my personal controller and the new WiSMs I just deployed. Both running 6.0.188.0. I tried over 10 times, each time I got a successful TFTP transfer and did a reload. But the new bootload wouldn’t take. I searched the release notes and docs. In fact I learned more about the WLC bootloader chasing this issue down.

So I gave in and called TAC.  Here is what I was told:

There are two know bugs that fit the issue you are having 1) CSCsy99596    Need to bundle bootload into ER image and 2) CSCtd46886    WLC with version 6.0.188.0 shows incorrect boot loader version.  Both are new bugs and have not been resolved as yet.

I understand CSCtd46886 is dated 11/25/09. 

Just wanted to share incase you come across this issue…

Thursday
Dec032009

12/2/09 - End-of-Life Announcement for the Cisco 526 Wireless Express Mobility Controller

Cisco announced the end of life and end of sale for the Cisco 526 Wireless Express Mobility Controller. You probably didn't even know Cisco had a controller 526 and 500 series APs, did you? This product line was an attempt to market to small price point customers who wanted a controller based  product with enterprise features. The 526 / 500 line had no compatibility between the 2100 / 4400 / 5500 / WiSM product line. So you couldn't take a 500 series AP and have it join a 4400 series controller. I mentioned when Cisco released this, it was doomed from the start. I didn't see this product taking hold in the market.

Title: End-of-Sale and End-of-Life Announcement for the Cisco 526 Wireless Express Mobility Controller  [Cisco 500 Series Wireless Express Mobility Controllers]
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7320/ps7339/end_of_life_c51-568040.html
Description: Cisco announces the end-of-sale and end-of life dates for the Cisco 526 Wireless Express Mobility Controller. The last day to order the affected product(s) is June 1, 2010. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2009-12-01 07:11:34.0

Title: End-of-Sale and End-of-Life Announcement for the Cisco 500 Series Wireless Express Access Points  [Cisco 500 Series Wireless Express Mobility Controllers]
Url: http://www.cisco.com/en/US/partner/prod/collateral/wireless/ps7306/ps7320/end_of_life_c51-568039.html
Description: Cisco announces the end-of-sale and end-of life dates for the Cisco 500 Series Wireless Express Access Points. The last day to order the affected product(s) is June 1, 2010. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2009-12-01 07:11:32.0

Sunday
Oct112009

10/07/09 Field Notice: FN - 63258 - WLC 44xx Potential Power Failure

Url: http://www.cisco.com/en/US/partner/ts/fn/632/fn63258.html
Description: Cisco has observed that certain identified serial numbers of WLC 4400 series controllers may fail to boot on a subsequent power cycle. Few 4400 series controllers that are built between November 2008 and March 2009 have experienced lower test during power cycles due to a bad part.
Date: 2009-10-06 10:00:00.0

 

Saturday
Sep122009

8/25/09 - Cisco Lightweight Access Point Over-the-Air Provisioning Manipulation Vulnerability

 

Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to insufficient security protections during wireless access point association sequences. An unauthenticated, remote attacker could exploit this vulnerability by injecting malicious packets into the wireless network where newly added access points are seeking controllers. This action could allow the attacker to cause the device to associate to a rogue controller, preventing the device from servicing network clients. An exploit could result in a DoS condition.

Cisco has confirmed this vulnerability; however, software updates are not yet available.

http://tools.cisco.com/security/center/viewAlert.x?alertId=18919

 

Tuesday
Jul282009

7/27/09 - Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers 

Summary

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms. This security advisory outlines the details of the following vulnerabilities:

  • Malformed HTTP or HTTPS authentication response denial of service vulnerability
  • SSH connections denial of service vulnerability
  • Crafted HTTP or HTTPS request denial of service vulnerability
  • Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

 

Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility.

These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP).

Click to read more ...

Sunday
May312009

End-of-Sale and End-of-Life Announcement for the Cisco Power Supply for Cisco Aironet 1130, 1140, 1240 and 1300 Series Access Point

Message Type : End-of-sales/ End-of-life announcement

Cisco Systems announces the end-of-sale and end-of-life dates for the Cisco Power Supply for Cisco Aironet 1130, 1140, 1240 and 1300 Series Access Point. The last day to order the affected product is November 20, 2009. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as listed in Table 1 in the EoL announcement.

Click to read more ...

Wednesday
Feb042009

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Updated on Wednesday, February 4, 2009 at 9:59PM by Registered CommenterGeorge

Message Type : Security Advisory
Title: Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
URLs:
http://www.cisco.com/en/US/customer/products/products_security_advisory09186a0080a6c1dd.shtml
(available to registered users)
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a6c1dd.shtml
(available to non-registered users)

Click to read more ...

Friday
Jan092009

Field Notice: FN # 63177 - Cisco Aironet 1250 Access Point Buzzing, Vibrating and making Noise

Updated on Tuesday, February 3, 2009 at 9:10PM by Registered CommenterGeorge


Title: Cisco Field Notice: FN # 63177 - Cisco Aironet 1250 Access Point Buzzing, Vibrating and making Noise
URL: http://www.cisco.com/en/US/ts/fn/631/fn_63177.html
CDC http://www.cisco.com/en/US/customer/ts/fn/631/fn_63177.html
(available to registered users)

Click to read more ...