We saw a lot of the same. The ARP cache bug (since we run GLBP on the gateways) has killed us too.
<div>-------- Original message --------</div><div>From: Jeffrey Sessler <[email protected]> </div><div>Date:25/09/2014 16:40 (GMT-06:00) </div><div>To: [email protected] </div><div>Subject: Re: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent SSIDs Aruba 6.3 </div><div> </div>We noticed that our WLAN with band/load-steering enabled had a high report rate of Macintosh connectivity issues, and the WLAN that did not was trouble free. I suspect what was happening was this: Mac would initially associate (Ent-WPA2), then the controller would force it to move to another band and/or AP. It's at this point (a roam) that the Apple certificate issue would kick in, and it was hit or miss as to the Mac re-associating or failing. This was especially problematic when a Mac client was equidistant from two AP's. Turning off band/load steering pretty much eliminated the bulk of the connectivity issues, and trusting the certificate solved the rest. Band/load steering is just problematic because you can never predict how a client will react to it. Jeff >>> On Wednesday, September 24, 2014 at 5:07 PM, in message >>> <9b14e007db035b49b466f094e5a6ed3649346...@mailmb04.ad.adelaide.edu.au>, >>> Jason Cook <[email protected]> wrote: Cisco here but we have had plenty of issues with Mac OS. Spent some time with TAC recently seeing what we can do about it with no real fix. Our EAP timers had gotten a bit out of whack, and adjusting them made improvements for some clients, but ultimately OSX clients just don’t seem to like roaming. Though we have seen rather large differences between devices. So a 2014 Macbook Pro and an Air, both running 10.9.4, both with the same model Broadcom card had different results. The Air continues to lost connectivity for 10+ seconds sometimes requiring intervention to get it back, while the pro was typically 4 seconds or less. Sometimes the Air is authenticating, others it’s waiting for DHCP…. Or both For a stationary client, we have seen this issue occur when a client sits between 2 AP’s and get a pretty similar signal from both. As signal fluctuates, the client jumps AP and the above happens. Note I don’t see “Ptk Challenge Failed” in our logs. -- Jason Cook The University of Adelaide, AUSTRALIA 5005 Ph : +61 8 8313 4800 e-mail: [email protected]<mailto:[email protected]> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Derek Johnson Sent: Thursday, 25 September 2014 1:53 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent SSIDs Aruba 6.3 Likewise, I see the same "Ptk Challenge Failed" errors show up in logs. Sometimes I've seen it when a client's having temporary issues, other times I'll see it when a client is roaming rapidly. As an example, when someone is walking across campus with a smartphone in their pocket (which never happens..... cough) and it's trying to connect to APs as it moves along. It may move out of range of the AP before the key exchange completes, and I'll see this error. When I spoke with Aruba support about these issues, they didn't seem concerned, though I never could get a straight answer why it would happen with a stationary client. I'd be very interested to hear what you learn about it. :) FWIW, I'm running AOS 6.3.1.11 with AP-225s here. OKC disabled, PMKID enabled. Derek Johnson | Data Communications Coordinator FORT HAYS STATE UNIVERSITY 415 Lyman Dr. TH 101, Hays, KS 67601 (785) 628 - 5688 | [email protected] From: "Wang, Yu" <[email protected]> To: [email protected] Date: 09/24/2014 10:19 AM Subject: Re: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent SSIDs Aruba 6.3 Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> I echo what Ryan described here. Ryan alerted me of this issue and after changing user logging level to notification on our Aruba controllers, we got quite a number of “Ptk Challenge Failed” in our logs. We have both OKC and Validate PMKID enabled and have not changed any of the settings as I saw Aruba engineers gave conflict statements. Yu Wang ____________________________ Network Architect Information Technology Services The Florida State University 850-645-6810 [email protected] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Turner, Ryan H Sent: Wednesday, September 24, 2014 10:29 AM To: [email protected] Subject: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent SSIDs Aruba 6.3 We’ve had complaints for a while that would come in sporadically, but didn’t pay them much mind as it was always difficult to reproduce. The complaint was with Apple devices (normally OSX) that would just drop connectivity and then reestablish moments later. People would complain that our secure SSID (our primary EAP-TLS WPA2-Ent SSID) was not stable. It was always from Apple users. Recently, however, one of our employees with an Apple running OSX (Yosemite) started to have the problem routinely on our PSK SSID. When I turned on debugging in the logs, the following message was logged every time he dropped: Sep 5 10:53:48 :501105: <NOTI> |AP [email protected] stm| Deauth from sta: 48:d7:05:bf:28:e5: AP 172.28.65.99-00:1a:1e:52:dd:51-RB_House_016 Reason Ptk Challenge Failed When I did a google the Ptk Challenge failed, it turned up an Airheads forum that said that since OSX devices don’t support Opportunistic Key Caching, having this enabled on your controllers could cause drops on these devices when they roam from AP to AP. We disabled it on both out UNC-Secure and UNC-PSK SSIDs, and yet the user is still having disconnects, and we still see this message when his device drops. We actually see a LOT of these messages in the logs now that I have turned on the proper notification logging, indicating that this error message is either a red herring, or a lot more prevalent in our environment that we had hoped for. I plan on opening a case with Aruba, but before I beat my head against a wall for the next couple of hours with a support engineer, have any of you seen this problem and tackled it? Ryan H Turner Senior Network Engineer The University of North Carolina at Chapel Hill CB 1150 Chapel Hill, NC 27599 +1 919 445 0113 Office +1 919 274 7926 Mobile ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. !DSPAM:911,54248bec232402388798487! ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
