
Clients can't associate - TKIP chop-chop attack?


Christoph
Contributor
Hello,

One of our customers has a v2110 controller with AP36xx. Since the beginning of this year they have had several APs that clients are not able to (re)connect to. Only a reboot of the AP helps. Then clients are able to connect again.
This behaviour happens every few weeks and, under higher load, sometimes several times a day.

Many APs at different locations are affected.

The traces we took from the APs prior to reboot have the following log messages in common:
Info 05/28/14 07:15:35: Can't deflect TKIP chop-chop attack--no sta!

The software version is 8.11.06.0006-1

Are there any security procedures implemented which cause this issue, or is it a bug?

6 REPLIES

Doug
Extreme Employee
Hello,

The quick fix for this is to disable WPA1 and/or Auto mode with WPA2. You should set WPA2-AES only. Here is an explanation of the attack - http://wirelessnetworkssecurity.blogspot.com/2013/01/wpa-attacks.html

There is a potential for false positives with clients that are having issues; these are usually driver related.

-Doug

Doug Hyde
Director, Technical Support / Extreme Networks

hsachse
New Contributor III
Good security recommendation, Doug. If no devices require TKIP, moving to AES only is a good choice.

If I remember right, some client reconnect issues are fixed in newer firmware releases. The 8.11.06.x firmware is really not up to date. I would recommend that you update the firmware to version 8.21.x or 8.32.x. The 8.21.x tree is really stable (my experience in several customer installations).