"MLME-REPLAYFAILURE" messages

Gilbert Mendoza linuxcruiser at yahoo.com
Sun Jan 23 17:35:44 EST 2005


> 
> What driver is this? Host AP driver does not generate this kind of
> message.
> 

I am using the latest CVS version of the madwifi drivers.

Chipset:  Atheros 5212
ATH_PCI_VERSION "0.9.4.12"
ATH_HAL_VERSION "0.9.12.14"
WLAN_VERSION    "0.8.4.5"

I am also using wpa_supplicant 0.3.4

Environment:
Cisco Aironet 1200 APs
Cisco Secure ACS v3.3
WPA+TKIP
EAP-PEAP with MSCHAPv2
EAP-PEAP with GTC


> > Custom wireless event:
> > 'MLME-REPLAYFAILURE.indication(keyid=2 broadcast addr=01:00:5e:00:00:01)'
> > Wireless event: cmd=0x8c02 len=83
> 
> I would assume this means that the driver noticed a packet with the same
> (or smaller than current) sequence number and dropped it as a possible
> replay attack. In this case, the packet is a multicast packet from the
> AP. The driver you are using may have some additional debug options
> available for finding out more details of the packet. Alternatively, you
> could use a wireless sniffer to verify whether the AP is incrementing
> packet number for the multicast packets.


I did some searching and see that the MAC address in fact represents a
multicasted message.  A preliminary wired analysis of my network's
multicast traffic shows a couple of infrequent, however known-good,
IGMP messages which may be the "culprit".  I'll see if I can match them
up with a wireless Ethereal session once back at the office.


> 
> Multicast packets are not retransmitted, so this could indicate a bug in
> the AP or something else replaying already sent messages.
> 

I set my Access Point's logging level to 7 (debug) and don't see anything
out of the ordinary (not to say there's not an issue).  I will upgrade
the IOS to the latest available from Cisco however.  There are quite a
few bug fixes in the new 12.3.2-JA release.  Interestingly, there is a
WPA/TKIP replay detection feature which may or may not help in this
situation, as it is referring to bridge links with concatenation
enabled.  We'll see what else turns up.

Thanks for the reply.  I'll keep you posted.



=====
- Gilbert Mendoza
- PGP Key ID: 7987FCA8
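
Added example, not part of the original message and not code from madwifi or wpa_supplicant: a simplified C model of the receive-side check described in the quoted reply, where a frame whose 48-bit TKIP sequence counter is the same as or smaller than the last one accepted for that key id is dropped and reported. The struct, the function names and the frame counters are constructed for illustration; the event text is formatted to match the line quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_KEYS 4

/* Hypothetical receiver state: last accepted 48-bit counter per key id. */
struct rx_state {
    uint64_t last_tsc[NUM_KEYS];
    int seen[NUM_KEYS];
};

/* Build the 48-bit counter from six bytes, least significant byte first. */
static uint64_t tsc_from_bytes(const uint8_t b[6])
{
    uint64_t v = 0;
    for (int i = 5; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* Returns 1 if accepted, 0 if dropped (event text in evt), -1 on bad key id. */
static int rx_check_replay(struct rx_state *st, int keyid, uint64_t tsc,
                           int is_group, const char *addr,
                           char *evt, size_t evtlen)
{
    if (keyid < 0 || keyid >= NUM_KEYS)
        return -1;
    if (st->seen[keyid] && tsc <= st->last_tsc[keyid]) {
        snprintf(evt, evtlen,
                 "MLME-REPLAYFAILURE.indication(keyid=%d %scast addr=%s)",
                 keyid, is_group ? "broad" : "uni", addr);
        return 0;   /* counter did not advance: state is left unchanged */
    }
    st->last_tsc[keyid] = tsc;
    st->seen[keyid] = 1;
    return 1;
}

int main(void)
{
    /* Constructed sample: counters of four group frames under key id 2. */
    const uint8_t frames[4][6] = {
        {0x10,0,0,0,0,0}, {0x11,0,0,0,0,0}, {0x11,0,0,0,0,0}, {0x00,0x01,0,0,0,0}
    };
    struct rx_state st;
    char evt[96];
    memset(&st, 0, sizeof st);
    for (int i = 0; i < 4; i++) {
        int ok = rx_check_replay(&st, 2, tsc_from_bytes(frames[i]), 1,
                                 "01:00:5e:00:00:01", evt, sizeof evt);
        printf("frame %d: %s\n", i, ok ? "accepted" : evt);
    }
    return 0;
}
```

Because group-addressed frames are not retransmitted, the third frame in the sample (a repeated counter) is the only one the model reports.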
