CommScope RUCKUS Community Forums

wlangeek · ‎08-12-2013

Hi Everyone,

I'm evaluationg the zf7372 as a potential replacement for some 2942's and 7363's that I use in a very high density environment. We typically budget 75-85 stations per radio on the current AP's we have. From the documentation on the 7372 it looks like it can handle 250 stations per radio and I'd really like to present a case for upgrading to reduce protocol overhead by reducing the number of AP's, but I need to get a proof working in the lab first.

I've setup a testing environment in one of my labs, and have only been able to get ~120 devices to associate before the AP stops accepting associations. The logs on the attached ZD1100 show "User [DEVICE_MAC] fails to join WLAN [WLAN_NAME] from AP[AP_MAC]"

I've done a little more snooping using some of the tools I have and it appears that once I hit this ~120 device limit, the newer devices are able to associate, but are immediately (within ~7ms) sent a deauth frame. This testing environment is an open/WEP64 wlan, so I don't think I'm running into memory or other resource issues on the AP during the negotiation phase, but I could be wrong. I've looked at the AP logs and they show that the AP has plenty of memory remaining (60+MB)

I'm running 9.6.0.0.267 on a zf1100 with the same release on the AP.

The logs on the AP show the following errors once I reach the ~120 device range and start to see the deauth frame response to new clients:

Aug 12 23:35:04 RuckusAP user.info kernel: tac_set_station_key(): tac_set_station_key: new key failed
Aug 12 23:35:04 RuckusAP user.info kernel: net80211_tac_cfg_sta_add(): add station {DEVICE_MAC} session key,failed cipher = 2
Aug 12 23:35:04 RuckusAP user.info kernel: tac_set_station_key(): tac_set_station_key: new key failed
Aug 12 23:35:04 RuckusAP user.info kernel: net80211_tac_cfg_sta_add(): add station {DEVICE_MAC} session key,failed cipher = 2
Aug 12 23:35:04 RuckusAP local2.err syslog: Failed add station in processing MSG_MOBILE_CFG_REQ

I've tried disabling all the features I can to narrow down the issue, but I haven't had any luck (background scanning on/off, dropping multicast packets on/off, client load balancing on/off, client fingerprinting on/off, only one wlan active on the AP, etc). I've also ensured that the device limits are set higher than 120 clients so I don't believe I'm running into an issue there. I also don't see any warnings about reaching 90%+ of the AP's capacity as I generally do when I approach the limits on a 7363 device which also leads me to believe that it's a software issue and not a misconfiguration.

Anyone have some pointers on what might be going on here? It's starting to look like a bug in the AP firmware somewhere in the key management subsystem to me.

~WlanGeek

keith_redfield · ‎08-24-2013

@wlangeek - I'm working on getting someone to provide details on how the AP max clients values are obtained and what if any caveats may exist.

eizens_putnins · ‎08-24-2013

I have seen mentioned in the docs, that 250 associated clients per radio are supported without authentication and encryption.
Iti will be not a surprise, if using WPA/TKIP and even worse, WEP can degrade max connected client quantity. I suppose, WPA2/AES must be better.

I also can't imagine what kind of environment you have, which require high density for devices, supporting WEP-only. Antique devices usually have also 802.11b WLAN cards, which will make such environment not usable much before 100 associations, also they must be at least 10 years old, and must be a candidate for replacement long ago. WEP also normally isn't allowed on corporate networks because of security reasons.
As WEP is not much a security any more, you would be probably in better position using just WEB authentication without encryption (we have used it in a very loaded networks, and it works well), allowing much more clients.

Hope it helps,
Eizens

david_botha · ‎08-25-2013

Hi all - sorry for delayed response here.
The 250+ client limit is for un-encrypted only. For encrypted clients eg WPA/AES, the limitation is just over 100 clients, defined by the size of the encryption block in the WiFi chips used in our APs.

-Dave

wlangeek · ‎08-26-2013

Thanks @Dave!

Can you clarify for me whether this encrypted connection limit is ~100 devices per radio, or ~100 devices per access point? I have some ability to force my devices to load balance between the 2.4GHz and 5GHz bands and I might be able to make this work with some creativity on the client side if I could get 100 devices per radio (Eg. 200 per AP - 100 on 2.4GHz and 100 on 5GHz ).

@Eizens: I'm not forced to use WEP for this application, but it was the simplest to implement initially so I went with that. I've done some small scale testing with ~150 devices using WPA2/AES and found that the limit was ~112 devices there as well. I was hoping that the 250 device/radio spec would hold for some of the newer 802.11 security methods as much of the overhaed is handled in user space by WPA Supplicant on the *nix side (thereby dodging hardware encryption engine limitations and being limited instead by CPU, memory, and latency).

-WlanGeek

david_botha · ‎08-28-2013

The 100 encrypted connection limit is per radio, so 200 per AP for a dual-band like 7372. Note that if the encryption table is full (e.g. 100 clients), it is still possible to add un-encrypted connections until the sum total of connections reaches the un-encrypted limit.

CommScope RUCKUS Community Forums

ZF7372 High Client Density issue