This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Support Info Massage meaning

mitsui_electron
New Contributor

‎10-20-2014 09:18 PM

There are a lot of following messages and degraded the performance of AP.

Oct 16 05:52:21 RuckusAP daemon.warn Eved: MLME-REPLAYFAILURE.indication(wlan3 AES-CCM keyid=100 unicast RA:addr=50:a7:33:f7:c9:68 TA:addr=e8:99:c4:aa:0e:2a) (pkt-rsc:10879 k->rsc[1]:10885

Could you please let me know the meaning of the "REPLAYFAILURE" and the condition of generation?

Thank you.
Matsuura
11 REPLIES 11

kiyoshi_matsuur
New Contributor III

‎10-22-2014 06:01 PM

Thank you for your suggestion.
Customer already did several examination such as packet capture on radio etc.
In this first investigation, they found a lot of messages that I asked then simply asking what is the meaning. In order to get a clue, we are analysing the log and some capture data. It looks like an environment dependant issue.
If we would not get a clue or not to isolate a problem, we will submit a support case with our analysis result.
0 Kudos

michael_brado
Esteemed Contributor II

‎10-27-2014 05:53 PM

Ruckus Development Engineering manager made a comment in ER-1702:

My understanding is this is mainly caused by STA's re-transmission. It is normal to see replay failure in this case. I believe these messages are suppressed to avoid confusion in later releases.

You can ignore this as non-issue.

and

Yes, you can ignore the following message:

"Aug 22 12:56:41 HSK 1220-042 daemon.warn Eved: MLME-REPLAYFAILURE.indication(wlan15 AES-CCM keyid=68 unicast RA:addr=c4:10:8a:ff:3a:7d TA:addr=c4:10:8a:bf:3b:1d) (pkt-rsc:21846880 k->rsc[6]:21846928 "

This message is caused due to retransmissions and is displayed in case of WPA/WPA2 security being used. It is completely safe to ignore this message.

kiyoshi_matsuur
New Contributor III

‎10-27-2014 07:30 PM

Thank you for your information. They are very helpful to see a supportInfo for us.
We are trying to got a clue from investigation of RF environment.

Best Regards,
Matsuura
0 Kudos

michael_brado
Esteemed Contributor II
In response to kiyoshi_matsuur

‎08-23-2017 09:17 AM

Yes, that is correct, and you are most welcome.
0 Kudos

joke_jong
New Contributor III

‎02-07-2018 07:26 PM

Explanation i received from one of the good support engineer -

This is a unicast key scenario, where sender and receiver obviously both possess the same key. Under WPA, the encryption process provides an additional layer of packet-replay protection through use of sequence counter - this is very standard security engineering today, to prevent replay attack. And the replay attack / detection is very simple: keep track of the last known received sequence number, and if ever receiving a packet with a sequence # smaller or same, throw it away.

 

That is to say, over an WPA network, there are 2 mechanisms for duplicate (or even replay) detection: one provided by 802.11 protocol layer, and another one provided by 802.11i encryption layer.

 

The reason we have these logs is because of previous Atheros/Qualcomm chip / driver issue that requires a very ugly patch to deal in this area, where the link actually breaks because the received sequence counter is messed up. These logs in that case give us a clue. So to judge whether those logs are bad or not (by the way, it is not labeled an 'error', but 'warning') is whether packets can pass.

 

Repeat: the replay logs shall be considered harmless, unless there is an actual packet-passing problem.

Copyright © 2024 Khoros, LLC