I am getting this error for many clients. I don't think they get disconnected, but it's just filling up my logs:
xtrcca204wm40: *Dot1x_NW_MsgTask_3: Dec 15 17:22:36.045: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client cc:3d:82:5d:f5:43
I've read many Cisco posts in regard to this, and they recommend changing the EAPOL-Key Timeout to 5000 ms. I'll probably try to play around with the values this Friday, but will increasing (or decreasing) the value really help? We are using the default of 1000 ms. Thanks.
Best Answer
This error is caused by Windows 7 clients specifically.
Cisco is aware of the problem, but has never fixed the issue on the controller. Since the Cisco bug tool requires access, I've posted the answer as described by Cisco.
In our own setup with 11 to 12.000 clients a day, we get tons of these errors on our WLC 8540.
The bug can be found here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuh22382
Case description:
Symptom: Windows 7 clients connecting to wireless networks with WPA2 and session timeout may get disconnected during the key exchange after reauthentication.
This is because on the re-keying process the Win7 clients are sending message M2 with what the WLC considers to be a MIC error. "debug client" on the WLC will show messages similar to the following:
Usually at this point, the WLC will retransmit the M1, and then the second time the client sends its M2, it will not have an invalid MIC, and the key exchange will succeed.
Conditions: Windows 7 Clients connecting to wireless network with WPA2/AES with EAP, and session timeout enabled on the WLAN.
This problem is seen with all client chipsets.
Workaround: Use WPA1 or Disable session timeout.
This problem can be mitigated by reducing the EAPOL key retransmission timeout (e.g. "config advanced eap eapol-key-timeout 300"). Do be aware that reducing this value might negatively impact key negotiations with some very old and slow clients.
More Info: How to reproduce:
This bug is marked as Junked because it is a Microsoft, not a Cisco bug.
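To separate the benign case the bug note describes (one rejected M2 per rekey, then a successful retransmit) from a client that keeps failing its key exchange, here is an added example, written for this thread and not taken from Cisco or the posters, that parses log lines in the format quoted in the question and flags clients with a burst of these errors. The MAC addresses, timestamps and the burst thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the WLC format quoted above (MACs and times are made up).
SAMPLE_LOG = """\
wlc1: *Dot1x_NW_MsgTask_3: Dec 15 17:22:36.045: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client a4:5e:60:00:00:01
wlc1: *Dot1x_NW_MsgTask_1: Dec 15 17:22:36.901: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client 00:11:22:33:44:55
wlc1: *Dot1x_NW_MsgTask_3: Dec 15 17:23:02.118: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client 00:11:22:33:44:55
wlc1: *Dot1x_NW_MsgTask_2: Dec 15 17:23:40.500: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:957 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client 00:11:22:33:44:55
wlc1: *Dot1x_NW_MsgTask_0: Dec 15 17:24:10.000: #OTHER-6-INFO: unrelated message, client aa:bb:cc:dd:ee:ff
"""

# hostname: *task: timestamp: #FACILITY-SEV-MNEMONIC: text ... client <mac>
LINE_RE = re.compile(
    r"^(?P<wlc>\S+): \*(?P<task>\S+): (?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"#(?P<msgid>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*?)"
    r"(?: client (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?$"
)
EAPOL_MSG = "DOT1X-3-INVALID_WPA_KEY_MSG_STATE"


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the WLC format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # WLC syslog carries no year; strptime defaults to 1900, fine for time deltas.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    return rec


def eapol_errors_per_client(log_text, msgid=EAPOL_MSG):
    """Map client MAC -> list of timestamps of the given error message."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msgid"] == msgid and rec["mac"]:
            events[rec["mac"]].append(rec["ts"])
    return dict(events)


def noisy_clients(log_text, min_events=3, window_s=120):
    """Clients with >= min_events errors inside any window_s seconds.
    A single error per rekey is the benign retransmit case; a burst means the
    retransmitted M1/M2 is not succeeding and the client deserves a 'debug client'."""
    flagged = {}
    for mac, stamps in eapol_errors_per_client(log_text).items():
        stamps.sort()
        for i in range(len(stamps) - min_events + 1):
            if (stamps[i + min_events - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[mac] = len(stamps)
                break
    return flagged
```

Feed it the output of the WLC message log (or a syslog export) and compare the flagged set before and after changing the eapol-key-timeout to see whether the change reduced repeated failures rather than just the one-off noise.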