Skip to main content

7 Messages

 • 

130 Points

Mon, Aug 12, 2013 11:48 PM

Doesn't need answer

ZF7372 High Client Density issue

Hi Everyone,

I'm evaluationg the zf7372 as a potential replacement for some 2942's and 7363's that I use in a very high density environment. We typically budget 75-85 stations per radio on the current AP's we have. From the documentation on the 7372 it looks like it can handle 250 stations per radio and I'd really like to present a case for upgrading to reduce protocol overhead by reducing the number of AP's, but I need to get a proof working in the lab first.

I've setup a testing environment in one of my labs, and have only been able to get ~120 devices to associate before the AP stops accepting associations. The logs on the attached ZD1100 show "User [DEVICE_MAC] fails to join WLAN [WLAN_NAME] from AP[AP_MAC]"

I've done a little more snooping using some of the tools I have and it appears that once I hit this ~120 device limit, the newer devices are able to associate, but are immediately (within ~7ms) sent a deauth frame. This testing environment is an open/WEP64 wlan, so I don't think I'm running into memory or other resource issues on the AP during the negotiation phase, but I could be wrong. I've looked at the AP logs and they show that the AP has plenty of memory remaining (60+MB)

I'm running 9.6.0.0.267 on a zf1100 with the same release on the AP.

The logs on the AP show the following errors once I reach the ~120 device range and start to see the deauth frame response to new clients:

Aug 12 23:35:04 RuckusAP user.info kernel: tac_set_station_key(): tac_set_station_key: new key failed
Aug 12 23:35:04 RuckusAP user.info kernel: net80211_tac_cfg_sta_add(): add station {DEVICE_MAC} session key,failed cipher = 2
Aug 12 23:35:04 RuckusAP user.info kernel: tac_set_station_key(): tac_set_station_key: new key failed
Aug 12 23:35:04 RuckusAP user.info kernel: net80211_tac_cfg_sta_add(): add station {DEVICE_MAC} session key,failed cipher = 2
Aug 12 23:35:04 RuckusAP local2.err syslog: Failed add station in processing MSG_MOBILE_CFG_REQ

I've tried disabling all the features I can to narrow down the issue, but I haven't had any luck (background scanning on/off, dropping multicast packets on/off, client load balancing on/off, client fingerprinting on/off, only one wlan active on the AP, etc). I've also ensured that the device limits are set higher than 120 clients so I don't believe I'm running into an issue there. I also don't see any warnings about reaching 90%+ of the AP's capacity as I generally do when I approach the limits on a 7363 device which also leads me to believe that it's a software issue and not a misconfiguration.

Anyone have some pointers on what might be going on here? It's starting to look like a bug in the AP firmware somewhere in the key management subsystem to me.

~WlanGeek

Responses

683 Messages

 • 

11K Points

7 years ago

Do you have TKIP enabled by any chance? Switch to AES explicit if so (don't use auto). TKIP abuses the CPU.

7 Messages

 • 

130 Points

7 years ago

I'm using wep-64 as most of my device chiptsets have builtin hardware for wep and don't require the use of wpa-supplicant to handle encryption. The CPU utilization seemed to be around 50% according to the logs while I was experiencing this issue. Any chance you could forward the error log to an engineer? This seems like the kinda thing the right individual would look at and either say "hrm...that's interesting...it should never do that" or "hrm...I know just what's going on here".

683 Messages

 • 

11K Points

7 years ago

If you get a case opened I can get it to our escalation team (I would open a case for you but I can't ID you in any of our systems using your forum email...)

-K
Brand User

2.6K Messages

 • 

44.8K Points

7 years ago

WlanGeek, your AP can support more than 100 clients, thou WEP is not a regular
client, but requires wifi chip hardware keycache which is limited to 128 slots, and
with some overhead, 112 slots is a more likely limit for WEP (only) clients. You
should find that you can add additional Open Auth (or WPA) type clients after
you've maxed the WEP clients.

Please also be aware that WEP will not be supported in our (very near) future
ZoneDirector/SCG releases of firmware.

7 Messages

 • 

130 Points

7 years ago

Hi Michael,

I've tried WPA2 with AES and seem to be hitting a limit at ~112 clients with a similar message to the WEP case in the AP's onboard logs. When you said WPA type clients were you refering to all the WPA versions, or only to WPA (and excluding WPA2)?

7 Messages

 • 

130 Points

7 years ago

ttt

1 Message

 • 

62 Points

7 years ago

Another one here on 9.6.0.0... WPA2 with AES, ~112 clients then the super quick auth / deauth... ZF7982 APs, more than capable of handling this number of clients... In fact, they do, but no more than 112 on the WPA2 WLAN... HELP?!

7 Messages

 • 

130 Points

7 years ago

@Craig, Are you able to get more than 112 clients with some kind of encryption associated with an AP (eg 100 WPA2 and 100 WEP)? I'm starting to wonder if the 250device/radio claim only applies when you're not running any kind of encryption or security and there's still a ~100 device limit when you're running something other than a completely open network. Anyone from Ruckus want to chime in here?

7 Messages

 • 

130 Points

7 years ago

Soo...ruckus...where are you guys? This seems like a pretty simple question to answer. This doesn't give me warm fuzzies about becoming a ruckus customer.

683 Messages

 • 

11K Points

7 years ago

@wlangeek - I'm working on getting someone to provide details on how the AP max clients values are obtained and what if any caveats may exist.

126 Messages

 • 

2.4K Points

7 years ago

I have seen mentioned in the docs, that 250 associated clients per radio are supported without authentication and encryption.
Iti will be not a surprise, if using WPA/TKIP and even worse, WEP can degrade max connected client quantity. I suppose, WPA2/AES must be better.

I also can't imagine what kind of environment you have, which require high density for devices, supporting WEP-only. Antique devices usually have also 802.11b WLAN cards, which will make such environment not usable much before 100 associations, also they must be at least 10 years old, and must be a candidate for replacement long ago. WEP also normally isn't allowed on corporate networks because of security reasons.
As WEP is not much a security any more, you would be probably in better position using just WEB authentication without encryption (we have used it in a very loaded networks, and it works well), allowing much more clients.

Hope it helps,
Eizens

11 Messages

 • 

370 Points

7 years ago

Hi all - sorry for delayed response here.
The 250+ client limit is for un-encrypted only. For encrypted clients eg WPA/AES, the limitation is just over 100 clients, defined by the size of the encryption block in the WiFi chips used in our APs.

-Dave

7 Messages

 • 

130 Points

7 years ago

Thanks @Dave!

Can you clarify for me whether this encrypted connection limit is ~100 devices per radio, or ~100 devices per access point? I have some ability to force my devices to load balance between the 2.4GHz and 5GHz bands and I might be able to make this work with some creativity on the client side if I could get 100 devices per radio (Eg. 200 per AP - 100 on 2.4GHz and 100 on 5GHz ).

@Eizens: I'm not forced to use WEP for this application, but it was the simplest to implement initially so I went with that. I've done some small scale testing with ~150 devices using WPA2/AES and found that the limit was ~112 devices there as well. I was hoping that the 250 device/radio spec would hold for some of the newer 802.11 security methods as much of the overhaed is handled in user space by WPA Supplicant on the *nix side (thereby dodging hardware encryption engine limitations and being limited instead by CPU, memory, and latency).

-WlanGeek

11 Messages

 • 

370 Points

7 years ago

The 100 encrypted connection limit is per radio, so 200 per AP for a dual-band like 7372. Note that if the encryption table is full (e.g. 100 clients), it is still possible to add un-encrypted connections until the sum total of connections reaches the un-encrypted limit.

9 Messages

 • 

174 Points

7 years ago

WlanGeek, I am concerned of your initial step of trying to reduce ap count to open up protocol overhead? Are you talking about the management and control frames? If you are having traffic issues with your ap's separate the ap's into different vlans to reduce the amount of traffic in each vlan. Keep your clients separate from your management vlans and the management traffic should be a negligible issue if one at all. Your clients will have a much easier time if you can spread the clients out between more radios, not fewer radios at higher client density! Remember this is a shared medium and only one client can talk to one radio at a time, throughput of a radio with 250 clients attached to it has got to be a trickle and that would happen even with ac and 80 MHz channels. That is setting yourself up for failure in my opinion. Do you really want 250 clients on each radio? Not this guy!