What's new

RT-AC86U with 384.15 has an unknown MAC trying to connect over and over

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

automaton

Occasional Visitor
My general log was getting spammed with dissoc messages after migrating from 384.13 to 384.15. I commented about this problem here: 384.14_2 on AC86U | Disassociated because sending station is leaving....

The log spam looks like this:

Mar 5 11:54:11 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:15 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:15 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:19 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:19 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:24 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:24 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:28 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:28 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:32 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:32 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:36 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:36 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:40 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:40 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:44 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:44 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)​

This was mostly fixed after following the above thread, however today I noticed the spam again. However what's interesting is it appears to be from a MAC address that is unidentified and I don't recognize it either, and the Wireless Log shows the device as '<unknown>' for both IP and device name. Additionally, this device is not listed in the 'Display low level details' at all.

It constants auths, then dissasocs, and after awhile I think gives up and doesn't do it anymore.

The MAC address of the offending device is D8:F1:5B:xx:xx:xx which appears to be manufactured by Espressif Inc., a Chinese company who does generic WiFi chipsets mostly for IoT. But I don't have anything like that in my house, and I'm not sure if this is a malicious thing or not.

My SSIDs are set to hidden and have WPA2 on. This connection is only targeting eth1 (2.4GHz). Does anyone have a device with the similar MAC address? And if so, what is that device? Just trying to track it down...

Thanks.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top