RT-AC86U with 384.15 has an unknown MAC trying to connect over and over


automaton

New Around Here
My general log was getting spammed with disassoc messages after migrating from 384.13 to 384.15. I commented about this problem here: 384.14_2 on AC86U | Disassociated because sending station is leaving....

The log spam looks like this:

Mar 5 11:54:11 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:15 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:15 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:19 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:19 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:24 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:24 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:28 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:28 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:32 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:32 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:36 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:36 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:40 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:40 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:44 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:44 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)

This was mostly fixed after following the above thread; however, today I noticed the spam again. What's interesting is that it appears to be from a MAC address that is unidentified and that I don't recognize, and the Wireless Log shows the device as '<unknown>' for both IP and device name. Additionally, this device is not listed in the 'Display low level details' at all.

It constantly auths, then disassocs, and after a while I think it gives up and doesn't do it anymore.

The MAC address of the offending device is D8:F1:5B:xx:xx:xx which appears to be manufactured by Espressif Inc., a Chinese company who does generic WiFi chipsets mostly for IoT. But I don't have anything like that in my house, and I'm not sure if this is a malicious thing or not.

My SSIDs are set to hidden and have WPA2 on. This connection is only targeting eth1 (2.4GHz). Does anyone have a device with a similar MAC address? And if so, what is that device? Just trying to track it down...

Thanks.
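One way to triage the pattern in the post above, as an added example that is not part of the original post or of the router firmware: it counts Auth followed by Deauth_ind per MAC and reports stations that repeat the cycle and log nothing else. The function name, thresholds, the second MAC and the rule that any other event type means the station made progress are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's log format. 02:00:00:00:00:01 is a made-up station.
SAMPLE = """\
Mar 5 11:54:11 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:15 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:15 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:19 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:54:19 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth D8:F1:5B:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Mar 5 11:54:24 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind D8:F1:5B:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Mar 5 11:55:00 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth 02:00:00:00:00:01, status: 0, reason: d11 RC reserved (0)
Mar 5 11:55:02 syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind 02:00:00:00:00:01, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) .*?wlceventd_proc_event\(\d+\): (?P<iface>\w+): "
    r"(?P<event>\w+) (?P<mac>(?:[0-9A-Fa-fX]{2}:){5}[0-9A-Fa-fX]{2}),"
)

def find_auth_loops(log_text, min_cycles=3, max_gap_s=10):
    """Return {(iface, mac): cycles} for stations that only repeat Auth -> Deauth_ind."""
    pending = {}              # (iface, mac) -> timestamp of the last unmatched Auth
    cycles = defaultdict(int)
    progressed = set()        # stations that logged any other event type (assumption)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["iface"], m["mac"].upper())
        # Syslog omits the year; 2020 is a placeholder, only time differences are used.
        ts = datetime.strptime("2020 " + m["ts"], "%Y %b %d %H:%M:%S")
        if m["event"] == "Auth":
            pending[key] = ts
        elif m["event"] == "Deauth_ind":
            start = pending.pop(key, None)
            if start is not None and 0 <= (ts - start).total_seconds() <= max_gap_s:
                cycles[key] += 1
        else:
            progressed.add(key)
    return {k: n for k, n in cycles.items() if n >= min_cycles and k not in progressed}

if __name__ == "__main__":
    for (iface, mac), n in find_auth_loops(SAMPLE).items():
        print(f"{iface} {mac}: {n} Auth/Deauth_ind cycles, no other events")
```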
 
