[WLAN access rejected: incorrect security] from MAC address Constantly in Logs

[Frostedflake87]

Afternoon,

I just have a question about the logs I have been getting for while now. About every three seconds I get the following error from the same MAC Address:

[WLAN access rejected: incorrect security] from MAC address 00:01:36:xx:xx:xx, Thursday, April 16, 2020 16:58:56
[WLAN access rejected: incorrect security] from MAC address 00:01:36:xx:xx:xx, Thursday, April 16, 2020 16:58:53
[WLAN access rejected: incorrect security] from MAC address 00:01:36:xx:xx:xx, Thursday, April 16, 2020 16:58:50

The MAC is not a device I own, I have no idea what it is. Anything I can do about it?

Thanks,

Ben

[Netduma Fraser]

Hey, welcome to the forum!

Do you have any devices that are connected to the ISP hub or another router behind the XR? Do you have remote management enabled in Advanced Settings?

[Frostedflake87]

I have the Hitron Coda-4582 Modem from my ISP which is set to bridge mode, then the XR500 is connected to it. I have 3 wired devices connected to the XR500 but nothing else connected to the modem. Remote Management has not been configured by me and is off.

[Zippy]

Hey Frostedflake, Is that MAC address possibly the MAC of your Hitron Coda Modem? Id double check that once and see. 

Good luck!

Zippy.

[Frostedflake87]

I checked the modem and it doesn't have that MAC address. I was trying to get an open NAT for the Playstation this morning. From within the Address Reservation menu I can see a device with that MAC. It's listed as IP: <unknown> and Device name: <unknown>.

[Netduma Fraser]

Put the full MAC address into this tool and it will lookup what the manufacturer of the device is which may give you a better idea of what it could be: https://dnschecker.org/mac-lookup.php

What are your WiFi settings like? Do you have an easy to guess WiFi password?

[Zippy]

That tool Fraser has posted should help out tremendously. It will at least help narrow it down for you. Sometimes a device will have a couple different MACs for the same device. Each one has a different reason. If there is a MAC address that is close to one you have or know of on your network then its very possible it has two for a reason. This is very common to see this on modem gateways as an example. One MAC for the modem side and one for the router side. Even though its just one device.

Zippy.

[Frostedflake87]

I've looked up the MAC address before and it belongs to Cybertan Technology, I'm sure you know that because you linked the site. I have no gear made by them. I may have a device that uses say a Cybertan chip for wireless but I would have no idea how to even go about finding that out.

The WIFI password is not as secure as most of my stuff. The password would definitely be more geared toward convenience than security for the people living here, I didn't select it. Should be fine but I could make it more complex should that be necessary. I use a password manager for pretty much everything else and my passwords are 20+ characters (paranoid I know). To do that for the WIFI doesn't make it easy to connect new devices.

Would you be able to shed more light on what the log message means? Is the device already on the network and if so, why would it not show up as a device on the router?

[Netduma Alex]

It's not already on the network, the error means that the connection attempt was made, but the security info provided was incorrect. This could happen if you tried to connect a new device, but you entered the password incorrectly.

[Frostedflake87]

Then would changing or hiding the SSID prevent the attempts?

[Netduma Fraser]

19 minutes ago, Frostedflake87 said:

Then would changing or hiding the SSID prevent the attempts?

Someone could still attempt access, whatever password you choose. In WAN Setup disable Respond to Ping on the internet and that should make it harder for anyone to try and access you.

[Frostedflake87]

33 minutes ago, Netduma Fraser said:

Someone could still attempt access, whatever password you choose. In WAN Setup disable Respond to Ping on the internet and that should make it harder for anyone to try and access you.

It is already disabled.

[Netduma Fraser]

You mentioned you saw that device listed in the network, delete it from the device manager and see if you get any attempts again.

[Frostedflake87]

The device is listed in the Address Reservation Menu under LAN Setup. It is not present anywhere else on the router, including device manager.

[Netduma Fraser]

So it's been given a reservation then? Delete that as you don't know what it is, I then assume that the entries will stop.

[Frostedflake87]

Sorry if I am not explaining it clearly.. The device was not given a reservation. The device shows up as a device available to make a reservation but does not appear anywhere else on the router.

 

[Netduma Fraser]

That is really strange, I'd suggest you take a backup of your settings then do a reset and restore from the backup. We're going overboard here but it should be fine regardless.

[Frostedflake87]

14 minutes ago, Netduma Fraser said:

That is really strange, I'd suggest you take a backup of your settings then do a reset and restore from the backup. We're going overboard here but it should be fine regardless.

Do you guys have an SOP for this?

[Netduma Fraser]

• Go to Settings > Administration > Backup Settings
• Click Backup to download the file
• Click erase to factory reset
• Wait 1 - 2 minutes and try to access the interface - it may refresh the page if you were still on the page and connected via ethernet
• Go back to the same page and restore

It's possible the device entry may come back after restoring, so it depends how much hassle it is for you to resetup after a reset. Myself personally would recommend reset without restoring.

[Frostedflake87]

Okay, thank you Fraser. I will give it a try during off hours. I don't want to cause downtime for the people using the internet right now, could be a couple day. I'll update here when complete.

[zrocweb]

I recently acquired the XR1000 and I have my logs when they fill up email me. I awoke this morning to about 5 emails with nothing but these [WLAN access rejected.....] messages with mac addresses I have now clue to.  I looked them up and one is from Vendor/company linksprite technologies, inc. and the other is from hewlett packard .

Why doesn't the message include the attempts "from" ip"?

Are these attempts being access wireless? I would assume?  The only HP product I have is a wireless HP Laserjet printer and I have confirmed one of the addresses in the log is from this printer.  What's happening?

Any suggestions?? The logs just keeps filling up and filling up with these repeated msgs.

[Netduma Fraser]

Hey, welcome to the forum!

Have you put any device in the DMZ at all? That is most likely the reason for getting the entries, I think they're false positives.

[zrocweb]

Hey. No I have not. I generally stay away from DMZ for reasons...

However I was able to resolve the HP issue. So that one is gone and not re-attempting / given proper credentials.

So I guess I have another device from that "LinkSprite Tech" company that I never knew was by them. I looked into them a little and I think it might be our dishwasher, frig or range oven. Almost makes sense as when I installed and setup the XR1000 I changed all credentials to my networks. So just have to figure out which one it is. Not an easy task though as you can't get info from them to view their MAC's.

 

Thanks for the response man! Appreciate it.

This might be off topic but with the QOS with a verizon gig connection what do you recommend for that setting as well as the sliders?

[Netduma Fraser]

1 hour ago, zrocweb said:

Hey. No I have not. I generally stay away from DMZ for reasons...

However I was able to resolve the HP issue. So that one is gone and not re-attempting / given proper credentials.

So I guess I have another device from that "LinkSprite Tech" company that I never knew was by them. I looked into them a little and I think it might be our dishwasher, frig or range oven. Almost makes sense as when I installed and setup the XR1000 I changed all credentials to my networks. So just have to figure out which one it is. Not an easy task though as you can't get info from them to view their MAC's.

Thanks for the response man! Appreciate it.

This might be off topic but with the QOS with a verizon gig connection what do you recommend for that setting as well as the sliders?

From what I can see they deal with a lot of AI and IOT devices so what you've said makes sense and I doubt your dishwasher would be trying to access the interface!

For a gig connection you don't really need to use QoS as you're very unlikely to have local congestion but you could start on 70% upload/download with Auto Enable so it only applies when you're gaming and then leave everything else on QoS as is.

[zrocweb]

Thanks for the response. So still haven't found the damn device this mac is trying to gain access from. Have all devices accounted for. Any suggestions?

Also, a little off-topic again here again, sorry.  Having some issues this morning with my children's school chromebook's not seeing the network(reg or guest)? Any suggestions.