BRKEWN-3011 Troubleshooting Wireless LANs with Centralized Controllers
Supportability
Software and Support Model
Troubleshooting Basics
The Client Debug
WLC Config Analyzer (WLCCA)
Additional Troubleshooting
WLC Supportability
Methods of Management
Using the GUI
Important Show Commands (CLI)
Important Debugs (CLI)
Best Practices
AP Supportability
Methods of Accessing the AP
Important Show Commands
Show tech-support
CLI Tip
Log all output
Config Paging Disable
Best Practices
Change default SNMP Parameters
Configure Syslog for WLC and AP
Enable Coredump for WLC and AP
Configure NTP Server for Date/Time
Enabling Telnet/SSH
WLC CLI: config ap [telnet/ssh] enable <ap name>
WLC GUI: Wireless > All APs > Select AP > Advanced
Select [telnet/ssh] > Apply
Show log
WLC: show ap eventlog <ap name>
Show capwap client <?>
CLI Tips
Debug capwap console client
Debug capwap client no-reload
[Figure: 802.11 client state machine]
4. Authentication Request
5. Authentication Response
State 2: Authenticated, Unassociated
6. Association Request
7. Association Response
State 3: Authenticated, Associated
8. (Optional: EAPOL Authentication)
9. (Optional: Encrypt Data)
10. Move User Data
© 2019 Cisco and/or its affiliates. Trainer-Amuya.... Cisco Public 17
Understanding the Client State
Name Description
8021X_REQD 802.1x (L2) Authentication Pending
DHCP_REQD IP Learning State
WEBAUTH_REQD Web (L3) Authentication Pending
RUN Client Traffic Forwarding
00:16:ea:b2:04:36 10.10.1.103 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
Association received
Association Request, client did not “Roam” (Reassociate)
AP Base Radio = 00:26:cb:94:44:c0
vlan 3
Vlan = Vlan # of Dynamic Interface
STA - rates
Mandatory Rates (>128) = (#-128)/2 Mbps, shown with an "m" suffix
Supported Rates (<128) = #/2 Mbps, shown with an "s" suffix
1m,2m,5.5m,11m,6s,9s,12s,18s,24s,36s,48s,54s
0.0.0.0 START
0.0.0.0 = IP we know for client (In this case nothing)
Scheduling deletion
Session Time on WLAN (1800 seconds in this case)
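The rate decoding rule above, as an added example (not code from the Cisco deck): it turns the raw Supported Rates bytes into the "1m,2m,5.5m,11m,6s,..." form the debug prints and back again. The 0xFF handling is an extension beyond the deck, since 802.11n reserves that value as the HT PHY BSS membership selector rather than a rate.

```python
# Decoder for the "STA - rates" line of the WLC client debug, following the deck's rule:
# a value of 128 or more (the deck writes >128) is a mandatory/basic rate, (value - 128) / 2
# Mbps, printed with "m"; a value below 128 is a supported rate, value / 2 Mbps, printed "s".
# Added example, not Cisco code. The 0xFF case goes beyond the deck: 802.11n reserves
# 0xFF (127 with the high bit set) as the HT PHY BSS membership selector, not a rate.
HT_PHY_SELECTOR = 0xFF

def decode_rate(value):
    """Turn one raw Supported Rates byte into a WLC-style token, e.g. 139 -> '5.5m'."""
    if not 0 <= value <= 255:
        raise ValueError(f"rate byte out of range: {value}")
    if value == HT_PHY_SELECTOR:
        return "HT-selector"
    mandatory = value >= 128
    mbps = (value - 128) / 2 if mandatory else value / 2
    return f"{mbps:g}{'m' if mandatory else 's'}"  # :g prints 5.5 and 6, never 6.0

def decode_rates(raw_bytes):
    """Render a whole rate set the way the debug shows it: '1m,2m,5.5m,11m,6s,...'."""
    return ",".join(decode_rate(v) for v in raw_bytes)

def encode_rates(text):
    """Inverse: parse the debug's token string back into the raw rate bytes."""
    raw = []
    for token in (t.strip() for t in text.split(",")):
        if token == "HT-selector":
            raw.append(HT_PHY_SELECTOR)
            continue
        mbps, flag = float(token[:-1]), token[-1]
        if flag not in "ms" or mbps * 2 != int(mbps * 2):
            raise ValueError(f"bad rate token: {token!r}")
        raw.append(int(mbps * 2) + (128 if flag == "m" else 0))
    return raw

# Constructed sample: the raw bytes behind the rate set shown on the deck's slide
SAMPLE_RATE_BYTES = [0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24, 0x30, 0x48, 0x60, 0x6C]

if __name__ == "__main__":
    print(decode_rates(SAMPLE_RATE_BYTES))
```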
Further troubleshooting
May require Wireless Sniffer or capture at AP Switchport
If not sending Assoc Request, must know why from Client
Try disabling WLAN features to “dumb it down”
[Figure: 802.1X/EAP authentication exchange]
EAPOL-START
EAP-ID-Request
EAP-ID-Response
RADIUS (EAP-ID-Response)
RADIUS Access-Accept
EAP-Success
(Key)
The supplicant derives the session key from the user password or session certificate and the authentication key exchange.
WPA2-AES-802.1X
Sending Assoc Response to station on BSSID 00:26:cb:94:44:c0 (status 0) ApVapId 1 Slot 0
***OR***
Processing Access-Reject for mobile 00:16:ea:b2:04:36
EAP type codes seen in the debug:
2 – Notification
6 – Generic Token
13 – EAP TLS
17 – LEAP
18 – EAP SIM
21 – EAP TTLS
25 – PEAP
43 – EAP-FAST
Further Troubleshooting
Debug aaa [all/event/detail/packet] enable
Debug dot1x [aaa/packet] enable
Client State = “DHCP_REQD”
Client is in the DHCP_REQD state until its IP address is learned
32.151: 00:16:ea:b2:04:36 DHCP received op BOOTREQUEST (1) (len 312,vlan 0, port 29, encap 0xec03)
32.151: 00:16:ea:b2:04:36 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
32.151: 00:16:ea:b2:04:36 DHCP selected relay 1 - 10.10.1.1
(local address 10.10.1.4, gateway 10.10.1.1, VLAN 0, port 29)
32.151: 00:16:ea:b2:04:36 DHCP transmitting DHCP DISCOVER (1)
32.151: 00:16:ea:b2:04:36 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
32.151: 00:16:ea:b2:04:36 DHCP xid: 0x91014db0 (2432781744), secs: 0, flags: 0
32.152: 00:16:ea:b2:04:36 DHCP chaddr: 00:16:ea:b2:04:36
32.152: 00:16:ea:b2:04:36 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
32.152: 00:16:ea:b2:04:36 DHCP siaddr: 0.0.0.0, giaddr: 10.10.1.4
32.152: 00:16:ea:b2:04:36 DHCP requested ip: 10.99.76.147
32.152: 00:16:ea:b2:04:36 DHCP sending REQUEST to 10.10.1.1 (len 346, port 29, vlan 0)
32.152: 00:16:ea:b2:04:36 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.1.4 VLAN: 0
32.152: 00:16:ea:b2:04:36 DHCP selected relay 2 - NONE
*00:16:ea:b2:04:36 DHCP received op BOOTREQUEST (1) (len 312,vlan 0, port 29, encap 0xec03)
*00:16:ea:b2:04:36 DHCP processing DHCP DISCOVER (1)
*00:16:ea:b2:04:36 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*00:16:ea:b2:04:36 DHCP xid: 0x18a596d9 (413505241), secs: 1024, flags: 0
*00:16:ea:b2:04:36 DHCP chaddr: 00:16:ea:b2:04:36
*00:16:ea:b2:04:36 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*00:16:ea:b2:04:36 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*00:16:ea:b2:04:36 DHCP requested ip: 10.10.3.86
*00:16:ea:b2:04:36 DHCP successfully bridged packet to DS
*00:16:ea:b2:04:36 DHCP received op BOOTREPLY (2) (len 308,vlan 3, port 29, encap 0xec00)
*00:16:ea:b2:04:36 DHCP processing DHCP OFFER (2)
*00:16:ea:b2:04:36 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*00:16:ea:b2:04:36 DHCP xid: 0x18a596d9 (413505241), secs: 0, flags: 0
*00:16:ea:b2:04:36 DHCP chaddr: 00:16:ea:b2:04:36
*00:16:ea:b2:04:36 DHCP ciaddr: 0.0.0.0, yiaddr: 10.10.3.86
*00:16:ea:b2:04:36 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*00:16:ea:b2:04:36 DHCP server id: 10.10.3.3 rcvd server id: 10.10.3.3
*00:16:ea:b2:04:36 DHCP successfully bridged packet to STA
*00:16:ea:b2:04:36 DHCP received op BOOTREPLY (2) (len 308,vlan 3, port 29, encap 0xec00)
*00:16:ea:b2:04:36 DHCP processing DHCP ACK (5)
*00:16:ea:b2:04:36 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*00:16:ea:b2:04:36 DHCP xid: 0x18a596d9 (413505241), secs: 0, flags: 0
*00:16:ea:b2:04:36 DHCP chaddr: 00:16:ea:b2:04:36
*00:16:ea:b2:04:36 DHCP ciaddr: 0.0.0.0, yiaddr: 10.10.3.86
*00:16:ea:b2:04:36 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*00:16:ea:b2:04:36 DHCP server id: 10.10.3.3 rcvd server id: 10.10.3.3
*00:16:ea:b2:04:36 10.10.3.86 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*00:16:ea:b2:04:36 Assigning Address 10.10.3.86 to mobile
*00:16:ea:b2:04:36 DHCP successfully bridged packet to STA
*00:16:ea:b2:04:36 10.10.3.86 Added NPU entry of type 1, dtlFlags 0x0
Client State = “WEBAUTH_REQD”
Client is in the WEBAUTH_REQD state
[Figure: packet capture of the webauth redirect]
WLC responding with SYN, ACK
Redirect to the virtual interface comes from here
WLC responding with SYN, ACK
Client is talking to webauth
If it is proven that the client sends a TCP SYN and the WLC does not reply with SYN, ACK, then there may be a WLC-side problem
Debug webauth enable <client ip address>
debug client <MAC Address>
debug pm ssh-appgw enable
debug pm ssh-tcp enable
Client Debug - Run (client deletion events: session timeout, manual deauth, authentication timeout)
Session Timeout
Occurs at scheduled duration (default 1800 seconds)
Will force WEBAUTH user to WEBAUTH again
apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1e:8c:0f:a4:57 on AP 00:26:cb:94:44:c0 from Associated to Disassociated
Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
Sent Deauthenticate to mobile on BSSID 00:26:cb:94:44:c0 slot 0(caller apf_ms.c:5094)
Manual Deauth
From GUI: Remove Client
From CLI: config client deauthenticate <mac address>
apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1
Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1e:8c:0f:a4:57 on AP 00:26:cb:94:44:c0 from Associated to Disassociated
Sent Deauthenticate to mobile on BSSID 00:26:cb:94:44:c0 slot 0(caller apf_ms.c:5094)
Authentication Timeout
Auth or Key Exchange max-retransmissions reached
Retransmit failure for EAPOL-Key M3 to mobile 00:1e:8c:0f:a4:57, retransmit count 3, mscb deauth count 0
Sent Deauthenticate to mobile on BSSID 00:26:cb:94:44:c0 slot 0(caller 1x_ptsm.c:534)
Find All: strings to search for in a client debug
“Association Received” (will also pull reassociations)
“Assoc Resp”
“Access-Reject”
“timeoutEvt”
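A triage pass over raw debug client output, as an added example (not a Cisco tool): it finds the "Find All" strings above together with the DHCP, state-change and expiry lines from the earlier slides, and reports where the client stalled. The sample is a constructed excerpt in the deck's format; the verdict wording is the example's own.

```python
import re
# Triage of raw "debug client" output keyed on the strings the deck says to "Find All",
# plus the DHCP, state-change and expiry lines from its earlier slides. Added example.
EVENT_PATTERNS = {
    "assoc_received":   re.compile(r"Association received"),
    "assoc_response":   re.compile(r"Sending Assoc Response .*\(status (\d+)\)"),
    "access_reject":    re.compile(r"Processing Access-Reject"),
    "timeout":          re.compile(r"timeoutEvt"),
    "eapol_retransmit": re.compile(r"Retransmit failure for EAPOL-Key (M\d)"),
    "dhcp":             re.compile(r"DHCP processing DHCP (\w+) \(\d+\)"),
    "state_change":     re.compile(r"Change state to (\w+) \(\d+\)"),
    "assigned_ip":      re.compile(r"Assigning Address (\S+) to mobile"),
    "deauth_sent":      re.compile(r"Sent Deauthenticate to mobile .*\(caller ([^)]+)\)"),
}
def client_timeline(debug_text):
    """Return (events, verdict); events is a list of (kind, detail) in log order."""
    events = []
    for line in debug_text.splitlines():
        for kind, pattern in EVENT_PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((kind, match.group(1) if match.groups() else None))
                break  # one event per line
    return events, diagnose(events)
def diagnose(events):  # first failing check wins, in the order the deck walks the states
    kinds = {kind for kind, _ in events}
    dhcp_msgs = [detail for kind, detail in events if kind == "dhcp"]
    last_state = next((d for k, d in reversed(events) if k == "state_change"), None)
    if "assoc_received" not in kinds:
        return "no Association Request seen: capture with a wireless sniffer or at the AP switchport"
    if "access_reject" in kinds:
        return "RADIUS Access-Reject: check the AAA server logs and the WLAN's AAA settings"
    if "eapol_retransmit" in kinds:
        return "EAPOL-Key retransmit failure: the client never completed the key handshake"
    if last_state == "RUN" and "assigned_ip" in kinds:
        return "client reached RUN with an IP address"
    if "DISCOVER" in dhcp_msgs and "OFFER" not in dhcp_msgs:
        return "DHCP DISCOVER bridged but no OFFER: check the DHCP server and the dynamic interface VLAN"
    return "incomplete: walk the events in order"
# Constructed excerpt in the deck's debug format (addresses taken from its slides)
SAMPLE_RUN = """\
*00:16:ea:b2:04:36 Association received from mobile on AP 00:26:cb:94:44:c0
*00:16:ea:b2:04:36 Sending Assoc Response to station on BSSID 00:26:cb:94:44:c0 (status 0) ApVapId 1 Slot 0
*00:16:ea:b2:04:36 DHCP processing DHCP DISCOVER (1)
*00:16:ea:b2:04:36 DHCP processing DHCP OFFER (2)
*00:16:ea:b2:04:36 DHCP processing DHCP ACK (5)
*00:16:ea:b2:04:36 10.10.3.86 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*00:16:ea:b2:04:36 Assigning Address 10.10.3.86 to mobile
"""
```

Feed it the saved output of `debug client <mac>`; the events list is the timeline and the verdict is the first check that failed.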
Wireshark Tutorial
Clean Air SE-Connect / AP Sniffer Mode
AP Join
RRM
Multicast/Broadcast
Mobility
VoWiFi
AP discovery of WLC addresses:
Dynamic
  DNS: cisco-capwap-controller.domain
  DHCP: Option 43
Configured (nvram)
  High Availability WLCs – Pri/Sec/Ter/Backup
Last WLC
All WLCs in same mobility group as last WLC
Manual from AP - “capwap ap controller ip address <ip>”
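The DHCP Option 43 method above, as an added example that goes beyond the deck (which only names the option): Cisco lightweight APs expect a vendor-specific payload of sub-option 0xf1, a one-byte length equal to 4 times the controller count, and the controller IPv4 addresses as raw bytes. This encoder/decoder, not Cisco code, builds that hex string and validates a captured one.

```python
# Encoder/decoder for the vendor-specific DHCP Option 43 payload Cisco lightweight APs use
# for WLC discovery: sub-option type 0xf1 (241), length = 4 * number of controllers, then
# each controller IPv4 address as 4 bytes. Added example, not Cisco code; the string it
# produces is the value given to "option 43 hex ..." on an IOS DHCP pool.
import ipaddress

WLC_SUBOPTION = 0xF1

def encode_option43(controllers):
    """Return the option 43 payload as hex, e.g. ['10.10.1.4'] -> 'f1040a0a0104'."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(body) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([WLC_SUBOPTION, len(body)]).hex() + body.hex()

def decode_option43(hexstr):
    """Parse a payload (dotted or plain hex) back into addresses, checking the TLV framing."""
    data = bytes.fromhex(hexstr.replace(".", "").replace(" ", ""))
    if len(data) < 2 or data[0] != WLC_SUBOPTION:
        raise ValueError("payload does not start with sub-option 0xf1")
    length = data[1]
    if length % 4 != 0 or len(data) != 2 + length:
        raise ValueError(f"length byte {length} does not match {len(data) - 2} address bytes")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(2, 2 + length, 4)]

if __name__ == "__main__":
    # Constructed addresses taken from the deck's DHCP debug (relay 10.10.1.4, server 10.10.3.3)
    print(encode_option43(["10.10.1.4", "10.10.3.3"]))
```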
AP - Discover Process
[Figure: discovery exchange; broadcast marked X]
From WLC
Debug mac addr <AP ethernet mac>
Debug capwap [event/error/packet] enable
Debug pm pki enable
Mobility traffic paths
Asymmetric traffic path established (deprecated)
Symmetric traffic path
Best Practices
-67 dBm signal with 20-30% cell overlap
802.11a
CCKM for Fastest Roaming
Avoid designs where the AP is seen at a superb signal but drops off instantly