Ruijie RG-WLAN Troubleshooting Cookbook (V1.0)
Common AC/AP Management-related FAQs
1.1 Does the CAPWAP tunnel support cross-NATnetworking?
Yes, it supports.
If the AP is on the NAT intranet,
You do not need to configure the static IPaddress mapping or port mapping for the AP. You just need to configure thesource IP address conversion to ensure the connectivity between the AP and theAC.
If the AC is on the NAT intranet,
1. On the egressrouter, configure mapping for UDP ports 5246 (control channel) and 5247 (datachannel) with an AC address indicated by option 138.
2. The IP address of the AC (optional 138 IPaddress) on the AP is the public network address of the AC after mapping.
If the AP and the AC are on its own NATintranet, the above three configurations must be met.
1.2 what traffic is need to be allowed to pass thefirewall between the AC and the RADIUS server?
Interaction between the AC and the RADIUSserver is generally based on the RADIUS protocol and SNMP. The ports to beopened are:
RADIUSport: Based on UDP. The default authentication port is 1812 and the defaultaccounting port is 1813, which are both on the RADIUS server.
SNMP port: Based on UDP. The port is 161,which is on the AC.
1.3 How to kick a user offline
Check the user's MAC address:
WS#show ac-con client by-ap-name
Total Sta Num : 4
Cnt STA MACAP NAMEWlanId Radio Id Vlan Id Valid
------ --------------- ----------------------------- --------- --------- ---------
10021.6a99.6c5aBF2_AP_031122091
2701a.04a9.a1b2BF2_AP_062123091
3 0026.c690.0a06 BF7_AP_011122091
4001f.3b3b.b435BF7_AP_011122091
Kick the user offline:
WS(config)#ac-controller
WS(config-ac)#client-kick H.H.H----->H.H.H is the user's MAC address.
Because the client will be automaticallyreconnected, when the show ac-con client by-ap-name command is run after theuser is forced offline, the offline STA is still displayed.
1.4 Where is the ap-config file saved on the AC?
It’s saved in the ap-config.text file in ACflash.
1.5 Does the wireless network supportVLAN-Group?
A VLAN-Group contains multiple VLANs. Byassociating with a VLAN-Group, a WLAN can map to multiple VLANs and VLANs canbe flexibly allocated to STAs connected to the WLAN. The VLANs are allocatedmainly in the following two modes:
After the STA passes the 802.1xauthentication, the authentication server assigns a VLAN for the STA. The STAmust be deployed in the 802.1x authentication mode and the authentication modemust be supported by the authentication server.
The server assigns the VLAN for the STAaccording to the idle status of the address pool.
1.6 How to view the wireless terminal type andoperating system information on the AC?
Enable ip dhcp snooping and run the followingcommand on AC:
ruijie#sh terminal-identifyuser
User entry list: 3
mac-address aging-time terminal-type
-----------------------------------------
68df.ddc7.de5a --:-- XIAOMI PhoneAndroid 4.2
3859.f98b.658b --:-- PC Windows 7
a844.8130.c304 --:-- Nokia PhoneWindows 8
Note: Due to terminalrestrictions, the terminal may not be identified completely correct. When theterminal is connected to the wireless network, a DHCP packet is sent. Thedevice reads the option 60 field in the packet. The field carries the terminaltype information. However, not the DHCP packet of all the terminals carries thefield, and thus the read success rate is not 100%.
1.7 Which of “ap-conf all” and “ap-config name”takes effect first?
The AP configuration under ap-config nametakes effect first. If the AP under ap-config name is not configured, theap-config all configuration takes effect.
1.8 How to fix when the device cannot ping thedomain name?
Supplement the configuration AC(config)#ipname-server 8.8.8.8, which is used to set the DNS domain name for the device.You can modify the configuration based on the actual environment. Ensure thatthe AC normally communicates with the extranet.
1.9 How to delete an offline AP?
Perform the following operation:
Ruijie(config)#no ap-config ap-name1
Ruijie(config)#no ap-config all ----Delete the ap-config of all the offline APs.
Only configurations of offline APs can bedeleted.
1.10 How to configure the location of a fit AP?
Refer to the following configuration:
Ruijie(config)#ap-config 001a.a9bf.ffdc
Ruijie(config-ap)#location meeting room
1.11 How to modify the address used by the AC tocreate the CAPWAP tunnel?
Ruijie(config)#ac-controller
Ruijie(config-ac)#capwap ctrl-ip 2.2.2.2
1.12 How to modify the SSID of the wireless network?
Go to the WLAN configuration mode:
Ruijie(config)#wlan-config 1 ( “1” is the wlansequence)
Ruijie(config-wlan)#ssid yy (yyis the new SSID)
1.13 How to configure the static AP IP address in fitAP mode?
Refer to the command: (when this parameter ismodified, a tunnel is re-created.)
(1) Log on to the APthrough the Console or Telnet port, and enter the global mode (the password is apdebug)to configure the static AP IP address, default route, and AC IP address:
Ruijie(config)#acip ipv41.1.1.1 // Configure the IP address for the AC.
Ruijie(config)#apip ipv4172.16.1.34 255.255.255.0 172.16.1.109
(2) After the tunnelbetween the AP and the AC is created, log on to the AC to configure a static IPaddress for the AP:
Ruijie(config)#ap-config220e
Ruijie(config-ap)#acipipv4 1.1.1.1 ---->Configurethe IP address of the AC.
Ruijie(config-ap)#ipaddress 172.16.1.34 255.255.255.0 172.16.1.109 ---->Configure the IP address, mask, and gateway for theAP. After configuration, the capwap tunnel will be re-created.
The configurations retaineven the AP is restarted.
1.14 How to disable a radio of the AP?
In fat mode, directly go to this radio andshut it down.
Ruijie(config)#interface dot11radio 1/0
Ruijie(config-if-dot11radio 1/0)#shutdown
In fit mode:
Ruijie(config)#ap-config ap-name ---->Go to the AP configuration mode
Ruijie(config-ap)#no enable-radio 1 ---->Disable the radio 1.
1.15 How to disable automatic adjustment for the RRMchannel?
Ruijie(config)#advanced 802.11a channelglobal off
Ruijie(config)#advanced 802.11b channelglobal off
1.16 How to cancel AAA authentication for AC logon when AAAauthentication is enabled on the AC?
You can cancel AAA authentication for AClogon by modifying the configurations.
Ruijie(config)#aaa new-model
Ruijie(config)#aaa authentication loginno-login none ---->Create anAAA logon authentication list named "no-login" and set theconfiguration to none (no authentication).
Ruijie(config)#line con 0
Ruijie(config-line)#login authenticationno-login ---->Apply the no-loginto the console line, which indicates that the AAA authentication is not used.
Ruijie(config-line)#line vty 0 35
Ruijie(config-line)#login authenticationno-login ---->Nopassword is needed for logon through the Telnet port.
1.17 How to configureswitchover of the AC/AP O/E multiplexing interface
1. On AP:
Ruijie(config)#interface gigabitEthernet0/1
Ruijie(config-if-GigabitEthernet 0/1)# media-type baset ---->Enable the electrical interface.
Ruijie(config-if-GigabitEthernet0/1)#media-type basex ---->Enablethe optical interface.
2. On AC:
Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet0/1)#medium-type copper
Ruijie(config-if-GigabitEthernet0/1)#medium-type fiber
Ruijie(config-if-GigabitEthernet 0/1)#end
Ruijie#write
1.18 How to synchronize the AC time to the AP
Ruijie(config)# ap-config AP0001 //Enterthe specified AP configuration mode.
Ruijie(config-ap)# timestamp /ConfigureAP0001 to synchronize the time of the local AC to the AP.
1.19 How to configure daily timed restart for the AP?
To prevent that the network connection isaffected by too large load caused by long-time running of the AP, the dailytimed restart can be set for the AP to ensure the network connection quality.
Configure Ruijie-AP1 to restart the AP at1:00:00 each day on AC:
Ruijie(config)#ap-config Ruijie-AP1
Ruijie(config-ap)#reload at 1:00:00
1.20 How to close the LED indicator of the AP?
(1) Define a schedule session.
AC(config)#schedule session 1
AC(config)#schedule session 1 time-range 1period Sun to Sat time 00:00 to 23:59
(2) Apply the schedule session on the AP
AC(config)#ap-config ap-name
AC(config-ap)#quiet-mode session 1
Daily Device Maintenance
2.1 How to check the number of APs that can besupported by a device?
ruijie#sh ac-config
AC Configuration info:
max_wtp:32
sta_limit:1024
license wtp max:32
license sta max:1024
serial auth :Disable
password auth :Disable
certificate auth :Disable
Bind AP MAC :Disable
AP Priority :Disable
supp_psk_cer :Disable
ac_name:end
ac location :Ruijie_COM
2.2 How to view the MAC address of the AC?
WS6108#sh ac-config
AC State info:
sta_num :0
act_wtp :6
localIpAddr :1.1.1.1
localIpAddr6 :::
usedwtp :6.0(6 normal 0 half 0zero)
remainwtp :42 normal 84 half 634 zero
HWVer :1.01
SWVer :AC_RGOS11.1(5)B7, Release(02231014)
Mac address :5869.6c20.726a
ProductID :WS6108
NETID :9876543210012345
NASID :5869.6c20.726a
For VAC:
WS6108#show member
Systemdescription : WS6108
System MacAddress : 58:69:6C:20:72:6A
2.3 How to fix when the AP management addressis forgotten?
The administrator forgets the management address of WALL-AP but doesnot want to modify the device configurations or the factory settings of thedevice cannot be restored. Thismethod is also applicable for devices with a Console port but cannot be loggedonto through the Console port.
2. Configuration Tips
1. Execute the packetcapture software on a PC to capture packets from the interface of the wired network.
2. Connect the WALL-APcable to the PC and power on the AP.
3. ConfigurationSteps
1. Execute the packetcapture software (using Wireshark for an example) to capture packets from thewired interface.
(1) Select the interface.
(2) Select the wiredinterface of the AP and click Start to capture the packets.
(3) Connect the wiredinterface of the PC to the AP Ethernet port that is not powered on.
(4) Power on the AP toview packets output by the packet capture software on the PC. Pay attention tothe ARP packets.
Because the PC isdirectly connected to the AP, all the ARP packets except those sent by the PCare ARP packets sent by the AP.
(5) After getting the APIP address from the ARP packets, try to log on to the AP through the Telnetport.
(6) The AP may not sendthe ARP resolution packets. In this case, you can use the LLDP packets toobtain the AP management address. The Management Address in the LLDP packets isthe management address of the AP.
(7) If you still cannotlog on to the AP, restore the factory settings of WALL-AP, which results inloss of all configurations. You can try to log on to APs with the Console portfrom a serial port.
It is found thatduring actual packet capture, the AP often does not send the ARP resolutionpackets. In this case, you can use the LLDP packets to obtain the AP managementaddress.
1. The following is apacket capture screenshot:
2. Click to open theLLDP packet. The part in the red frame below is the management address of theAP:
2.4 How to fix when the system can outputinformation but cannot be operated during CRT-based logon through the Consoleport?
1. Symptom
According to the AP320-Iusers, in case of logon through the Console port, there is informationprompted, but no response is returned after Enter is pressed. Besides, nocommand can be entered.
2. NetworkEnvironment
The AP is new and justinstalled. It is logged onto through CRT.
3. TroubleshootingSteps
(1) Check whether the CRTor the HyperTerminal is used. If CRT is used, uncheck CTS/RTS.
(2) If an additionalcable is used, confirm whether the driver is installed correctly.
(3) Change the baud rate.The baud rate for the version 1T8 is 115200 bps.
(4) Change the consolecable and the PC.
4. Solution
Uncheck CTS/RTS.
5. Summary andPrecautions
Summary: Other faultscaused by the CRT traffic control function.
(1) You cannot use CRT tolog on to the console.
(2) After CRT-basedlogon, the operation window is blank, the system outputs no information but thecursor flashes. The system has no response after you press Enter.
(3) After CRT-basedlogon, the operation window is blank, the system outputs no information but thecursor flashes. After you press Enter, the cursor moves but the system stilloutputs no information.
(4) After CRT-basedlogon, the system outputs information, but has no response after your pressEnter and does not allow you to perform any operation.
(5) After HyperTerminal-based logon, the Data Traffic Control in COM attributesettings must be set to None.
2.5 How many APs can different AC Model manage?
A WALL-AP occupies only0.5 license. "<=4000" means up to4,000 WALL-APs are supported.
Run the show ac-c command in AC todisplay license occupation information. The meaning of four, normal, half, andzero is described below.
four: The APoccupies four licenses. Currently, only APs of the model AM5528 and AM5528(ES)occupy four licenses each. APs of the model AM5514 only occupy two licenseseach.
normal: Anordinary AP occupies only one license, including AP220-E, AP320-I, and AP520.
half: AWALL-AP occupies only 0.5 license.
zero: The APoccupies no license. The AP is AP(MAP552(SR)) and APD-M.
2.6 How to view the number of licenses occupied bydifferent AP model on AC?
AC#show ap-config product
ProductID HardwareVersion Count Used Wtp
-------------------- ---------------- -------- --------
AM5528 1.00 245 980.0
AP520 1.00 906 906.0
AP630(IDA) 1.50 33 33.0
AP630(IODA) 1.00 83 83.0
2.7 How to migrate a wireless AC license to anotherdevice (unbinding license)
(1) Upgrade the device version to RGOS 11.1(5)B9 or a later version.
For authentication code:
Run the AC(config)#no set license activation-keycommand to unbind the authorized code. (The activation-key is a 32-bitactivation code.)
For authentication file:
Run the AC#license unbind authorizedfile name command to unbind the authorized file to get the verificationcode.
You can run the show licenseunbind-code or show apmg debug unbind command to display theverification code.
Note: after activationcode of the unbound license is deleted, the license cannot be installed on thedevice again.
(2) Submit the device serial number, thelicense activation code, and verification code on Ruijie authentication system(http://pa.ruijie.com.cn:8001/main_wireless.jsf)to unbind the license on the authorization system. Contact Ruijie TAC toapprove the unbinding.
(3) To bind the license again, submit theserial number of the new device and authorization code to register the license.A new activation code is obtained.
(4) Install the newactivation code to the new AC.
For More details, pleaserefer to WLANLicense Activation Guide:
2.8 Can multiple temporary licenses be imported tothe same device?
You can apply for a temporary license for anAC three times. The application is automatically reviewed and approved. Onlyone temporary license of the same specifications can be imported into an AC.The second license overwrites the first. Multiple temporary licenses ofdifferent specifications can coexist in one AC. For example, when two temporarylicenses can manage 32 APs are applied for the same AC, only one license can beimported to the AC. When a license can manage 32 APs and a license canmanagement 128 APs are applied for the same AC, both licenses can be importedto the AC.
2.9 How to bind a license on VAC
(1) When VAC deployment is not finished yet,the procedure is same to that of normal AC
(2) When VAC deployment is finished, theprocedure is basically the same. Bind the corresponding license authorizationcode to the device according to its serial number.
For authentication code, use set licensecommand to bind the authentication code on main AC.
For authentication files, all theauthorization files must be imported to the main AC and operated by running thefollowing commands.
AC#license auto-installflash: LIC-WLAN-AP-51200000001765223.lic
The authorization files can be automaticallyuploaded.
If the authorization file is operated on thestandby AC, the message "% Can’t execute this command in redundancyslave" is prompted.
(3) AC#license install means that theauthorization file is only installed in this host.
2.10 Will APs go offline immediately if the licenseis unblind from AC?
No. The AP will not go offline unless it goesoffline actively or the AC is restarted. As long as the current AP does notactively go offline and the AC is not restarted, the AP will always be online.
2.11 Will online Aps be kicked offline when thelicenses are insufficient after temporary authorization expires?
No. APs will not be kicked offline due todeletion of temporary or formal authorization. The system judges whether thelicenses are sufficient only when the AP is getting online. APs that go offlineafter authorization expire cannot go online again.
General Wireless Functions
3.1 Wireless Fit AP Deployment
3.1.1 The CAPWAP tunnel cannot be created.
(1) Communication betweenthe AP and the AC is abnormal.
The AP fails to get the IP address.
The AP fails to get the Option 138 field.
The AP fails to ping the AC to create thetunnel.
The CAPWAP UDP ports 5246 and 5247 arediscarded or filtered out by an intermediate device.
(2) The AC and AP arein abnormal status.
The AP cannot goonline due to a high AC CPU usage.
show cpu
The AC license isinsufficient.
show ac-config
show license
show ap-config summary
The AC and AP versionspan is large (recommend to use same version for AP and AC).
The AP name is notunique.
19 16:37:19: CD-AC4 %APMG-6-AP_ADD: AddAP(1414.4b5d.03af) fail. Online-AP(1414.4b5d.097f) with same name(XS10A4-1) hasexist in this AC
Modifies name of online AP.
Collect the followinginformation and contact Ruijie TAC.
(1) Collect the following information on the AC:
show version
show running
show ac-config
show license
show ap-config summary
show capwap sta
show cpu
show memory
show ip route
show ip interfacebrief
(2) Collect the following information on the AP:
show version
show ap-mode
show capwap sta
show ip route
show log
show capwap clientstate
3.1.2 How to check the reason why the AP is rejectedfrom going online.
When the link is normal and the AC hasreceived the packet from the AP but the capwap tunnel cannot be establishedbetween the AP and the AC, run the show ap-config summary deny-apcommand to display the specific cause or in combination with the logs displayedon the AC.
Ruijie#show ap-config summary deny-ap
Deny ap num: 1
Mac Address AP Name Reason
------------------------------------------------------ -----------------
1414.4b71.98a1 By conflict
By bind-ap-mac //The AP-MAC binding is rejected. The MAC whitelist bind-ap-mac isenabled on the AC but the MAC of this AP does not exist in ap-config.
By wtp-limit //Indicates that the maximum number of online APs has reached. Acommon cause is that the license is insufficient or the maximum number ofonline APs has reached. It is rarely caused by the wtp-limit configuration.
By conflict //Indicates that the AP name conflicts with the MAC name.It is because the AP name has already existed on the AC or other APs of thisMAC are online or configured.
By deny-flag //The AC denies the AP to join it. A common cause is thatdeny-join is configured during networking and debugging.
By ap-auth //Indicates that the AP certification is restricted.Certification by the certificate, serial number or password is enabled on theAC but the AP does not carry any certification information.
By user-class //Indicates the APs belong to different classes. For example,SMB-AP can only access SMB-AC but cannot access ordinary ACs.
By overdue-ap //Indicates the AC has an expired AP. This problem is temporarygenerally. The AC will automatically clears expired APs and then the expiredAPs can join the AC again.
By master-ap-mac //Indicates that the satellite AP does not carry the master AP MAC. Thisproblem is temporary generally and is caused by quick AP join during startup ofthe satellite AP.
By unknown //Indicates an unknown cause.
By radio num //Indicates that interconnection is not supported because the APhas too many RF interfaces. For example, the B7-version AC does not supportAM5528.
By vendor id //Indicates that the interconnection is not supported because theAP of another vendor is used.
By new-ap-limit //Indicates that the number of the new APs reaches the upper limit. Forexample, WS5708 supports up to 100 B9-version APs of wave 2.
By local-limit //Indicates that the number of APs connected to the AC is limited due tothe AC protection in VAC scenario. It is possibly because the switch load isunbalanced or the working ACs are insufficient.
By hot-backup //Indicates a hot-backup limit. For example, the AP uses the APvirtualization technology which does not support the hot-backup function. Buthot-backup is enabled for this AP in the configuration.
By total-ap-num //The total number of APs (online + offline) and AP tunnels has reachedthe upper limit. Delete unwanted offline APs.
By none-radio //The AP is rejected because it does not carry radio. This problemis temporary generally and is caused by quick AP join during startup.
When the packet interaction between the APand the AC is abnormal, capture packets from the intermediate line to locatethe packet loss point and troubleshoot the wired network.
3.1.3 The AC cannot distribute the configuration tothe AP.
[Symptom]
The AC cannot distribute the configuration tothe AP.
[Environment]
The AP goes online to the AC across thepublic network.
[Possible Causes]
(1) The AP does not go online.
(2) The software version conflicts.
(3) The extranet is restricted.
(4) The software has a fault (due to causessuch as large version span).
[troubleshooting Steps]
(1) Remotely view whether the AP version isconsistent with the AC version and whether the AP has gone online successfully.
(2) Run the show ap-conf run commandto check whether the AP has joined the group and whether the active/standbyconfigurations are consistent.
(3) Ping the AP to the AC. If the packagesize is 1500 bytes, the AC cannot be pinged. The dichotomic test result showsthat the maximum package size that can be pinged is 1410 bytes. Modify thecontrol tunnel MTU to 1410 to solve the problem:
ac-controller
capwap ctrl-mtu 1410
[Summary and Precautions]
In the cross-NAT go-online environment, thefollowing problems may occur: the AC configuration cannot be issued, the tunnelcannot be established or is repeatedly established, and the terminal cannot beaccessed. After troubleshooting, check whether the large-package communicationbetween the AP and the AC is normal. For repeated tunnel establishment, checkwhether the NAT entry aging time of the egress is too short by testing the tunnelkeepalive time.
3.1.4 In the cross-public-network scenario, only partof APs can go online on the AC.
[Symptom]
In cross-public-network mode, only part ofAPs can go online on the AC.
[Troubleshooting Steps]
(1) Check the network topology, wireless configurationand version.
A. Deploy the APs and the AC (a single AC, noactive-standby ACs) across the public network. In hot-backup mode, checkwhether configurations of the active and standby ACs are the same.Configurations of normal APs and failed APs are exactly the same and the bind-ap-macconfiguration is not set.
B. Requests of local users are locallyforwarded, and gateway of APs and wireless users and the DHCP address pool areon the local aggregation switch. Troubleshot the local device.
C. The AC, normal APs and abnormal APs areall of the latest version, and online APs are of the same model. It means thatthe problem is not caused by the version and public network line of thecarrier.
(2) Log on to the failed AP to check the APmode and confirm whether any IP address is obtained. Check whether the largepacket can be communicated on the tunnel used for the AP to ping the AC.
Onsite check finds that the failed APs are infit mode, the IP address can be obtained, and the large packet can be communicatedon the tunnel.
(3) After check, we do not find anyconfiguration difference between the access switch and the normal and failed APinterfaces, and the switch is in normal status.
(4) Collect logs and debugs on the failed APsand the AC.
The failed APs are always sending discoveryrequest packets. However, after the show capwap statistics command isrun on the AC, the number of received discovery request packets does notincrease. It is suspected that the discovery request packets are discarded byintermediate link. Since the APs go online cross the public network and thereare normal and failed APs, the problem is not caused by the public networkline. It may be caused by the local device.
(5) Check the local device topology, egressEG, aggregation switch, access AC, and APs and capture packets at the uplinkinterface of the aggregation switch. Discovery request packets of failed APsare found. It is suspected that the packets are discarded at the egress EGdevice. Because we cannot directly capture packets for analysis at the egress,it is suspected that the application cannot identify the packets or the packetsare discarded because traffic of packets from the APs to the AC is too large,and thus some tunnels between APs and the AC cannot be created.
(6) Add the AP network segment to the egressdevice free of auditing and flow control, and place resources of users at thissegment to the EG key channel for preferential forwarding. The test resultshows that the failed APs can go online normally. After the resources are movedout of the key channel, the APs go offline after a period of time and cannot goonline again.
[Cause]
Traffic on the key channel of the egresstraffic control device is too large and thus the interaction packet forcreating a tunnel between the AP and the AC is discarded.
[Solution]
Add traffic in the AP IP address segment tothe key channel of EG egress, to ensure that the AP packets are preferentiallyforwarded.
[Other Operation Commands]
Ø On the AC, run the debug apmgjoin command to check whether the discovery request packet is received.
Ø On the AP, run the debugcapwap client fsm command to check whether the packet is successfully sent.
Ø On the AP, run the debugcapwap packet command to check whether the discover response packet isreceived. The prompt is displayed later.
If no response packet is received, run thefollowing command on the AC:
debug efmp packet filter ipv4_sport range 5246 5247 counter30
Ø If the AP tunnel cannot becreated, run the following command on the AC to see whether a prompt isdisplayed:
debug efmp packet filter ipv4_sip host AP IP address ipv4_sport eq
10000 counter 10
run-system-shell
dmesg
Ø On the AC, run the show capwap aptunnel id detail command to see the following information:
If the data port changes frequently, thetraffic table is aging. You are recommended to adjust the channel keepalivetime to a smaller value.
ap-config xxx
echo-interval xx (default: 30s; minimum:5s; maximum: 255s)
3.1.5 The AC and AP versions are the same but the AP cannotgo online on the AC and the progress stops at Join.
[Symptom]
The AC and AP versions are the same but theAP cannot go online on the AC.
[Analysis]
1. View the log to check the CAPWAP tunnel status of the AP. The resultshows the AP has communicated with the AC and its status after the join statusis:
DTLS Teardown;
*Jan1 00:01:10: %CAPWAP-6-STATE_CHANGE:(peer - 1) [1.1.1.1] capwap state changed, from <DTLS Setup> to<Join>
*Jan1 00:01:10: %CAPWAP-6-STATE_CHANGE:(peer - 1) [1.1.1.1] capwap state changed, from <Join> to <DTLSTearDown>
2. After confirming the link between the ACand the AP is normal, run the show ap-config summary deny-ap command.The result shows that the fault reason is "By conflict", which meansthe AP name is not unique in the system and thus the AP cannot join the AC.
3. After you restore the default settings ofthe AP or change its name, the AP goes online successfully.
[Summary]
During the go-online process of the AP, theCAPWAP tunnel status is idle-->discover-->DTLS Setup-->Join-->config-->DataCheck-->Run respectively. When the CAPWAP tunnel reaches the Run status, theAP has gone online successfully.
If the progress stops when the CAPWAP tunnelreaches the Join status, run the show ap-config summary deny-ap commandto display the reason for access denying (the reason is not displayed when theAC version is 11.x and the AP version is 10.x due to a large version span).
The following are common causes for that theprogress stops when the CAPWAP tunnel reaches the Join status:
(1) The AP name conflicts.
(2) The versions are inconsistent.
(3) The license is incorrect.
(4) The line has a fault.
(5) The AC has security restrictions, forexample, bind-ap-mac.
3.1.6 An offline AP is still displayed as"Online" on the AC.
[Symptom]
An offline AP is still displayed as"Online" on the AC.
[Analysis]
(1) Run the show run and showap-configrun commands to display the configuration and check whetherecho-interval is changed. (The default value is 30s.)
2. The result shows that the parameter valueis still the default value. On the AC, run the show capwap index detailcommand several times. The keepalive value remains unchanged. It is suspectedthat the AP status is not updated on the AC because the keepalive function isdisabled. Run the show capwap [ip addr] detail | inc Echo command. Theresult shows that the echo-interval is 0s.
AC-branch(config-ap)#show capwap10.121.121.129 detail | in Echo
Echo interval is 0 secs, Dead interval is 0secs Expire 4294967237 secs
3. Run the show cli record command todisplay the AC historical command records. The result shows that echo-intervaldisable is set for the AP-Group of the AP. Delete the configuration, theproblem is solved.
[Summary]
This fault is caused by incorrectconfiguration of the hidden command. echo-interval disable is used to disablethe echo function of the CAPWAP tunnel. After configuration, the AP echofunction is disabled and the status of the AP is still displayed as"Run" after the AP goes offline. Besides, echo-interval disable is notdisplayed in the show run command.
The default echo interval between an AP andan AC is 30s. If the AC does not receive any echo packet from the AP within30s, the AP goes offline.
The AP keeps alive the tunnel by sending anecho request every 30s. After receiving the echo request, the AC sends an echoresponse. If receiving no echo response within a certain period of time, the APresends the echo request. The first retransmit starts at the 3rd second. Whenthe time reaches the half of the echo interval, the AP deems that the tunnel isdisconnected. The AP performs five retransmits within the 30s echo interval,that is, the 3rd second, 6th second, 12th second, 15th second, and 15th second.
Even if the echointerval is changed to another value, the calculation method for the retransmittime and count is still the same. The echo interval range is 5-255s, which isconfigured by the echo-interval *command in AP or AP group configuration mode.
3.1.7 Most APs cannot go online, online APs often gooffline and the tunnel status frequently changes.
I. Symptom
Most APs cannot go online, online APs oftengo offline and the tunnel status frequently changes.
II. Troubleshooting Steps
(1) Check the network topology, wirelessconfiguration, version, and log.
The version configurations are consistent.
Oct 16 00:24:27: %CAPWAP-5-RETRANS_MAX: (*2)(peer - 47) [172.17.6.30 : 10000] reach maximum retransmit count [5], msg is[configuration update request], seq is [1], elem length is [34].
Oct 16 00:24:27: %CAPWAP-6-PEER_NOTIFY_DOWN:(*2) Peer <172.17.6.30 : 10000 : 5869.6cea.d18d> DOWN, reason<Retransmit MAX>.
The intermediateline may have a fault.
(2) Log on to the failed AP to check the APmode and confirm whether any IP address is obtained. Check whether the largepacket can be communicated on the tunnel used for the AP to ping the AC.
Packet loss is rare during AC ping on the AP.The intermediate line may have a loop or thebroadcast traffic is too large.
(3) Log on to the AC and run the clearcounters command to clear the interface traffic statistics. After showint counters summary is collected for three consecutive times, thebroadcast packets at the interconnected interface increases quickly, as shownin the following figure:
(4) Log on to the interconnected core devicesand run the clear counters command to clear the interface trafficstatistics. After show int counters summary is collected for threeconsecutive times, the following figures are displayed:
A great amount of broadcast packets increaseat the Te1/3/20, indicating that a loop may exist.
(5) After confirming that the deviceconnected to the Te1/3/20 interface is the AP of the access switch, down theTe1/3/20 interface to check whether all the APs under the Te1/3/20 interface goonline one after another and the network is recovered.
(6) Log on to the access switch and enableRLDP. It is found that one interface is in down state. Check connection statusof the associated device. The result shows that the switch is a private switchand has a loop.
III. Cause
The switch connected to the access switch hasa loop at a single port.
IV. Solution
shutdown the loop interface.
V. Summary
(1) When a tunnel cannot be established or isestablished repeatedly for some APs, a loop may exist. Even if no loop exists,packet loss is impossible when you ping the AC on the AP.
(2) After a similar fault occurs, check thefault scope and active-standby configuration consistency.
(3) If the load balancing policy isincorrectly configured in VAC, the AP may often go online and offlinefrequently or cannot go online.
(4) In case a loop exists, enable the treegeneration or RLDP function and query the switch logs to check the informationof the failed port having the loop.
3.1.8 Troubleshooting Method and Fault InformationCollection for Tunnel Establishment Failure Due to the AP Fault
Troubleshooting Method and FaultInformation Collection for Tunnel Establishment Failure Due to the AP Fault
(1) Check the module and version of the APand AC, and networking topology and solution.
(2) Run the following command to checkwhether the communication on loopback0 (or capwap ctrl-ip x.x.x.x) between theAP and the AC is normal:
(3) Check the logs on the AP and AC andcollect the debug information about the AP and AC.
Log on to the AP:
show log //Collects the APlogs.
more ap_down.txt //Displaysthe cause for AP offline.
show capwapstatistic //Collects the AP tunnel establishment statusinformation. The information can be collected for multiple times, up toconsecutive three times.
show capwap client state
//When the AP does not identify efmp, enabledebug efmp for the run-system-shell configuration.
run-system-shell cd sbin
./efmp_demo &
exit
Collect the Debug Information
terminal monitor
debug capwap client fsm
debug capwap packet
debug efmp packet filter ipv4_sport range5246 5247 count 30
Log on to the AC:
show log
show ap-config summary deny-ap
terminal monitor
debug capwap [apip] packet
debug apmg join
debug efmp packet filter ipv4_sport eq 5247ipv4_sip host [apip] count 10
(4) If no log or debug information isreturned from the device end, troubleshoot the intermediate line. Run the tracerouteip tunnel ip source [apip] command to trace the tunnel IP address recordroute on the AP to view which devices the AP packet has passed.
(5) Perform segmented packet capturing in thedichotomic method to check the sending and receiving of the packet that is usedfor establishing a tunnel between the AP and the AC and locate the packet losspoint.
3.1.9 Can the AP and the user be in the same VLAN in thefit AP local forwarding mode?
Yes. The following configurations must beset:
Ruijie(config)# ap-config ap-name
Ruijie(config-ap)# ap-vlan vlan-id (Thevlan-id must be the ID of VLAN of the AP and wireless user and must beconfigured; otherwise, the wireless user cannot obtain the IP address.)
ap-vlan command parsing: In local forwarding mode, the vlan-id configured by this commandmust be same to that allocated by STA. The actual VLAN of STA is assigned bythe access switch of the AP instead of the VLAN configured by this command orassigned by the vlan-group. If the ap-vlan command is not configured, VLAN 1 isused by default.
Note: In localforwarding mode, even when the wireless user resides on VLAN 1, ap-vlan id mustbe configured on the AP. Otherwise, the wireless user can obtain the IP addressof the AP network segment but cannot obtain the IP address of VLAN 1.
3.1.10 How to check whether the forwarding mode is local forwarding on theAP?
Run the following command on AP 11.x:
Ruijie#debug fwd dump-mode
wlan 1 tunnel local
Besides, you can query the MAC address tableof the connected AP interface on the access switch of the AP. In localforwarding mode, the MAC address table of the wireless user is displayed.
3.1.11 When the wireless user resides on VLAN 1 while the AP resides onanother VLAN in local forwarding mode, the IP address of the AP VLAN isobtained by the wireless user?
When the wireless user resides on VLAN 1 inlocal forwarding mode, the ap-vlan of the AP must be configured on the AC.
Ruijie(config)#ap-config 5869.6c84.b278 ---5869.6c84.b278 is the AP name.
Ruijie(config-ap)#ap-vlan 11 ---11is the AP VLAN ID.
3.2 Wireless Security Functions
3.2.1 Will own Ruijie APs be countered if the wirelessAP countering is enabled?
No in fit mode but yes in fat mode.
The becon frame contains a friendly flagwhich is used to judge whether the AP is a friendly AP. If the APs are all associated with the Ruijie AC,the friendly flags are the same by default, and Ruijie APs are not countered.When the friendly flags are modified to be different, countering is enabled forAPs on Ruijie AC. By default, the friendly flag for allRuijie APs is the same and thus Ruijie APs are not deemed as rogue APs. Theconfiguration method of the friendly flag is as follows:
3.2.2 How to display rogue APs?
Run the showwids detected rogue ap command.
3.2.3 How to display all SSID in the environment?
Run the show wids detectedall command.
3.2.4 How to judge whether an AP is under countering?
1. Symptom
Users in Building 12 in old campus cannot beassociated with China UNICOM-WLAN SSID. Users associated with this SSID areoften disconnected and cannot visit the Internet.
Onsite Problem Locating:
In the dormitory with poor user experience,we found that after the computer is connected to China UNICOM-WLAN SSID, theSSID signal often disappears, the ping packet loss rate is high, and thecomputer is often disconnected from the Internet.
2. Possible Cause
The AP countering function is configured.
3.Troubleshooting Steps
We used a professional tool (Ominpeek) tocapture packets in the corridor on the second floor. A great amount ofdeauthentication (Deauth) packets were found, as shown in Figure 1. We locatedthe AP (MAC address: 9614 4B1B 34FA) of the broadcast Deauth packet and foundthat it is an AP of China Unicom. After searching on the AC, we found that thei-Share AP was deployed here, covering the surrounding six rooms. But the logshows that the AP does not send any Deauth packet. Then it is confirmed that itis not this AP that sends the invalid Deauth packet.
After analysis, we suspected that there was arogue AP. The rogue AP sent dissociated Deauth packets to the associated usersin the name of China UNICOM AP, as shown in Figure 2. According to signal strengthcomparison, the signal strength of normal packet was about 26%, while that ofthe Deauth packet sent by the rogue AP was 100%, as shown in Figure 3.Therefore, we confirmed the existence of the rogue AP and knew that the rogueAP was close to the test place, resulting in frequent disconnection of userswithin the coverage of this rogue AP from the WLAN.
Figure 1: Too many Deauth packets
Figure 2: The rogue AP broadcasting Deauthpackets in the name of China UNICOM MAC
Figure 3: Signal length of normal packetslower than that of Deauth packets
4. Collecting the Fault Information
Locating the Rogue AP
During onsite survey, we found an AP ofanother carrier near the test place and the data light of this AP flashed veryfast, indicating transmission of a great amount of data. This AP was suspectedto be a rogue AP.
To confirm it, we powered off this AP andcaptured packets at the air interface on site. The result showed that thepercentage of deauth packets decreased immediately from 0.239% to 0.031%, asshown in Figure 4.
Figure 4: Decreasing of deauth packets afterthe rogue AP is powered off
Then, the users can be associated with the APand access the WLAN. No ping packet is lost.
After the carrier's AP is restored, theproblem occurs again. Therefore, it can be confirmed that the carrier's AP is arogue AP and the AP countering function is enabled.
3.3 Wireless Rate Limit Functions
3.3.1 How to display the rate limit configuration
If the AC configuration is as follows:
wlan-config 1 ruijie
wlan-based per-user-limitdown-streams average-data-rate 10 burst-data-rate 10
Method is shown as follow: (same for the ACand the AP)
Command description:
show dot11 ratelimit {wlan | ap | user }
wlan: Indicates displaying all rate limitinformation of all WLANs.
ap: Indicates displaying all rate limitinformation of all APs.
user: Indicates displaying all rate limitinformation of all users.
3.3.2 What is the unit of the rate limit parameter inthe rate limit command?
8 kbps.
For example, to set the download rate to 80kbps, the command is
Ruijie(config-wlan)#wlan-basedper-user-limit down-streams average-data-rate 10 burst-data-rate 10.
3.3.3 Precautions for Rate Limit in Local ForwardingMode
In local forwarding mode, you can only limitthe download traffic but cannot limit the upload traffic from STA to STA,because the traffic from STA to STA passes through the express forwarding pathonly once.
3.3.4 Can rate limit be set for WLAN-based users inlocal forwarding mode?
No. Because rate limit configured by the wlan-basedtotal-user-limit command is realized on the AC, the configuration is onlyapplicable for WLAN-based users in centralized forwarding mode.
3.3.5 Does the AP support multiple rate limits?
AP supports multiple rate limits.
When wlan-based per-ap, ap–based total-user,and netuser are configured simultaneously, the final rate limit is the effectwhen these three configurations take effect at the same time.
3.3.6 Which rate limit mode has a higher priority onthe AC?
The AC supports AP-based, STA-based, andWLAN-based rate limit modes. The modes are described as follows:
(1) The rate limit modes wlan-basedper-user-limit, wlan-based per-ap-limit intelligent, ap-based per-user-limit,ap-based total-limit intelligent, and netuser all function on STA but only oneof them can work on STA at a time. The priority is wlan-based per-user-limit> wlan-based per-ap-limit intelligent > wlan-based per-user-limit >ap-based total-limit intelligent > ap-based per-user-limit.
(2) The rate limit modes wlan-basedtotal-limit, wlan-based per-ap-limit, and ap-based total-limit and theSTA-based rate limit modes function on different objects and thus can takeeffect simultaneously,
3.3.7 What’s intelligent rate limit?
AP in 11.x version supports intelligent ratelimit. When wlan-based per-ap or ap-based total-user intelligent rate limit isconfigured, the AP intelligently assigns the total rate to all online users onaverage.
Command:
wlan-based per-ap-limit { down-streams | up-streams } intelligent
ap-based total-user-limit{ down-streams | up-streams } intelligent
ConfigurationMethod:
Before configuring intelligent rate limit ofa certain range, you need to configure the total rate limit in the range.Currently, the following two intelligent rate limit modes are supported:
In wlan-based per-ap-limit mode, thewlan-based total rate limit is configured for the WLAN of all the APs in theAC. If wlan-based per-ap-limit is configured and intelligent rate limit isenabled, all the APs intelligently allocate the total bandwidth to all the STAsin the WLAN on average.
In ap-based total-user-limit mode, atotal rate limit is configured to the specified AP. If ap-basedtotal-user-limit is configured and intelligent rate limit is enabled, this APintelligently allocates the total bandwidth to all the STAs in this AP.
Example:
(1) When the per-ap-limit downlink rate limitof WLAN 1 on the AC is set to 1000 kbps and the intelligent rate limit isenabled, all the APs associated with WLAN 1 allocate 1000 kbps to all STAs ofWLAN 1 on average. If five STAs are associated with WLAN 1, then the downlinkrate limit is 200 kbps.
Ruijie(config)#wlan-config 1
Ruijie(config-wlan)#wlan-based per-ap-limitdown-streams average-data-rate 1000 burst-data-rate 1000
Ruijie(config-wlan)#wlan-based per-ap-limitdown-streams intelligent
(2) When the ap-based total-user-limit uploadrate limit of AP 320 is set to 500 kbps on the AC and the intelligent ratelimit is enabled, AP 320 allocates the 500 kbps to all STAs of AP 320. If fiveusers are associated with AP 320, the upload rate limit of each user is 100kbps.
Ruijie(config)#ap-config ap320
Ruijie(config-ap)#ap-based total-user-limitup-streams average-data-rate 500 burst-data-rate 500
Ruijie(config-ap)#ap-based total-user-limitup-streams intelligent
3.4 Wireless Web Authentication Functions
3.4.1 How to view the information of authenticatedusers in Web authentication mode?
WS#show web-auth user ?
all Process all users ------Displays allthe authentication users.
escape Web-auth user escape ------Display escaped users who connect WeChat accounts to Wi-Fithrough MCP.
ip User ip address ------Displaysauthentication information of an IP address.
mac User MAC ------Displaysauthentication information of an MAC address.
name User name ------Displaysauthentication information of a user.
3.4.2 How to force a web-auth user offline?
WS#clear web-auth user ?
all Process all users
ip User ip address
mac User MAC
name User name
Note: Before going online, the clearedterminal must be authenticated again.
3.4.3 How to display the HTTP redirectionconfiguration
Ruijie#show http redirect
HTTP redirection settings:
server: 172.20.1.100 // Indicates the IP address of the Portal server.
port: 80
homepage: http://172.20.1.100:8888/eportal/index.jsp //Indicates the authentication homepage URL of the Portal server.
session-limit: 255
timeout: 3
Direct sites:
Address MASK ARPBinding
---------------- ---------------------------
172.18.10.1 255.255.255.255 Off // Indicates that the resourcescan be accessed without authentication.
Direct hosts:
Address Mask Port Binding ARP Binding
---------------------------------------- ---------------- ------------------------
192.168.20.1 255.255.255.255 Off // Indicatesthat users do not to be authenticated.
3.4.4 How to display Web authentication configurations
Ruijie#show web-auth portal
Portal Servers Settings:
------------------------------------------------------------
Ip: 172.18.159.48
Key: ruijie
ref: 2
------------------------------------------------------------
Ip: 172.18.159.46
Key: ruijie
ref: 1
portalv2 list show
------------------------------------------------------------
Ip: 172.18.159.48
port: 50100
ref: 2
URL format: default
Status: Enable
Ip: 172.18.159.46
port: 50100
ref: 1
URL format: default
Status: Enable
3.4.5 How to display the template and port parametersconfigured by the device on the AC?
WS#sh web-auth template
Name: zzs2
BindMode: ip-mac-mode
Type: v2
Port: 50100
Ip: 2.2.2.2
Url: http://2.2.2.2/eportal/index.jsp
The Portal server uses the local port 50100to monitor and authenticate non-response packets send by the device and uses thetarget port 2000 to send all packets to the authentication device.
NAS uses the local port 2000 to monitor allpackets send by the Portal server and uses the target port 50100 to sendnon-response packets to the Portal server.
3.4.6 How does the traffic Detection of WebAuthentication work
Traffic detection is enabled in Webauthentication mode by default. When a user having passing Web authenticationhas no traffic passing through the device within the specified no trafficperiod, the device deems that the user has gone offline and kicks the user out.
AP 11.x supports global no traffic detection and wlansec no trafficdetection. The wlansec no traffic detection has a higher priority. When wlansecno traffic detection takes effect, global no traffic detection does not takeeffect.
In global no traffic detection mode, if theuser has no traffic in eight hours, the user is kicked off by default. Thecommand is as follows:
Ruijie(config)# offline-detectinterval xx threshold yy
xx indicates the time, which is an integerranging from 1 to 65535, and the unit is minute. The default value is 8 hours.
yy indicates the traffic size, which is aninteger ranging from 0 to 4,294,967,294, and the unit is byte. The defaultvalue is 0.
In wlansec no traffic detection mode, if theuser has no traffic in 15 minutes, the user is kicked off by default. Thecommand is as follows:
The wlansec no trafficdetection has a higher priority. Therefore, usershaving no traffic in 15 minutes are kicked out in 15 minutes by default.
WS(config)#wlansec 7 -------It is the actual authenticatedwlansec serial number.
WS(config-wlansec)#web-auth offline-detect ?
flow Configure no flow threshold
interval Configure no flow interval
3.4.7 Does built-in Web authentication support pushingadvertisement without authentication or pushing advertisement afterauthentication?
No.
3.4.8 Can an account be logged on by only a singleuser in local built-in Web authentication mode?
No. To control the number of simultaneouslogons to the terminal, a separate authentication server should be configuredand the server should support this function.
3.4.9 the traffic keepalive detection is based on theuser MAC address or user name in Web authentication mode?
It is based on the user MAC address.
3.4.10 What are the protocol and port used by wireless second-generationWeb authentication?
The protocol is UDP.
The packet target port of the Portal serveris port 2000, which means that the port used by the AC to send packets is port2000.
3.4.11 Is wireless user data encrypted at the air interface in wireless Webauthentication?
If only Web authentication is enabled, thedata is not encrypted at the air interface. You can configure WPA2 to encryptthe data.
3.4.12 Can the Portal server IP address be configured to a domain name onthe AC?
Yes. The URL should be added to the URLwhitelist. On AC 11.1(5)b8 or a later version, you are recommended to run the free-urlurl xx command to make the configuration in global mode.
For example, run the WS(config)#free-urlurl www.google.com command to add www.google.com in the whitelist.
3.4.13 Does the AC support https redirection and which redirection portneed to be configured?
Currently, only ACs of 11.1(5)B8p3,11.1(5)B9P5, office-wifi and later versions support https redirection. Theredirection ports 433 and 8433 must be configured as follows:
Ruijie(config)#http redirectport 443
Ruijie(config)#http redirectport 8443
3.4.14 If the terminal uses a static IP address in Web authentication mode,can the IP address of the terminal be uploaded to the server?
The AC 11.1(5)b8p3 and later versions allowyou to run the dot1x get-static-ip enable command toupload the static IP address of the wireless terminal to the server.
3.4.15 How to bypass specific devices in Web authentication mode?
In some applications, after connecting to awireless network, users can access some network resources (for example,intranet websites) without authentication. You can run the http redirectdirect-site x.x.x.x command (x.x.x.x is the IP address offree-authenticated resources) to add the IP address of these websites to thefree-authenticated network resource list.
3.4.16 How to fix when “the authentication device does not exist” erroroccurs during Web authentication?
After confirming that the AC is added to theserver and the authentication key configurations are consistent, check whetherthe AC can ping the server and modify the source IP address of the Portalserver and RADIUS server according to actual situation. Add the VLAN of IPaddresses of servers that can be pinged.
Ruijie(config)#ip portal source-interfacevlan 1
Ruijie(config)#ip radius source-interfacevlan 1
3.5 The built-in Portal Web authentication pagecannot pop up?
(1) Communication between the STA and the AC:The STA shall be able to learn the MAC address of the gateway. Run the httpredirect direct-arp command to configure the direct communication ARP.
(2) The built-in portal server monitors port8081 and http redirect port 8081 is configured for the AC by default.The configuration cannot be deleted.
(3) The AC management address cannot beconfigured as free-authenticated address.
3.6 A timeout connection error is reported when thebuilt-in portal web authentication fails.
(1) If the communication between the AC andthe RADIUS server fails, check whether the routes are different becausemultiple IP addresses are set for the RADIUS server.
(2) No AC is added to the RADIUS server.Check whether the SAM is added with an AC.
(3) The RADIUS key configuration isinconsistent. Check whether the SAM is added to the AC for more than two times(the IP address of the uplink interface of the AC is added).
(4) The proxy is enabled for the InternetExplorer but the built-in Portal does not support the proxy. Disable the proxyof the Internet Explorer.
3.6.1 Error code analysis for User Offline in SecondGeneration Web Authentication Mode
01: The user actively goes offline.
02: The port is disconnected. On a wirelessnetwork, STAMG notifies STA to go offline. In this case, contact STAMG owner tolocate the cause.
03: The service is unavailable mainly due toconnection interruption.
04: Idle status times out. The user having notraffic is kicked out.
05: Session times out. The duration reaches.
06: The administrator resets the port or session to kick out usersfrom the RADIUS server, kick out escaped users after restoring the Portalserver, or run the clear command to delete users.
07: The administrator restarts NAS.
08: The port has an error and required tointerrupt the session
09: NAS has an error and requiredinterrupting the session.
10: NAS requires interrupting the session dueto other reasons.
11: NAS is restarted accidentally.
12: NAS thinks there is no need to retain theport and interrupts the session.
13: NAS interrupts the session to allocatethis port.
14: NAS interrupts the session to suspend theport.
15: NAS fails to provide the requiredservice.
16: NAS interrupts the current session to call back the new session.
17: Information entered by the user isincorrect.
18: The host requires interrupting thesession.
103: The IP or MAC address has changed oroccupied.
115: The service is switched over.
122: The traffic is exhausted.
250: The low-traffic user is kicked out. Itis a unique attribute of Ruijie AP and the cause is same to code 4.
500: Authentication times out. The RADIUSauthentication packet is not responded within the time limit. This attribute isavailable for wireless wlog module and will be provided for SNC later.
501: Authentication is denied by the RADIUSserver. This attribute is available for wireless wlog module and will beprovided for SNC later.
502: The number of users on the device hasreached the upper limit. This attribute is available for wireless wlog moduleand will be provided for SNC later.
3.6.2 Definition of errcode in the Portal Protocol
(1) When the Type value is set to 2, inack_challenge:
ErrCode = 0: The AC informs the Portal serverthat the Challenge request is successful.
ErrCode = 1: The AC informs the Portal serverthat the Challenge request is denied because the portal packet has an error orthe user does not exist on the AC.
ErrCode = 2: The AC informs the Portal serverthat the link is created. When another authentication request is sent after theuser has passed authentication, errcode2 is returned.
ErrCode = 3: The AC informs the Portal serverthat a user is being authenticated and the request should be sent later. The AChas sent an authentication request to the RADIUS server but RADIUS server doesnot send response. If the Portal server sends req_challeage during this periodof time, errcode3 is returned.
ErrCode = 4: The AC informs the Portal serverthat the user's Challenge request fails because the AC has an inner error.
Note: When the ErrCode is not 0, see theErrID value to find the cause.
(2) When the Type value is set to 4, inack_auth:
ErrCode = 0: The AC informs the Portal serverthat the user authentication is successful.
ErrCode = 1: The AC informs the Portal serverthat the user authentication request is denied because the portal packet has anerror (due to incorrect req_id or portal attribute) or the RADIUS serverreturns the authentication rejection packet.
ErrCode = 2: The AC informs the Portal serverthat the link has been created.
ErrCode = 3: The AC informs the Portal serverthat a user is being authenticated and the request should be sent later.
ErrCode = 4: The AC informs the Portal serverthat the user's authentication request fails because of an error.
Note: When the ErrCode is not 0, see theErrID value to find the cause.
3.6.3 The URL cannot be redirected
If this problem occurs, check whether theHTTP packet sent by the terminal is intercepted, processed, and redirected bythe AC.
The following are common causes:
(1) The STA cannot access the Internet orcommunication is abnormal. You can add the STA to free-authentication test tocheck whether the terminal can obtain the correct IP address and learn thegateway ARP.
(2) The terminal cannot parse the domain nameor the page cannot be redirected to the entered IP address. For example, if theaccess domain name or IP address is notin the direct-pass list of AC, the domain name must beable to be parsed.
(3) The user is not a free-authenticated user. Packetsof free-authenticated users are certainly not interrupted by the AC.
(4) No user VLAN is configured for the AC andthus the packet is discarded by the AC after it is forwarded to the AC.
(5) An https IP address is entered but httpsredirection is not configured.
(6) The addresses conflict. The terminal ofwhich the IP address is same to that of an online AP but the MAC address isdifferent cannot be redirected. You can run the web-auth sta-preemptionenable command to solve the problem.
(7) The web-auth dhcp-check is configured butip dhcp snooping is not enabled on the AC.
(8) The portal server is not called underwlansec on the AC.
(9) The AC version is too low. Upgrade the ACto the latest version which is available on Ruijie official website.
3.6.4 The Portal page cannot popup.
(1) After obtaining the URL redirected by the AC, the terminal directlyuses the URL to access the Portal page. If the Portal page is not displayed,check the interconnectivity between the terminal and the Portal Server. If theterminal can ping the Portal server, check whether intermediate devices filterout the http packets.
(2) The problem occurs when the parameter orformat of the URL does not conform to the requirement of the Portal Server. Payspecial attention during connection to a third-party server.
Some servers require checking the URLparameter or format, or specify the value of some parameter. Confirm whetherthe parameter or format is supported by the AC and the AC is configuredaccordingly.
3.6.5 The web-authentication user is forced offline.
(1) The dhcp snooping entry shows that theterminal IP address conflicts. Inthis case, authenticated users are forced to go offline.
(2) Different terminals use the same username.
(3) The traffic keepalive time thresholdreaches.
(4) When a user is disconnected from thewireless network for five minutes, the user's Web authentication entry isdeleted by default.
(5) The accounting-update is not enabled orits configuration is different on the AC and the server.
(6) The user is forced by the server to gooffline (due to the RADIUS extended attribute).
3.6.6 Web authentication fails and the server fails toreceive auth_req response packets from the device.
Possible Cause:
The authentication request packet sent by thePortal server does not arrive at the AC and is discarded by intermediatedevices.
Troubleshooting Method:
(1) When packets can be captured, createimages for packets at uplink port of the AC to see whether the authenticationrequest packet arrives at the AC. If not, when auth-req is resent by the Portalserver, the AC returns ack_auth and the error code indicates that the user isbeing authenticated.
(2) The problem is generally because packetsfrom the Portal server are not allowed to pass through due to firewall betweenthe AC and the Portal server.
3.7 Wireless Bridge
3.7.1 How many bridges does AP630 support?
One root AP supports four none-root AP.
3.7.2 Is asso-rssi supported in a bridgingenvironment?
No currently. The processing method inbridging mode is different from that when an ordinary terminal is connected tothe underlying layer. The asso-rssi function is applicable for wireless usersin normal access mode.
3.7.3 How to clear non-root AP configurations?
When the AP is online, run the followingcommand:
ap-config xx
station-role root-ap radio 2
Or
ap-config xx
wds pre-config delete
The command must be run when the AP isonline.
3.7.4 What are precautions for multi-hop bridging?
In multi-hop bridging mode, to guarantee the bridging link quality,channels for each of hops must be different.
For example, set channel 60 for the firsthop, channel 100 for the second hop, and channel 149 for the third hop.
3.7.5 What is the signal strength requirement toguarantee the bridging link and video transmission quality?
Use the multi-hop bridging scenario in AP630series products as an example.
The bridging uplink of the root bridge iscalled as the main link. To ensure the main link stability, the uplink RSSImust be at least 30. The link between the root bridge and a non-rootbridge is called as a single link. To ensure the single link stability, theuplink RSSI must be at least 25. If the signal strength is lower than thespecified value, adjust or change the AP location, to avoid that the videocannot be transmitted due to too low bridging performance caused by weaksignal.
3.7.6 How to fix when modification to the non-root APdo not take effect on the AC?
All the commands for modifying the non-rootbridge configuration take effect only after the wds config commitcommand is run.
In ap-config mode, run the wdsconfig [ clear | commit ] radio radio-id command. The parameters aredescribed below:
clear: Clears WDS configuration that does nottake effect.
commit: Commits WDS configuration that doesnot take effect. After the operation, the bridge is disconnected and thenconnected.
radio radio-id: Indicates the radio IDconfigured on the AC.
If the AP is in non-root mode, its radioenters the wds edit mode. At this time, most of wds commands do not take effectimmediately. You can run the show ap-config wds-config command to display theconfigurations. After confirming that the configurations are correct, run thiscommand to commit the modification.
3.7.7 Is local forwarding mode supported when fitAP630s are bridged? Can multiple VLANs be bridged transparently?
Yes. The root bridge AP and non-root bridge AP must bridge VLANstransparently (run the bridge-vlan x command in ap-config mode).Assuming vlanx and vlany are VLANs required by non-root APs, the configurationmethod is as follows:
ap-config root bridge ap name
bridge-vlan x
bridge-vlan y
exit
ap-config non-root bridge ap name
bridge-vlan x
bridge-vlan y
exit
3.8 Cross-AC Roaming Functions
3.8.1 How to check whether a user is roaming
On the AC, run the show ac-configclient detail command. The user status is Roam.
AC#show ac-config client detaila088.b413.c754
MacAddress :a088.b413.c754
IPAddress :::
WlanId :1
VlanId :111
RoamState :Roam
Associated Ap Information:
APName :AP-01
APIP :192.168.97.10
3.8.2 View all roaming users
Ruijie# show mobility user
STA-MAC IPv4-Address IPv6-Address WLAN TYPE ROC-VLAN RIC-VLAN
-------------- --------------- ----------------------- ------ ------ --------- --------
00:26:0c:ef:6d:12 20.0.0.2 1 LC 2 2
00:40:0c:ef:6d:33 20.0.0.5 2 RIC 3 3
00:40:0c:ef:6d:44 20.0.0.6 3 ROC 2 4
LC indicates users roaming inside the AC. RICindicates users roaming to the AC. ROC indicates users roaming from the AC.
3.8.3 What is Wireless Layer-2 Roaming
Wireless roaming is a process in which awireless client switches from one AP to another AP of the same SSID.
Before and after Layer-2 roaming, the clientresides on the same VLAN and the IP address remains the same.
Layer-2 and Layer-3 roaming in the same ACare enabled by default in Ruijie APs.
3.8.4 What is Wireless Layer-3 Roaming
Wireless roaming is a process in which awireless client switches from one AP to another AP of the same SSID.
Before and after Layer-3 roaming, the clientresides on different VLANs but the IP address remains the same.
Layer-2 and Layer-3 roaming in the same ACare enabled by default in Ruijie APs.
3.8.5 What is Cross-AC Wireless Roaming
Wireless roaming is a process in which a wirelessclient switches from one AP to another AP of the same SSID.
When the two APs are managed by two differentACs, the process in which the wireless user switches from one AP to another APis called as cross-AC roaming.
In cross-ac roaming, a tunnel must be createdbetween the two ACs (home AC and foreign AC) to switch the roamed data.
To enable cross-AC roaming, you must makerelevant configurations on the AC. For details, see Roaming ConfigurationCases.
3.8.6 Does fat AP support Layer-2 roaming?
No.
If all APs are in the same broadcast domainand all downlink clients use the same DHCP server to get the IP address, when aclient is automatically associated with another AP, its effect is similar toroaming. At this time, the STA wireless network is temporarily disconnected andthen reconnected to obtain the IP address. If STA gets the IP address from thesame DHCP, the IP address obtained is same. It seems that the STAroams.
3.8.7 How to confirm whether a wireless usersuccessfully roams?
If a wireless user successfully roams,
(1) The wireless network is notdisconnected.
(2) The user's IP address remainsunchanged.
(3) Only one to two packets are lostduring roaming.
(4) On the AC, run the show ac-configclient detail command. The user status is Roam.
AC#show ac-config client detaila088.b413.c754
MacAddress :a088.b413.c754
IPAddress :::
WlanId :1
VlanId :111
RoamState :Roam
Associated Ap Information:
APName :AP-01
APIP :192.168.97.10
3.8.8 What are precautions for deploying wirelessroaming?
(1) The signal is not interrupted and signalbetween APs overlaps each other.
(2) The AP power must be appropriate.
(3) The adjacent AP channels must bedifferent to avoid same frequency interference and packet loss.
(4) Move the wireless client during roamingtest. Roaming fails when the AP is closed.
(5) Set the roaming aggressiveness of wireless NIC to the maximum.
3.8.9 How to reduce the client roaming frequency?
Client roaming depends on the signal strengthenand the distance between the client and the AP. There are two methods to adjustthe client roaming frequency:
(1) Adjust the wireless transmit power of theAP.
(2) Adjust the roaming aggressiveness ofwireless NIC to a lower value.
3.8.10 Does the STA roam when it switches signal between APs of same SSIDbut different WLAN-IDs?
Yes. The STA can roam in this situation
3.8.11 How to enable Layer-2 roaming on AP version 11.x?
There are two kind of Layer-2 roaming:roaming with roaming table entry and roaming without roaming table entry
In wireless AC 11.1(5)b8 and later versions,no Layer-2 roaming entry is generated by default. Which means the roaming userwill be considered as a new user, the user cannot sense the roaming progress.
To generate the roaming entry in specialcases, run the roaming layer2 with-entry command in global configmode.
Case study inwhich Layer-2 roaming is enabled (roaming entry needs to be generated):
Fault symptom: In local forwarding mode,connect the AP to the switch interface and enable Layer-2 roaming. The terminalroams between APs and re-authentication is required each time the terminalroams. When a Huawei wireless network is used, frequent re-authentication doesnot occur.
Fault analysis: Layer-2 roaming is enabledfor Huawei wireless network. After Layer-2 roaming occurs, the data istransmitted to the home AP which contains the user authentication informationat the uplink port. Thus, re-authentication is not required.
Solution: Run the roaming layer2with-entry command in global mode to enable Layer-2 roaming and roamingentry generation for Ruijie APs.
3.8.12 Can Layer-3 roaming be disabled on the AC?
In AP 11.x ( AC 11.1(5)b8 and laterversions), Layer-3 roaming can be disabled by the following command:
ruijie(config)#roaminglocal-unroam Disables Layer-3 roamingin local forwarding mode.
ruijie(config)#roamingcentral-unroam Disables Layer-3 roaming incentralized forwarding mode.
ruijie(config)#no roamingsupport wlan x Disables Layer-3 roaming for a single WLAN.
3.8.13 Which port is used for roaming?
In cross-AC roaming mode, UDP 5248 is used.In local forwarding mode, the UDP 5249 is used. In Layer-3 roaming mode, whendata roams, a virtual tunnel is created between the new AP and old AP, and theUDP 5249 is used.
3.8.14 How to view the roaming trace of terminal of which MAC address isxxx on the AC?
AC# show mobility user roam-track520a.124a.0001
----- ------------------------------- ---------------------
ID AC-Info AP-Info Online-time(d:h:m:s)
----- ------------------------------- ---------------------
1 -HOMEAC- 001a.a94e.d41E/2 0:00:10:49
2 -HOMEAC- 001a.a94e.d42A/2 0:01:38:05
3 -HOMEAC- 001a.a94e.d40d/2 7:02:18:07
Fields are explains as follows:
Field Description
ID Roamingsequence
AC-Info Informationof the AC
AP-Info Informationof the AP
Online-time(d:h:m:s) Onlineduration
3.9 Common 5G Preferential Access Problems
3.9.1 How to check whether the band-select function isenabled
Run the show band-selectconfiguration command to see whether 5G preferential access is enabled.
3.9.2 What are the influences when band-select isconfigured for AP?
AP does not respond to request from 2.4Gfrequency band before identifying STA. Thus, single-band 2.4G STA cannot detectWLAN in two second.
After AP identifies STA, dual-band STA doesnot respond to request of 2.4G frequency band but STA can still detect WLANpassively. In other words, some dual-band STAs can detect WLAN of 2.4Gfrequency band.
After AP identifies STA, dual-band STAresponds to only one of N (which can be configured) authentication requests of2.4G frequency band. Generally, if a dual-band STA detects that WLAN has theBSSID at both the 2.4G frequency band and 5G frequency band, whenre-authentication request at one frequency band is not responded, it will tryanother frequency band. However, some dual-band STAs may always sendauthentication request to the same frequency band. Assuming that a dual-bandSTA sends M authentication requests to 2.4G frequency band before trying 5Gfrequency band, when N is larger than M, the STA can connect to 5G frequencyband; otherwise, the STA connects to 2.4G frequency band. Whichever frequencyband is used, if the dual-band STA try the 2.4G frequency band first, there isalways min (M,N) requests are neglected, resulting in prolonged STA connectiontime. The prolonged STA connection time depend on the STA driver. For example,if STA sends authentication requests at an interval of 00 ms and four authenticationrequests are neglected, the STA connection time is prolonged by 400 ms.
3.9.3 What is the AP action when Band Select (5Gpreferential access) is enabled?
Before STA is identified:
AP does not respond to request of 2.4Gfrequency band.
AP responds to request of 5G frequency band.
After STA is identified:
Single-band 2.4G STA responds to only one ofmultiple requests and can connect to the WLAN.
Single-band 5G STA responds to all requestsand can connect to the WLAN.
Dual-band STA does not respond to request of2.4G frequency band but responds to 5G frequency band. It can connect to WLANof 5G frequency band. It responds to only one of multiple requests from 2.4Gfrequency band and can connect to the WLAN.
3.9.4 Default 5G Preferential Access Parameters
| Parameter | Default Value |
| Band Select | Disabled |
| Acceptable lower limit of STA RSSI | -80 dBm |
| Count of denies request of associating dual-band STA with 2.4G frequency band | 4 |
| Count of restrained STA | 2 |
| Aging scanning period of STA information | 500 ms |
| Aging time of dual-band STA information | 60s |
| Aging time of restrained STA information | 20s |
3.9.5 How to adjust 5G Preferential Access Parameters
Ruijie(config)#band-select acceptable-rssi value //Indicates acceptable lower limit ofSTA RSSI.
Ruijie(config)#band-select probe-count value //Indicates count of restrained STA.
Ruijie(config)#band-select scan-cycle period //Indicates aging scanning period of STAinformation.
Ruijie(config)#band-select age-out dual-band value //Indicates aging time of dual-band STAinformation.
Ruijie(config)#band-select age-out suppression value //Indicates aging time ofrestrained STA information.
3.10 Wireless Load Balancing
3.10.1 How to View the Flow Balancing Group
Run the show ac-config flow-balance summarycommand to display the flow balancing group.
3.10.2 How to enable the flow-based load Balancing in local forwardingscenario?
In local forwarding mode, you can run thefollowing command to enable flow balancing:
Ruijie(config-ac)#flow-balance-groupradio-flow ?//Indicates the flow information of the flow balancing groupreported by AP.
WORD Flow balance group name
Data packets in local forwarding mode do notpass through the AC and thus the AC cannot get the flow information. Loadbalancing must be judged by the traffic information reported by AP.
3.10.3 How many load balancing groups can an AC support now?
Up to 80 number-based balancing groups and 80flow-based balancing groups.
3.10.4 How many APs at most can each load balancing group support?
10.
3.10.5 How to enable load balancing between AP radios on AC?
Under AP-config mode:
inter-radio-balance flow-balance enable //Based on flow
inter-radio-balance num-balance enable //Basedon the number of users
You can configure the inter-radio loadbalancing parameters (optional) on AC based on actual requirements duringnetwork optimization.
Run the inter-radio-balance flow-balancedual-band enable-load en-num threshold thrs-num command to configure theenabling threshold of flow-based load balancing between radios of differentbands. The lower the threshold, the easier the flow balancing can be enabledand the more even the flow is allocated.
Run the inter-radio-balance flow-balancesame-band enable-load en-num threshold thrs-num command to configure theenabling threshold of flow-based load balancing between radios of same band.The lower the threshold, the easier the flow balancing can be enabled and themore even the flow is allocated.
Run the inter-radio-balance num-balancedual-band enable-load en-num threshold thrs-num command to configure theenabling threshold of number-based load balancing between radios of differentbands. The lower the threshold, the easier the flow balancing can be enabledand the more even the flow is allocated.
Run the inter-radio-balance num-balancesame-band enable-load en-num threshold thrs-num command to configure theenabling threshold of number-based load balancing between radios of same band.The lower the threshold, the easier the flow balancing can be enabled and themore even the flow is allocated.
3.11 Common Multicast Problems
3.11.1 How to adjust the wireless multicast packet sending rate
In fat mode:
Ruijie(config)#interface dot11radio 1/0
Ruijie(config-if-Dot11radio 1/0)#mcast_rate54 ----->Adjusts the multicast rate to 54Mbps.
In fit mode:
Ruijie(config)#wlan-conf 1 wireless
Ruijie(config-wlan)#mcast_rate54 ----->Adjusts the multicast rate to 54 Mbps.
3.11.2 Howto configure the multicast-to-unicast function
The multicast-to-unicast function is used tomake multicast video smoother.
Configuration reference:
(1) Enable the multicast routing protocol ina Layer-3 device in the same broadcast domain.
(2)
In fit (ap-config) mode, run the followingcommand:
Ruijie(config)# ip igmpsnooping ----->Enables igmp snooping for all VLANS. Toenable this function for certain VLANs, run the ip igmp snooping vlan 1command.
Ruijie(config)#ap-config xxx
Ruijie(config-ap)# igmp snoopingmcast-to-unicast enable
Ruijie(config-ap)# igmp snoopingmcast-to-unicast group-range ip-addr ip-addr ----->(Optional)Defines the multicast-to-unicast scope.
In fat mode, run the following command:
Ruijie(config)#ip igmpsnooping ----->Enables igmp snooping forall VLANS. To enable this function for certain VLANs, run the ip igmpsnooping vlan 1 command.
Ruijie(config)#ip igmp snoopingmcast-to-unicast enable
3.11.3 Does AC support Layer-3 multicast?
No. But AC can transparently transmit Layer-2multicast packets.
3.11.4 How to check whether CAPWAP multicast is enabled on AC or AP
Ruijie# show ip multicast wlan
Global multicast state: enable // Enablesglobal multicast mode.
Multicast mode:multicast239.0.0.1 // Enables CAPWAP multicast mode.
Thank you. We will inform you of our response as soon as possible. 
