Extreme Wireless Cloud Troubleshooting Student Guide Mar 2020
Isaac de Abreu
Feb 2020
1
Welcome
2
Introductions
3
Lab Topology
VLAN info:
VLAN 1: 172.18.252.0/24
VLAN 2: 10.5.2.1/24 (AP Management) ETH0-4 WAN*
VLAN 8: 10.5.8.1/24 (Guest)
VLAN 10: 10.5.10.1/24 (Employee)
Management VLAN: 2
ETH0-4: 802.1Q Trunk ports
Trunk: all VLANs
Native VLAN: 1
DHCP info (scopes):
172.18.252.0/24
10.5.2.1/24
10.5.8.1/24
10.5.10.1/24
4
Recommended Reading
ISBN-13: 978-1119425786
ISBN-10: 1119425786
5
XIQ Help
6
XIQ Search
7
Troubleshooting Theory and Best Practices
8
Troubleshooting Best Practices (1/2)
Identify the issue by asking questions
9
Troubleshooting Best Practices (2/2)
Identifying the Issue
10
Wi-Fi on the OSI Model
Physical and Data Link Layer
An RF signal starts out as an electrical alternating current (AC) signal that is originally generated by a transmitter. This AC signal is radiated out of an antenna element in the form of an electromagnetic wave. An RF signal is an alternating current (AC) that continuously changes between a positive and negative voltage, which can be represented as a sine wave. An oscillation, or cycle, of this alternating current is defined as a single change from up to down to up, or as a change from positive to negative to positive. All RF signals are defined by various characteristics including wavelength, frequency, amplitude and phase. Phase, frequency and amplitude shifts can all be used by transmitting radios to modulate data.
11
Wi-Fi on the OSI Model
Physical and Data Link Layer
Figure: 802.11 frame – header with MAC addressing, layer 3-7 data, trailer with CRC
12
OSI Model
13
OSI Model
Layers 3-7 (Network, Transport, Session, Presentation, Application): IP address, routing, ports, firewalls
Layers 1-2 (Physical, Data Link) – Wi-Fi: RF and configuration, drivers, WLAN security sessions, WLAN design, VLANs, etc.
14
The client is usually the culprit
15
Upgrade your clients first
Customer is willing to pay $$$ for WLAN infrastructure upgrades but not for
client upgrades?
Sadly… client-side technology updates are slow.
16
But… it’s backward compatible!
17
Upgrade your clients first
http://clients.mikealbano.com
18
Blame
19
Layer 1
70 % of WiFi problems are on this layer:
RF Interference
Client radio and driver problems
Misconfigured client (supplicant) security settings
Power Over Ethernet (PoE)
Firmware issues on Access Points (Bugs)
20
Layer 1
RF Interference
21
Layer 1
PoE Power Budget
22
Layer 1
Bugs
23
Layer 2
Moving up the OSI Model
Roaming problems
Layer 2 retries
Authentication and association problems
24
Layer 2
PSK Authentication Troubleshooting
Passphrase mismatch
PMKs never properly created
4-Way Handshake fails
25
Layer 2
802.1x/EAP
Figure: 802.1X/EAP components – Client, RADIUS server and LDAP directory; EAP runs between the client and the RADIUS server, and a Root CA issues the certificates on each side.
26
Layer 2
802.1X/EAP Troubleshooting
27
Layer 2
802.1X/EAP Troubleshooting
28
Layer 2
802.1X/EAP Troubleshooting
RADIUS LDAP
29
Layer 2
802.1X/EAP Troubleshooting
30
Radius Test Tool
Manage > Tools > Utilities > Radius Test
31
802.1X
Troubleshooting – RADIUS Test Tool Messages
32
Layer 2
802.1X/EAP Troubleshooting
Zone 2 – Supplicant
33
Layer 2
802.1X/EAP Troubleshooting
34
Layer 2
802.1X/EAP Troubleshooting
35
Layer 2
802.1X/EAP Troubleshooting
External RADIUS server could not accept the access request from the client.
Possible causes:
Expired password or user account
Wrong password
User does not exist in LDAP
User authentication or machine authentication
36
Layer 2
Roaming Problems
Figure: client roaming from AP #1 (BSSID #1) to AP #2 (BSSID #2)
Drivers (client problem)
Sticky Problems (bad design)
Layer 3 roaming
38
Layer 2
Fast Secure Roaming
Figure: client roams between APs that share one RADIUS server
39 ©2020 Extreme Networks, Inc. All rights reserved
Layers 3-7
Not a Wi-Fi problem:
Networking problem
Firewall problem
Application problem
40
Client cannot get an IP address
Figure: SSID Teacher – VLAN 5; SSID Student – VLAN 8
Switch (802.1Q, VLANS 2, 8, 10) – Router with IP Helper 10.5.1.10 – DHCP Server 10.5.1.10
DHCP scopes: VLAN 2 - Scope 192.168.20.0/24; VLAN 5 - Scope 192.168.30.0/24; VLAN 8 - Scope 192.168.30.0/24
Client ends up with 169.255.255.202
41
DHCP Probe
Figure: DHCP request answered with a lease offer or a NAK, across Switch (802.1Q, VLANS 2, 8, 10) – Router (IP Helper 10.5.1.10) – DHCP Server 10.5.1.10
42
Opening a support case
43
Opening a Support Case
44
Techdata file
45
Locating the Tech Data
Manage >Tools > Utilities > Get tech data
46
Reboot kernel reports
47
Reboot Reason
Crash time: 1970-01-05_07-32-26(UTC)
reboot reason: hardware watchdog (confirmed)
Image Version: IQEngine 6.4r1 release build2090
Image Build time: Mon Dec 29 09:02:44 UTC 2014
Image Build cookie: 20141228-4478
48
Techdata text file
49
Show log buffer
50
Running config
51
Show Interfaces
52
Show L3 interfaces
53
Connected WIFI clients
54
Show Version
55
Find serial number and mac address
56
Find HiveManager details
57
Interference Alerts
58
Show ACSP neighbor
59
Show IP route
60
Rebooting APs
Rebooting the APs should always be the last resort. Prior to doing that, please do the following to help us gather data:
Check the reboot frequency per day by sorting by uptime
Enable KDDR (enabled by default in XIQ)
Enable Netdumps (necessary for hw watchdog issues)
Collect techdata
61
Netdump XIQ
Manage > Select an AP > Actions > Change Management Status > Update Netdump Settings
62
KDDR XIQ
63
Check the boot parameters
230P-2b66c0#show boot-param
boot parameters:
Device IP: 0.0.0.0
Netmask: 0.0.0.0
TFTP Server IP: 10.10.10.10
Gateway IP: 0.0.0.0
VLAN ID: 0
Native-VLAN ID: 0
Netboot: Disabled
Boot File:
Netdump: Enabled
Netdump File: 02301406190556.netdump
Region Code: World
Country Code: 826
64
Netdump output files
RAM      Platforms
128 MB   AP120, AP121, BR100
256 MB   AP320, AP330, AP170, AP230, BR200
512 MB   AP245X, AP250, AP370
Each Netdump produces a number of 32MB files. The number of files generated varies by device platform and depends on the RAM.
Note: With Netdump enabled, an AP will take longer to reboot while it uploads the files to the TFTP server.
65
Co-operative Control Protocols
66
Cooperative Control
Auto Channel Selection Protocol (ACSP)
67
Cooperative Control
AMRP (Auto Mobility Routing Protocol)
68
Cooperative Control
AMRP (Auto Mobility Routing Protocol)
69
Cooperative Control
AMRP (Auto Mobility Routing Protocol)
APs respond with an encrypted broadcast of whom they have heard.
APs that see their info from other APs know they have a two-way neighbor relationship with each other.
70
View AMRP Neighbors In ExtremeCloud IQ
You can view the AP neighbor information in XIQ from the Maps or Manage
Device lists in Configuration and Manage Views
71
Cooperative Control
AMRP (Auto Mobility Routing Protocol)
APs learn about their neighbors.
AMRP APs communicate with each other using AES encrypted packets.
No tunnels are built or used for cooperative control communication!
72
AMRP Link State Database
Has Links, Allowed VLANs, and Stations
Every AP has an AMRP link state database with a view of all links, allowed VLANs, and attached stations.
Every AP has a consistent view of the database, similar to OSPF. The VLANs permitted on an ethernet backhaul link also help determine if layer 3 roaming needs to be used to preserve the IP address for a station as it roams.
73
AMRP Distributes Roaming Cache Information
Figure: AP1–AP4 and an AAA/RADIUS server
A station connects to AP 1.
AP 1 authenticates the client with 802.1X/EAP to the RADIUS server.
74
Hops: 0
SSID: Corp-Guest
Acct multi session id: 000e3b331047001977700a5454199a3268e3dc24
Additional auth flag: 0x0015
Auth flag: set
CWP flag: set
MAC based auth flag: not set
MDM flag: not set
Disconnected flag: not set
OS Name: Windows 7/Vista
Domain Name:
Mobile device policy original UPID: 88
WPA key mgmt: 2
R0KH: 0000:0000:0000
R0KH IP: 0.0.0.0
PMKR0 Name: 0000*
AUTH UPID: 88
New UPID: -1
VLAN from RADIUS or CWP pass-thru VLAN: -1
MDM enroll status: unknown
MDM compliance status: unknown
MDM client tag:
AirWatch:
Compliant status: Unknown
Original UPID: 0
Original VLAN: 0
AP Roaming Cache Synchronization
Client Details
User Profile – identifies access policy
Operating System
DNS Address and DHCP Lease Info
Voice Enterprise State (802.11r/k/v)
Hostname and Domain Name
IP Address and VLAN
Authentication State for Roaming
PMK (Pairwise Master Key) from RADIUS
Session Time
Captive Web Portal State
Mobile Device Management (MDM) State
76
76
AP Roaming Cache Synchronization
77
Roaming Cache
AP# show roam cache
Roaming Cache Table:
No. Supplicant     Authenticator  Size UID PMK   PMKID Life Age TLC  Hop ALDM FT
--- -------------- -------------- ---- --- ----- ----- ---- --- ---- --- ---- -------
0   80e6:5023:4e78 08ea:447d:0ea8 864  10  c854* 6396* 1800 43  3558 1   YNNN N
1   e0f5:c64a:e025 0019:7745:67e8 864  10  n/a   ef0f* 1800 3   3598 0   YNNN FT8021X
2   502e:5c38:6f3a 0019:7745:67e9 864  10  f59b* 44fa* -1   155 3566 0   YNNN N
78
Roaming Cache Mac Entry
AP# show roam cache mac e0f5:c64a:e025
Cookie Size: 864
Supplicant Address(SPA): e0f5:c64a:e025
User name: user1
User Profile ID: 10
VLAN ID: 10
PMK(1st 2 bytes): n/a
PMKID(1st 2 bytes): n/a
Session time: 1800 seconds
PMK Time left in cache: 3582
PMK age: 139
Roaming cache update interval: 60
last time logout: 149 seconds ago
Authenticator Address: MAC=08ea:447d:0ea8, IP=10.1.1.30
Roaming entry is got from neighbor AP: 08ea:447d:0ea8
PMK is got(Flag): Locally
Station IP address: 10.10.1.27
Station hostname: iPad
Station default gateway: 10.10.1.1
Station DNS server: 10.10.1.1
Station DHCP lease time: 86257 seconds
Hops: 0
SSID: Extreme
Acct multi session id: e0f5c64ae02508ea447d0ea85458735c52a311c3
Additional auth flag: 0x0014
Auth flag: set
CWP flag: not set
MAC based auth flag: not set
MDM flag: not set
Disconnected flag: not set
OS Name: Apple iOS
Domain Name:
Mobile device policy original UPID: 10
WPA key mgmt: 32
R0KH: 0019:7745:67e8
R0KH IP: 10.1.1.28
PMKR0 Name: EF0F*
AUTH UPID: 10
New UPID: -1
VLAN from RADIUS or CWP pass-thru VLAN: -1
MDM enroll status: unknown
MDM compliance status: unknown
MDM client tag:
. . .
79
CAPWAP and Provisioning
80
XIQ Services & Ports
Typically an Extreme device may utilise TCP ports 80, 443, 2083 and UDP port 12222 to communicate with XIQ. However, additional ports may be required for other services.
http://docs.aerohive.com/330000/docs/help/english/ng/Content/reference/services-source-and-destination-ports.htm
81
Some of the Basics
Note
Should any of these be misconfigured, several other items will fail and there may be no
accounting for the events or errors.
82
Device Redirection Services
ExtremeCloud IQ (XIQ)
Figure: (1) the device contacts redirector.aerohive.com; (2) the redirector sends it on to the ExtremeCloud IQ instance that holds its serial number.
Serial numbers must be entered in your XIQ account (APs and Routers).
83
ExtremeCloud IQ
Default provisioning flow
84
CAPWAP Call flow
CW Client → CW Server
Run State: The CAPWAP client sends the CAPWAP server (XIQ) a CAPWAP ping but receives no response within the neighbor-dead-interval.
Idle State: When the client determines its neighbor is dead it transitions from the Run state to the Idle state.
Discovery State: The client transitions to the Discovery state and begins sending Discovery Request messages (broadcast and unicast).
Sulking State: When the client determines its neighbor is dead it transitions from the Run state to the Idle state.
85
CAPWAP Call flow
CW Client → CW Server
Discovery State: The CAPWAP client returns to the Discovery state and sends Discovery Request messages.
The CAPWAP server receives the Discovery Request message and responds with a Discovery Response.
The CAPWAP client and server perform a DTLS (Datagram Transport Layer Security) handshake to establish a secure DTLS connection.
Note: If the Join Response indicates “failure”, the CAPWAP server enters a Reset state and terminates the DTLS session.
86
What if the AP is not connecting to XIQ?
1/4
1 Make sure the AP has an IP address
AH-0168c0#show l3 interface
Name IP Address Mode VLAN MAC State
----------- --------------- -------- ------ -------------- -----
mgt0 172.16.1.36 - 1 9c5d:1201:68c0 U
AH-0168c0#show ip route
Ref=references; Iface=interface;
U=route is up;H=target is a host; G=use gateway;
Destination Gateway Netmask Flags Metric Ref Use Iface
--------------- --------------- --------------- ----- ------ ------ --- -----
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 mgt0
127.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 lo
0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 mgt0
AH-0168c0#ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
64 bytes from 172.16.1.1: icmp_seq=1 ttl=64 time=0.618 ms
87
What if the AP is not connecting to XIQ?
2/4
3 Make sure the AP has DNS server addresses
AH-0168c0#show dns
DNS server configuration:
Domain name suffix:
Primary : 208.67.222.222
Secondary : 208.67.220.220
Tertiary : 0.0.0.0
88
What if the AP is not connecting to XIQ?
3/4
5 Show CAPWAP client
AH-0168c0#show capwap client
CAPWAP client: Enabled
CAPWAP transport mode: UDP
RUN state: Connected securely to the CAPWAP server
CAPWAP client IP: 172.16.1.36
CAPWAP server IP: 54.79.65.29
HiveManager Primary Name:retail-aus-01.aerohive.com
HiveManager Backup Name:
CAPWAP Default Server Name: redirector.aerohive.com
Virtual HiveManager Name: retail_test_2
Server destination Port: 12222
89
What if the AP is not connecting to XIQ?
90
What if the AP is not connecting to XIQ?
Information to send to Extreme Support
AH-0168c0#show log buffered
2016-06-11 12:42:44 info ah_cli: admin:<show log buffered >
2016-06-11 12:42:40 debug capwap: [capwap_info]: Leave the wait send phase state
2016-06-11 12:42:40 debug capwap: [capwap_info]: set timer type is maxdis_timer interval is 10
2016-06-11 12:42:40 debug capwap: [capwap_info]: Enter the wait send phase state: Discovery event: waitting sndpkt timer: maxdis_timer
2016-06-11 12:42:40 debug capwap: [capwap_info]: ah_capwap_idle_timer timed out
2016-06-11 12:42:39 debug capwap: [capwap_info]: IDLE->Leave the Idle State.
2016-06-11 12:42:39 debug capwap: [capwap_info]: set timer type is idle_timerinterval is 1
2016-06-11 12:42:39 debug capwap: [capwap_info]: Clean frag buffer..
2016-06-11 12:42:39 debug capwap: [capwap_info]: IDLE->Enter the Idle State.
2016-06-11 12:42:39 debug capwap: [capwap_info]: START->Leave the Get HM IP State.
Run the following commands in sequence to obtain information to send to Extreme Support:
1. no capwap client enable
2. _debug capwap info
3. logging server 172.16.1.28
4. clear log all
5. capwap client enable
6. show log buffer / collect logs from the server after waiting for a few minutes
7. capwap ping <redirector> and <primary and secondary capwap servers>
8. Check serial numbers
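As an added example (not part of the student guide), the Python helper below parses a pasted “show log buffered” excerpt such as the one above, restores chronological order (the AP prints the newest line first) and pulls out the CAPWAP state transitions, so a discovery loop is visible at a glance. The sample buffer is constructed from the lines above.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "show log buffered" excerpt above (newest line first).
SAMPLE_LOG = """\
2016-06-11 12:42:44 info ah_cli: admin:<show log buffered >
2016-06-11 12:42:40 debug capwap: [capwap_info]: Leave the wait send phase state
2016-06-11 12:42:40 debug capwap: [capwap_info]: set timer type is maxdis_timer interval is 10
2016-06-11 12:42:40 debug capwap: [capwap_info]: Enter the wait send phase state: Discovery event: waitting sndpkt timer: maxdis_timer
2016-06-11 12:42:40 debug capwap: [capwap_info]: ah_capwap_idle_timer timed out
2016-06-11 12:42:39 debug capwap: [capwap_info]: IDLE->Leave the Idle State.
2016-06-11 12:42:39 debug capwap: [capwap_info]: set timer type is idle_timerinterval is 1
2016-06-11 12:42:39 debug capwap: [capwap_info]: Clean frag buffer..
2016-06-11 12:42:39 debug capwap: [capwap_info]: IDLE->Enter the Idle State.
2016-06-11 12:42:39 debug capwap: [capwap_info]: START->Leave the Get HM IP State.
"""

# "<date> <time> <level> <process>: <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) ([\w-]+): (.*)$")
# "Enter the Idle State." / "Leave the wait send phase state: Discovery ..."
STATE_RE = re.compile(r"\b(Enter|Leave) the (.+?) [Ss]tate\b")


def parse_log(text):
    """Parse buffer lines into dicts and return them oldest-first.

    Lines that do not start with a timestamp (wrapped continuations) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "level": m.group(2),
            "proc": m.group(3),
            "msg": m.group(4),
        })
    # The AP prints the newest line first; reversing keeps the relative order
    # of lines that share the same second.
    entries.reverse()
    return entries


def capwap_transitions(entries):
    """Return (time, Enter|Leave, state) tuples for the capwap process, oldest-first."""
    out = []
    for e in entries:
        if e["proc"] != "capwap":
            continue
        m = STATE_RE.search(e["msg"])
        if m:
            out.append((e["ts"].strftime("%H:%M:%S"), m.group(1), m.group(2)))
    return out


def summarize(text):
    """Condense a buffer into the facts worth pasting into a support case."""
    entries = parse_log(text)
    transitions = capwap_transitions(entries)
    capwap_msgs = [e["msg"] for e in entries if e["proc"] == "capwap"]
    return {
        "first_ts": entries[0]["ts"].isoformat() if entries else None,
        "last_ts": entries[-1]["ts"].isoformat() if entries else None,
        "transitions": transitions,
        # Every entry into the Discovery send phase is one more discovery attempt.
        "discovery_attempts": sum(
            1 for m in capwap_msgs if "Enter the wait send phase state: Discovery" in m
        ),
        "last_transition": transitions[-1] if transitions else None,
    }


if __name__ == "__main__":
    for ts, action, state in summarize(SAMPLE_LOG)["transitions"]:
        print(ts, action, state)
```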
91
What if the AP is not connecting to XIQ?
Before escalating to Extreme Support
Verify it is not a network or firewall issue by adding an AP to the XIQ VHM from a network that has no firewall or other restrictions.
You can do this remotely by simply removing one of the APs in your office from your VHM and adding it to the customer's VHM.
If the server is experiencing a technical issue, the AP you add from another network will have the same issue. If not, it is a customer site network issue.
92
CAPWAP
UDP 12222
XIQ will allow Extreme devices to connect on UDP port 12222 for CAPWAP
communication.
CAPWAP on UDP port 12222 is the default behavior for most devices.
93
CAPWAP - UDP 12222
For Layer 2 and Layer 3 firewalls, Aerohive devices need to be able to reach the
following CAPWAP server host names on UDP port 12222:
94
CAPWAP process for XIQ
Figure: CW Master (Redirector) and CW Servers in the Datacenter / Cloud
95
ExtremeCloud IQ in NAM
96
Check tech data
97
Show capwap client
98
Check XIQ Update Errors
99
Device States
100
Device State
New
The serial number of the device has been entered into XIQ and the redirector.
The device has not yet established a CAPWAP connection to XIQ.
101
Device State
Setting Up
102
Device State
Managed
103
Device State
Unmanaged
104
Make sure the DNS resolution is working
redirector.aerohive.com
hmng-prd-va-cwpm-01.aerohive.com
hmng-prd-va-cwps-01.aerohive.com
cloud-va.aerohive.com
105
Capture at the AP will indicate what the failure is
106
DHCP option 43
107
DHCP discover
108
DHCP offer – sub option 225
109
DHCP offer – sub option 226
110
Configuring Windows Server based DHCP server
111
Configuring Windows Server based DHCP server
112
Configuring Windows Server based DHCP server
113
Configuring Windows Server based DHCP server
114
Configuring Windows Server based DHCP server
115
Configuring Windows Server based DHCP server
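Added example (not from the guide or from Extreme's tooling): Python that encodes and decodes the DHCP option 43 sub-option TLVs the slides above refer to. The page names sub-options 225 and 226 only; treating their values as ASCII strings, and the sample values, are assumptions.

```python
# DHCP option 43 (vendor-specific information) carries a sequence of sub-options,
# each encoded as <code><length><value> (RFC 2132 section 8.4). The slides name
# sub-options 225 and 226 but not what they carry, so this example treats both
# as opaque bytes / ASCII strings (assumption).


def encode_option43(suboptions):
    """{code: bytes|str} -> option 43 payload bytes, emitted in ascending code order."""
    out = bytearray()
    for code in sorted(suboptions):
        value = suboptions[code]
        if isinstance(value, str):
            value = value.encode("ascii")
        if not 1 <= code <= 254:          # 0 is pad, 255 is end, neither is a sub-option
            raise ValueError("sub-option code must be 1..254, got %r" % code)
        if len(value) > 255:              # one length byte
            raise ValueError("sub-option %d value too long (%d bytes)" % (code, len(value)))
        out += bytes([code, len(value)]) + value
    return bytes(out)


def decode_option43(payload):
    """option 43 payload bytes -> {code: bytes}; pad (0x00) and end (0xFF) bytes are handled."""
    result = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 255:                   # end marker
            break
        if code == 0:                     # pad byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option %d: length byte missing" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d: expected %d bytes, got %d"
                             % (code, length, len(value)))
        result[code] = value
        i += 2 + length
    return result


def hex_form(payload):
    """Uppercase hex of the payload, for DHCP servers that take binary option values as hex."""
    return payload.hex().upper()


if __name__ == "__main__":
    # Constructed sample values; the real contents of 225/226 are not given on the page.
    sample = encode_option43({225: "hm.example.test", 226: b"\x0a\x05\x01\x0a"})
    print(hex_form(sample))
    print(decode_option43(sample))
```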
116
IQEngine upgrade using device GUI
AH-0168c0#show l3 interface
Name IP Address Mode VLAN MAC State
----------- --------------- -------- ------ -------------- -----
mgt0 172.16.1.36 - 1 9c5d:1201:68c0 U
117
ExtremeCloud IQ software upgrade
1
XIQ uses HTTPS for software downloads. Look in techdata or the log buffer for the log below:
2016-05-17 09:57:20 info ah_cli: admin:<save image https://cloud-va.aerohive.com:443/afs-webapp/IQEngine/images/AP130-6.5r3a.img.S admin VHM-FCZGBGVJ password *** basic no-prompt>
118
XIQ Software Upgrade
119
Configuration Rollback
120
New Configuration Updates
1. Administrator updates the complete or delta configuration of the XIQ APs. A complete configuration is uploaded via SCP; a delta configuration is uploaded via CAPWAP.
2. XIQ sends the New Configuration (NC) update and adds configuration rollback settings to the AP's configuration.
3. The current config (CC) becomes the rollback config (RB) and the new config (NC) is then loaded.
4. If the XIQ AP cannot contact XIQ with CAPWAP after the config update, the XIQ AP will start a 10-minute configuration rollback timer.
5. After the timer expires, the XIQ AP will reboot and use the rollback configuration to regain connectivity back to XIQ.
Figure: New → Current → Rollback configuration slots
121
AP Port Types
Configured under ‘Device Templates’
Uplink Port: Use this option when connecting the AP to the WAN.
Access Port: Use this option when the AP is working in client access mode and is connected to a forwarding device like a switch that supports multiple VLANs.
Trunk Port: Use this option when connecting the AP in bridge mode to a forwarding device such as a switch that supports multiple VLANs.
122
Sh Int MGT0
123
Configuration Push successful?
124
Successful Config Push
125
Syslog server
Syslog Server
Having a Syslog server enabled is always a Best Practice.
The Syslog server will be the central point for numerous logs from your network.
Make sure NTP is configured as well.
126
IQAgent Architecture
HiveAgent
127
Switches Automatically Contact XIQ
AP 2 Access Switch
128
Switch Management
129
IQAgent Upgrade
Happens when switch connects to redirector
130
Show XIQ Status
(AH-22081604150072) #show hivemanager status
131
Show Network
Interface Status............................... Up
IP Address..................................... 172.16.1.53
Subnet Mask.................................... 255.255.255.0
Default Gateway................................ 172.16.1.1
IPv6 Administrative Mode....................... Enabled
IPv6 Prefix is ................................ fe80::ba7c:f2ff:fe01:6970/64
Burned In MAC Address.......................... B8:7C:F2:01:69:70
Locally Administered MAC address............... 00:00:00:00:00:00
MAC Address Type............................... Burned In
Configured IPv4 Protocol....................... DHCP
Configured IPv6 Protocol....................... None
IPv6 AutoConfig Mode........................... Disabled
Management VLAN ID............................. 1
132
Restarting IQAgent
133
134
Lab #1:
CAPWAP and Discovery
You are deploying new APs and need to push your StudentX policy to them for the first time. The policy push is failing, and the APs keep going offline.
Your Task: Fix your configuration so that you can successfully push the StudentX policy to your device.
All issues should be fixed from within the StudentX policy for proper evaluation!
135
RF Troubleshooting
136
General Information
Interference % increases when the utilisation (Tx and Rx) of the neighbour on the
same channel increases.
137
General Information
In order to achieve a decent performance you will need to have low channel
utilisation, low retries and high SNR.
138
Common RF Issues
Interference
Mismatch Transmit Power
Near-Far or Hidden Node
139
Layer 2 Retransmissions
CRC passes
Transmitting radio sends a unicast frame
Receiver radio sends L2 ACK frame
The mortal enemy of WLAN performance is layer 2 retransmissions that occur at the MAC sublayer. As you have learned, all unicast 802.11 frames must be acknowledged. If a collision occurs or any portion of a unicast frame is corrupted, the cyclic redundancy check (CRC) will fail and the receiving 802.11 radio will not return an ACK frame to the transmitting 802.11 radio. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted.
Excessive layer 2 retransmissions adversely affect the WLAN in two ways. First, layer 2 retransmissions increase overhead and therefore decrease throughput. Many different factors can affect throughput, including a WLAN environment with abundant layer 2 retransmissions. Second, if application data has to be retransmitted at layer 2, the timely delivery of application traffic becomes delayed or inconsistent. Applications such as VoIP depend on the timely and consistent delivery of the IP packet. Excessive layer 2 retransmissions usually result in latency and jitter problems for time-sensitive applications such as voice and video. When discussing VoIP, latency and jitter often get confused. Latency is the time it takes to deliver a VoIP packet from the source device to the destination device. A delay in the delivery (increased latency) of a VoIP packet due to layer 2 retransmissions can result in echo problems. Jitter is a variation of latency. Jitter measures how much the latency of each packet varies from the average. If all packets travel at exactly the same speed through the network, jitter will be zero. A high variance in the latency (jitter) is the more common result of 802.11 layer 2 retransmissions. Jitter will result in choppy audio communications and reduced battery life for VoWiFi phones.
140
Layer 2 Retransmissions
CRC fails
Transmitting radio sends a unicast frame
No ACK frame sent be receiver
Transmitting radio sends L2 retransmission
141
Layer 2 Retransmissions
Cause
CRC fails
RF interference (Layer 1)
Low SNR (Layer 1) (bad design)
142
Layer 2 Retransmissions
Effect
Latency goes up
143
Adjacent Channel Interference
Figure: 2.4GHz channel layout – APs on Ch 1, Ch 2, Ch 3 and Ch 4 overlapping each other (ACI), compared with Ch 1, Ch 6 and Ch 11
144
Why does ACI Occur?
145
Co-Channel Interference
Figure: several APs on Ch 1 within range of each other (CCI), alongside APs on Ch 6 and Ch 11
146
Why does CCI Occur?
Figure: APs on Ch 1, Ch 6 and Ch 11 – the four Ch 1 APs share one channel and contend with each other
147
Other sources of Interference
802.11 (2.4GHz/5GHz)
Non-802.11 (2.4GHz)
Non-802.11 (5GHz)
148
Interference
Common Issues
149
Interference
Troubleshooting
There are 5 things that need to be checked in order to identify and address this
issue:
150
Interference
Troubleshooting Alarms
151
Interference
Troubleshooting Alarms
“show log buffer” or “show interface wifiX counter” on the CLI window or AP tech-data give you the information in AP logs.
show log buff | include interference -> to filter logs related to interference
2016-06-23 17:33:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:22:32 notice ah_dcd: wifi0: Interference alert raised
2016-06-23 17:21:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:14:32 notice ah_dcd: wifi0: Interference alert raised
2016-06-23 17:11:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:06:32 notice ah_dcd: wifi0: Interference alert raised
If you notice there are many of them, you may need to investigate the RF
environment. You may have co-channel interference or external interference
issues.
The next step is to check the Channel Utilisation (CU).
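As an added example (not from the student guide), here is Python that walks interference-alert lines in the format shown above, pairs each “raised” with its “cleared” to get the duration of every episode, and flags radios that raise the alert repeatedly. The sample lines are constructed from the excerpt above, and the thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, copied from the "show log buff | include interference" excerpt
# above (newest line first, as the AP prints it).
SAMPLE_ALERTS = """\
2016-06-23 17:33:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:22:32 notice ah_dcd: wifi0: Interference alert raised
2016-06-23 17:21:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:14:32 notice ah_dcd: wifi0: Interference alert raised
2016-06-23 17:11:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:06:32 notice ah_dcd: wifi0: Interference alert raised
"""

ALERT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ ah_dcd: (wifi\d): Interference alert (raised|cleared)$"
)


def parse_alerts(text):
    """Return (timestamp, radio, event) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])       # buffer is newest-first; we want oldest-first
    return events


def interference_episodes(text):
    """Pair each 'raised' with the next 'cleared' on the same radio.

    Returns (radio, raised_at, cleared_at, seconds) tuples; an alert still raised
    at the end of the buffer gets cleared_at=None and seconds=None.
    """
    open_alert = {}                        # radio -> timestamp of the open 'raised'
    episodes = []
    for ts, radio, event in parse_alerts(text):
        if event == "raised":
            open_alert.setdefault(radio, ts)   # a repeated 'raised' keeps the first time
        elif radio in open_alert:
            start = open_alert.pop(radio)
            episodes.append((radio, start, ts, int((ts - start).total_seconds())))
    for radio, start in open_alert.items():
        episodes.append((radio, start, None, None))
    return episodes


def radios_to_investigate(episodes, max_raised=2, window=timedelta(hours=1)):
    """Radios that raised the alert more than max_raised times inside any window.

    max_raised and window are illustrative assumptions, not values from the guide.
    """
    by_radio = {}
    for radio, start, _cleared, _secs in episodes:
        by_radio.setdefault(radio, []).append(start)
    flagged = set()
    for radio, starts in by_radio.items():
        starts.sort()
        for i, first in enumerate(starts):
            # alerts raised from this one until the window closes
            n = sum(1 for s in starts[i:] if s - first <= window)
            if n > max_raised:
                flagged.add(radio)
                break
    return sorted(flagged)


if __name__ == "__main__":
    eps = interference_episodes(SAMPLE_ALERTS)
    for radio, start, end, secs in eps:
        print(radio, start.time(), end.time() if end else "still raised", secs)
    print("investigate:", radios_to_investigate(eps))
```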
152
Interference
Troubleshooting Channel Utilisation
153
Interference
Troubleshooting Channel Utilisation
154
Interference
Troubleshooting Channel Utilisation
“show interface wifi0” on the CLI window or AP tech-data gives you channel utilisation information for this particular interface. Check both wifi0 and wifi1 for high total utilisation.
AP-330-1#show Interface wifi0 | in total    (filter the output to show total utilisation)
Tx utilization=2%; Rx utilization=46%; Interference utilization=4%; Total utilization=52%;
155
Interference
Troubleshooting Retransmission
156
Interference
Troubleshooting XIQ Retransmission
157
Interference
Troubleshooting Retransmissions
You can also check the retransmission statistics in tech data or on the CLI.
If you have access to the CLI you can clear the statistics first and check them again: type “clear interface wifi0 counter”, wait for 1 minute, then issue the following command: “show interface wifi0 counter | include retr”.
If the number of retries increases significantly (Tx/Rx or both) there is a strong indication that there is interference.
AP-330-1#clear interface wifi0 counter
AP-330-1#sh int wi0 count | in retr
6 rx Retries
11% rx retry rate
71 tx retries
57 tx retries
17 unicast data tx retries
3 unicast tx retries
37% tx retry rate
36% unicast data tx retry rate
7 too many hw retries
158
Interference
Troubleshooting ACSP Neighbour
“show acsp neighbour” on the CLI window or AP tech-data will display the AP neighbour
information including CU of each neighbour.
#show acsp neighbour
wifi0(5) ACSP neighbor list:
Bssid Mode Ssid/Hive Chan Rssi(dBm) Aerohive AP CU CRC STA Channel-width
885b:dd28:5414 Access idm 1 -43 yes 34 0 0 20
885b:dd28:5415 Access sniff 1 -47 yes 34 0 0 20
c413:e200:3254 Access testdotx 1 -52 yes 12 0 3 20
c413:e200:3255 Access 1111ppsk 1 -51 yes 12 0 3 20
c413:e200:3256 Access chromecast 1 -50 yes 10 0 3 20
c413:e200:3257 Access 2.4GHz 1 -51 yes 12 0 3 20
08ea:4495:dd94 Access idm 1 -42 yes 0 0 1 20
08ea:4495:dd95 Access sniff 1 -43 yes 0 0 1 20
Based on the XIQ and CLI information, there are 2 other APs using the same channel with a very strong signal within the area. This introduces CCI. When users start using the wireless, the Rx and Tx utilisation will increase and the total CU will also be high. This can result in performance issues.
The next step is to check the Spectrum Analysis.
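The three CLI checks above (total utilisation, retry rates after clearing the counters, and the ACSP neighbour list) are easy to eyeball on one AP but tedious across many. The following Python script is an added example, not part of the student guide or of any Extreme Networks tool: it parses constructed copies of the three outputs shown above and flags the CCI pattern the text describes (high total CU, high retry rate, and strong neighbours on the same channel). The way it groups BSSIDs into physical radios (dropping the last hex digit) and the 50% CU, 30% retry and -70 dBm thresholds are assumptions for illustration, not vendor-documented values.

```python
import re
from collections import OrderedDict

# Constructed sample output, modelled on the CLI excerpts in this section.
UTIL_LINE = ("Tx utilization=2%; Rx utilization=46%; "
             "Interference utilization=4%; Total utilization=52%;")

RETRY_OUTPUT = """\
6 rx Retries
11% rx retry rate
71 tx retries
57 tx retries
17 unicast data tx retries
3 unicast tx retries
37% tx retry rate
36% unicast data tx retry rate
7 too many hw retries
"""

# Last row is a constructed non-Aerohive neighbour on another channel, to show filtering.
ACSP_OUTPUT = """\
wifi0(5) ACSP neighbor list:
Bssid Mode Ssid/Hive Chan Rssi(dBm) Aerohive AP CU CRC STA Channel-width
885b:dd28:5414 Access idm 1 -43 yes 34 0 0 20
885b:dd28:5415 Access sniff 1 -47 yes 34 0 0 20
c413:e200:3254 Access testdotx 1 -52 yes 12 0 3 20
c413:e200:3255 Access 1111ppsk 1 -51 yes 12 0 3 20
c413:e200:3256 Access chromecast 1 -50 yes 10 0 3 20
c413:e200:3257 Access 2.4GHz 1 -51 yes 12 0 3 20
08ea:4495:dd94 Access idm 1 -42 yes 0 0 1 20
08ea:4495:dd95 Access sniff 1 -43 yes 0 0 1 20
aabb:ccdd:ee01 Access other 6 -80 no 5 0 2 20
"""


def parse_utilization(line):
    """'show interface wifiX | in total' line -> {'tx': 2, 'rx': 46, 'interference': 4, 'total': 52}."""
    return {m.group(1).lower(): int(m.group(2))
            for m in re.finditer(r"(\w+) utilization=(\d+)%", line)}


def parse_retry_rates(text):
    """Overall rx/tx retry-rate percentages from 'show interface wifiX counter | in retr'."""
    return {m.group(2): int(m.group(1))
            for m in re.finditer(r"(\d+)% (rx|tx) retry rate", text)}


NEIGHBOUR_RE = re.compile(
    r"^([0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\d+)\s+(-?\d+)"
    r"\s+(yes|no)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.IGNORECASE)


def parse_acsp_neighbours(text):
    """Rows of 'show acsp neighbour' as dicts; header and title lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOUR_RE.match(line.strip())
        if m:
            rows.append({"bssid": m.group(1).lower(), "ssid": m.group(3),
                         "chan": int(m.group(4)), "rssi": int(m.group(5)),
                         "aerohive": m.group(6).lower() == "yes",
                         "cu": int(m.group(7)), "sta": int(m.group(9)),
                         "width": int(m.group(10))})
    return rows


def cochannel_radios(rows, my_channel, rssi_threshold=-70):
    """Group BSSIDs into physical radios and keep the ones on my channel that are
    heard strongly enough to contend for airtime (co-channel interference).
    Assumption: the BSSIDs of one radio differ only in the last hex digit."""
    radios = OrderedDict()
    for r in rows:
        if r["chan"] != my_channel or r["rssi"] < rssi_threshold:
            continue
        key = r["bssid"][:-1]
        entry = radios.setdefault(key, {"rssi": r["rssi"], "cu": r["cu"], "ssids": []})
        entry["rssi"] = max(entry["rssi"], r["rssi"])
        entry["ssids"].append(r["ssid"])
    return radios


def diagnose(util, retry_rates, radios, cu_threshold=50, retry_threshold=30):
    """Return human-readable findings; thresholds are illustrative assumptions."""
    findings = []
    if util.get("total", 0) >= cu_threshold:
        findings.append("high channel utilisation: total %d%% (rx %d%%, interference %d%%)"
                        % (util["total"], util.get("rx", 0), util.get("interference", 0)))
    high = {k: v for k, v in retry_rates.items() if v >= retry_threshold}
    if high:
        findings.append("high retry rate: " + ", ".join(
            "%s %d%%" % (k, v) for k, v in sorted(high.items())))
    if radios:
        findings.append("%d strong co-channel radio(s): " % len(radios) + ", ".join(
            "%sx (%d dBm, CU %d%%)" % (k, v["rssi"], v["cu"]) for k, v in radios.items()))
    return findings


if __name__ == "__main__":
    util = parse_utilization(UTIL_LINE)
    rates = parse_retry_rates(RETRY_OUTPUT)
    radios = cochannel_radios(parse_acsp_neighbours(ACSP_OUTPUT), my_channel=1)
    for finding in diagnose(util, rates, radios):
        print("-", finding)
```

Run against the sample it reports all three findings, which is the point of the text: utilisation alone does not tell you whether the airtime is being taken by your own clients or by neighbouring radios; the neighbour list does.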
159 ©2020 Extreme Networks, Inc. All rights reserved
Interference
Troubleshooting Spectrum Analysis
160
Interference
Solution for Co-Channel Interference
Address the AP placements. Tweaking the configuration will not help if the APs
are not placed properly.
Perform a survey and adjust the coverage:
Reduce the ACSP Max Tx power.
Increase the basic data rate. Beacons are sent on the lowest configured basic
data rate. An AP needs to “shout” in order to transmit on a lower data rate, which
creates a big cell. (6, 9, 12-Basic, 18, 24, 36, 48, 54) – these rates work for
most standard deployments.
Eliminate non-802.11 interference sources where possible. This will provide a
cleaner RF environment for the APs to operate in.
Shutting down some 2.4GHz radios may help as well, especially in high density
environments.
Enable DFS to provide more channels in the 5GHz band.
Use 5GHz wherever possible, especially where the 2.4GHz band is crowded. Also
consider dual 5GHz if possible.
161
Interference
Solution for External Interference
162
Mismatch in Tx-Power
AP may not always hear the client, depending on the client’s location.
Client may be forced to use a lower data rate to transmit.
Results in poor performance and network utilization.
The WiFi bar looks full!
Another bad design example!
163
Mismatch in Tx-Power
AP may not always hear the client, depending on the client’s location.
Client may be forced to use a lower data rate to transmit.
The impacts: high Tx-retransmission, higher client airtime, near-far, hidden
node.
164
Mismatch in Tx-Power
165
Mismatch Tx-Power
Reported Issues AP’s Tx Power > Client’s Tx Power
166
Mismatch Tx-Power
Reported Issues AP’s Tx Power < Client’s Tx Power
Dis-associated clients
Packet loss
Poor performance
Roaming issues
Bad voice quality and one way communication
167
Mismatch Tx-Power
Troubleshooting – things to check:
RSSI
Retransmissions
Tx-Power settings
168
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Check Tx / Rx Retries
In this report you can compare the number of Tx and Rx retries on the AP that is
reported to have the issue.
169
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Check Tx / Rx Retries
You can issue the following command on the CLI to check the retransmissions. This
information is also available in the tech data: “show interface wifi1 counter”
In this example the Tx retransmissions are higher than the Rx ones. The next step is to check the AP Tx
Power and the client’s RSSI.
170
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Tx Power Setting
In order to confirm whether the high retransmission is related to
the mismatch issue, check the Tx Power settings, the client’s RSSI
and channel utilisation.
You can issue the following command on the CLI to check
the AP Tx Power (in XIQ: Manage > Devices). This information is also available in the
tech data.
AP-130-01#show acsp
Interface Channel select state Primary channel Channel width Power ctrl state Tx power(dbm)
--------- --------------------- ---------------- ------------- --------------------- -------------
Wifi0 Enable 1 20 Enable 11
Wifi1 Enable 44 40 Disable(User disable) 20
As seen in the above example, the 5GHz Tx Power is set to the maximum (20dBm).
This indicates that the high Tx retries may be related to the mismatched Tx-Power
issue. The next step is to check the client’s RSSI.
171
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Client’s RSSI
On the wireless clients monitor tab you can see the signal strength of the client.
172
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Client’s RSSI
Some wireless clients may be set to use a lower Tx Power in order to extend
battery life. It may also be set automatically by the TPC elements sent by the AP.
You can verify this in the show interface wifi1 output.
AP-130-01#sh int w1 | include control
Tx range=300m; Noise floor=-93dBm; Tx power control=10dBm
You can see from the above information that the AP forced the client to reduce
its max Tx Power by 10 dBm. This leaves the client with around 4 dBm Tx
Power, assuming its maximum is 14 dBm.
173
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries
In this report you can compare the number of Tx and Rx retries on the AP that is
reported to have the issue.
174
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries
You can also check the value of the retries on the CLI or Tech Data
AP130#show interface wifi0 counter | in retr
1438 rx Retries
16% rx retry rate
731 tx retries
729 tx retries
9% tx retry rate
You can see in the previous graph and CLI output that the 2.4GHz Rx retries are
higher than the Tx retries. This is a strong indication that the AP power may be
too low compared to the client’s.
The next step is to check the Tx Power setting and the client’s RSSI.
175
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries
AP130#show acsp
Interface Channel select state Primary channel Channel width Power ctrl state Tx power(dbm)
--------- --------------------- ---------------- ------------- --------------------- -------------
Wifi0 Enable 1 20 Disable(User disable) 1
Wifi1 Enable 40 20 Disable(User disable) 4
The above example shows that the Tx Power is set to a very low value. This
indicates that the high Rx retries may be related to the mismatched Tx-Power issue.
The next step is to check the client’s RSSI.
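The two cases above apply the same reasoning in opposite directions: compare Tx and Rx retries, read the AP's Tx power from "show acsp", and work out what the client is actually transmitting with (its maximum minus any TPC reduction the AP advertises). The script below is an added example, not code from the student guide or from Extreme Networks; it parses constructed copies of the outputs shown in this section and applies that rule of thumb. The 14 dBm client maximum is the assumption the text itself makes, the 3 dB tolerance is mine, and the retry percentages for the 5GHz case are constructed because the guide shows that case as a graph.

```python
import re

# Constructed sample output, modelled on the "show acsp" tables and the
# "show interface wifi1 | include control" line in this section.
ACSP_5GHZ_MAX = """\
Interface Channel select state Primary channel Channel width Power ctrl state Tx power(dbm)
--------- --------------------- ---------------- ------------- --------------------- -------------
Wifi0 Enable 1 20 Enable 11
Wifi1 Enable 44 40 Disable(User disable) 20
"""
ACSP_2GHZ_LOW = """\
Interface Channel select state Primary channel Channel width Power ctrl state Tx power(dbm)
--------- --------------------- ---------------- ------------- --------------------- -------------
Wifi0 Enable 1 20 Disable(User disable) 1
Wifi1 Enable 40 20 Disable(User disable) 4
"""
TPC_LINE = "Tx range=300m; Noise floor=-93dBm; Tx power control=10dBm"

AP_STRONGER = "AP's Tx Power > Client's Tx Power"
CLIENT_STRONGER = "AP's Tx Power < Client's Tx Power"
NO_MISMATCH = "no Tx-Power mismatch indicated"

# interface, channel-select state, primary channel, width, power-ctrl state (may contain
# spaces, e.g. "Disable(User disable)"), tx power
ACSP_ROW_RE = re.compile(r"^(wifi\d)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s+(\d+)\s*$", re.IGNORECASE)


def parse_acsp(text):
    """'show acsp' table -> {'wifi0': {...}, 'wifi1': {...}}."""
    radios = {}
    for line in text.splitlines():
        m = ACSP_ROW_RE.match(line.strip())
        if m:
            radios[m.group(1).lower()] = {
                "channel": int(m.group(3)), "width": int(m.group(4)),
                "power_ctrl": m.group(5), "tx_power_dbm": int(m.group(6))}
    return radios


def parse_tx_power_control(line):
    """TPC reduction in dB that the AP advertises, from 'show interface wifiX | include control'."""
    m = re.search(r"Tx power control=(\d+)dBm", line)
    return int(m.group(1)) if m else 0


def client_effective_tx_power(client_max_dbm, tpc_reduction_db):
    """Power the client is left with after honouring the AP's TPC element (14 - 10 = 4 in the text)."""
    return max(client_max_dbm - tpc_reduction_db, 0)


def classify_mismatch(tx_retry_pct, rx_retry_pct, ap_tx_dbm, client_tx_dbm, margin_db=3):
    """Rule of thumb from the text: Tx retries dominate while the AP transmits louder
    than the client -> AP > client; Rx retries dominate while the AP is quieter -> AP < client.
    margin_db is an assumed tolerance, not a vendor value."""
    if tx_retry_pct > rx_retry_pct and ap_tx_dbm - client_tx_dbm > margin_db:
        return AP_STRONGER
    if rx_retry_pct > tx_retry_pct and client_tx_dbm - ap_tx_dbm > margin_db:
        return CLIENT_STRONGER
    return NO_MISMATCH


def analyse(acsp_text, iface, tx_retry_pct, rx_retry_pct, tpc_line="", client_max_dbm=14):
    """Tie the checks together for one radio. client_max_dbm is the assumed client maximum."""
    ap = parse_acsp(acsp_text)[iface]
    client_tx = client_effective_tx_power(client_max_dbm, parse_tx_power_control(tpc_line))
    verdict = classify_mismatch(tx_retry_pct, rx_retry_pct, ap["tx_power_dbm"], client_tx)
    return {"ap_tx_dbm": ap["tx_power_dbm"], "client_tx_dbm": client_tx, "verdict": verdict}


if __name__ == "__main__":
    # 5GHz case: Tx retries higher than Rx, AP at 20 dBm, client told to back off by 10 dB
    print(analyse(ACSP_5GHZ_MAX, "wifi1", tx_retry_pct=37, rx_retry_pct=11, tpc_line=TPC_LINE))
    # 2.4GHz case from the text: Rx 16% > Tx 9%, AP at 1 dBm, no TPC line
    print(analyse(ACSP_2GHZ_LOW, "wifi0", tx_retry_pct=9, rx_retry_pct=16))
```

The verdict is only a pointer, as the guide says: the client's RSSI and the channel utilisation still have to be checked before concluding that power, rather than interference or a hidden node, is the cause.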
176
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries
The client is detected with high signal. Next, check the AP’s RSSI value that is
detected by the client.
177
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Tx Power
178
Mismatch Tx-Power
Solutions
179
Mismatch Tx-Power
Solutions
180
Hidden-Node Problem
181
Identify The Problem…
182
Hidden Node
Reported Issues
183
Hidden Node
Troubleshooting
Things to check:
Retransmissions
Collision Status
Client’s RSSI
184
Hidden Node
Diagnostics Retransmission
185
Hidden Node
Troubleshooting Collision
The best place to check the collision status is from the CLI / Tech Data.
The interface statistics above show that the collision count is high. This is a strong
indication that you may have a hidden node issue.
The next step is to check the clients’ RSSI.
186
Hidden Node
Troubleshooting RSSI
In this example one of the clients is either far from the AP or located behind an
obstacle. In this situation these two clients may not see each other.
187
Hidden Node
Solution
There are many things that can be done to resolve the hidden node issue:
Ensure stations only connect to a nearby AP
Implement IEEE 802.11 RTS/CTS
Reduce the AP’s Tx power to match the client’s Tx Power
Increase the basic data rate: ensure stations connect to a nearby AP only
Rather than using high Tx power and a low data rate, add additional APs if there is not enough
coverage.
RTS/CTS instead! ?? (Note by Marko) Needs clarification
188
189
Software Defined Radio Profile (SDR)
Initial ACSP Process (flowchart, recovered as steps):
ACSP starts: channels are assigned to both radios (WiFi0: 2.4GHz, WiFi1: 5GHz)
SD RF Redundancy Detection Algorithm starts
Above threshold? NO: WiFi0 stays on 2.4GHz
Above threshold? YES: assign WiFi0 to 5GHz, ensure channel separation
Power Selection for WiFi0 & WiFi1
Final channels & Tx-Powers are assigned
ACSP-SDR Completed
190
SDR Optimisation
191
SDR Optimisation
192
SDR Optimisation
193
Software Defined Radio Profile (SDR)
Periodic Checking
Periodic Checking (flowchart, recovered as steps):
SDR starts
Periodic checking enabled? NO: SDR completed
Periodic checking enabled? YES: RF Redundancy Detection Algorithm
Above threshold 3 times? NO: WiFi0 stays on the current band, channel and Tx-Power
SDR Completed
194
Software Defined Radio Profile (SDR)
Scheduled Checking
Scheduled Checking (flowchart, recovered as steps):
SDR starts
Scheduled checking enabled? NO: SDR completed
Scheduled checking enabled? YES: RF Redundancy Detection Algorithm
Above threshold? If not, WiFi0 stays on the current band, channel and Tx-Power
SDR Completed
195
5 GHz Channels
20 MHz channels: 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 / 100 104 108 112 116 120 124 128 132 136 140 144 / 149 153 157 161 165 169 173 177 181
40 MHz channels: 38 46 54 62 / 102 110 118 126 134 142 / 151 159 167 175
196
Troubleshooting DFS
Even after enabling dynamic channel selection and DFS channels, you may see
your 5 GHz radios ending up on channels 36, 40, 44 and 48.
This is most likely because of detected radar presence.
You can use CLI commands to verify the cause.
197
Troubleshooting DFS
198
Troubleshooting DFS
The show interface wifi1 dfs command will show any detected radar events.
If radar is detected, the AP will go off the DFS channels for 30 minutes.
This back-off period can be reduced using Zero-Wait DFS.
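The behaviour described on the last few slides, radios drifting back to 36 to 48 either because DFS is off or because a radar hit put a channel on the 30-minute non-occupancy list, is easy to model. The following Python is an added example, not code from the student guide or from Extreme Networks: it keeps a non-occupancy list with the 30-minute timer stated above, filters a candidate list the way channel selection would, and also computes the 40 MHz centre channel numbers drawn on the 5 GHz channel slide (36+40 gives 38, 100+104 gives 102, and so on). The channel groupings follow the slide; the timestamps are constructed.

```python
from datetime import datetime, timedelta

# 20 MHz channel numbers as drawn on the 5 GHz channel slide in this section.
UNII1 = (36, 40, 44, 48)                       # no DFS required
UNII2 = (52, 56, 60, 64)                       # DFS required
UNII2E = tuple(range(100, 145, 4))             # DFS required, 100..144
UNII3 = (149, 153, 157, 161, 165)              # no DFS required
DFS_CHANNELS = frozenset(UNII2 + UNII2E)
# Lower channel of each 40 MHz pair; the pair's centre is the number on the
# slide's 40 MHz row (38, 46, ..., 175).
PAIR_LOWER = (36, 44, 52, 60, 100, 108, 116, 124, 132, 140, 149, 157, 165, 173)
NOL_MINUTES = 30   # non-occupancy period stated in the text


def bonded_40mhz_channel(primary, secondary):
    """Centre channel of a 40 MHz pair, e.g. 36+40 -> 38, 100+104 -> 102.
    Returns None when the two 20 MHz channels do not form a valid pair."""
    lo, hi = sorted((primary, secondary))
    if hi - lo != 4 or lo not in PAIR_LOWER:
        return None
    return (lo + hi) // 2


class DfsTracker:
    """Non-occupancy list: a DFS channel on which radar was detected stays
    unusable until its timer expires."""

    def __init__(self):
        self._blocked_until = {}

    def radar_detected(self, channel, now):
        # Radar events only matter on DFS channels; others are ignored.
        if channel in DFS_CHANNELS:
            self._blocked_until[channel] = now + timedelta(minutes=NOL_MINUTES)

    def blocked(self, channel, now):
        until = self._blocked_until.get(channel)
        return until is not None and now < until

    def usable(self, candidates, now, dfs_enabled=True):
        """Channels the radio may select right now. With DFS disabled only the
        non-DFS channels remain, which is why radios end up on 36-48."""
        return [c for c in candidates
                if (dfs_enabled or c not in DFS_CHANNELS) and not self.blocked(c, now)]


def simulate_radar_hit():
    """Walk through a radar event on channel 100 and show the usable list before,
    during and after the 30-minute non-occupancy period. Timestamps are constructed."""
    now = datetime(2020, 3, 1, 12, 0)
    candidates = UNII1 + (100, 104)
    tracker = DfsTracker()
    before = tracker.usable(candidates, now)
    tracker.radar_detected(100, now)
    during = tracker.usable(candidates, now + timedelta(minutes=5))
    after = tracker.usable(candidates, now + timedelta(minutes=NOL_MINUTES + 1))
    dfs_off = tracker.usable(candidates, now, dfs_enabled=False)
    return {"before": before, "during": during, "after": after, "dfs_off": dfs_off}


if __name__ == "__main__":
    for name, channels in simulate_radar_hit().items():
        print("%-8s %s" % (name, channels))
    print("36+40 ->", bonded_40mhz_channel(36, 40), "| 40+44 ->", bonded_40mhz_channel(40, 44))
```

The model leaves out the channel availability check a radio must perform before transmitting on a DFS channel (60 seconds, longer on the weather-radar channels under ETSI rules); that idle period is the "wait" that Zero-Wait DFS is designed to remove.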
199
Troubleshooting DFS
200
Lab #2:
RF Issues
All issues should be fixed from within the StudentX policy for proper evaluation!
201
Network Performance Troubleshooting
202
Best Practices For Broadcast and Multicast
203
Filter unnecessary traffic from Switches
Broadcast, Multicast and Unknown
204
Broadcast and Multicast Issues
205
Broadcast and Multicast Issues
Switch Port Configuration Issues
Generally, switch ports that are connected to access points (APs) are configured as
trunk ports to carry the VLANs required by the WLAN. However, there are instances
where the ports are configured to carry all VLANs unnecessarily. In these
situations broadcast and multicast traffic from all VLANs may be forwarded to the
APs’ ports. This can potentially increase the load on an AP’s CPU.
206
Broadcast and Multicast Issues
Troubleshooting Switch port configuration issues
207
Broadcast and Multicast Issues
Troubleshooting Switch Port Configuration
show user-profile
User Profile Table
Total Entries = 2
208
Broadcast and Multicast Issues
Troubleshooting Switch Port Configuration
209
Broadcast and Multicast Issues
Solution to Switch Port Configuration Issues
SSID SSID
Red Blue
VLAN Blue
VLAN Red
Dot1q Trunk
VLAN Management
Check switch configuration and ensure it carries VLANs used by the WLAN and
Management only.
210
Broadcast and Multicast Issues
Common mistakes in allocating VLANs for WLANs
211
Broadcast and Multicast Issues
Troubleshooting VLAN Allocation Issues
212
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues
213
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues
Subnet size: the bigger the subnet, the more devices can be allocated to it – this
may increase BC/MC.
VLAN: VLAN 1 is mainly used by other devices in the network – this may also
increase BC/MC.
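Both checks in this part of the guide (the trunk should carry only the WLAN and management VLANs; WLAN subnets should not be oversized or sit on VLAN 1) can be scripted against the switch port's allowed-VLAN list and the user profiles' VLAN assignments. The Python below is an added example, not code from the student guide or from Extreme Networks; the VLAN numbers, subnets and the 254-host threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample: two WLAN user profiles plus the management VLAN, and a
# switch port that was left trunking every VLAN.
SSID_VLANS = {"Employee": 10, "Guest": 8}
MGMT_VLAN = 2
TRUNK_ALLOWED_ALL = "1-4094"
TRUNK_ALLOWED_WLAN = "2,8,10"
WLAN_SUBNETS = {8: "10.99.8.0/24", 10: "10.99.10.0/22", 1: "10.99.1.0/24"}  # constructed


def expand_vlan_list(spec):
    """Expand a switch-style allowed-VLAN string such as '1,2,8-10' or '1-4094'."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_trunk(allowed_spec, ssid_vlans, mgmt_vlan):
    """Compare what the trunk carries with what the WLAN and management actually need.
    'unnecessary' VLANs deliver their BC/MC to the AP's port for nothing;
    'missing' VLANs break the SSIDs mapped to them."""
    allowed = expand_vlan_list(allowed_spec)
    required = set(ssid_vlans.values()) | {mgmt_vlan}
    return {"unnecessary": sorted(allowed - required), "missing": sorted(required - allowed)}


def audit_wlan_subnets(wlan_subnets, max_hosts=254):
    """Flag WLAN VLANs that invite extra BC/MC: VLAN 1 (shared with other network
    devices) and subnets with more hosts than max_hosts (an assumed threshold)."""
    findings = []
    for vlan, cidr in wlan_subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        hosts = max(net.num_addresses - 2, 0)
        if vlan == 1:
            findings.append((vlan, "VLAN 1 is also used by other network devices"))
        if hosts > max_hosts:
            findings.append((vlan, "%s allows %d hosts; broadcast domain is large" % (cidr, hosts)))
    return findings


if __name__ == "__main__":
    result = audit_trunk(TRUNK_ALLOWED_ALL, SSID_VLANS, MGMT_VLAN)
    print("trunk carries %d unnecessary VLAN(s), missing: %s"
          % (len(result["unnecessary"]), result["missing"]))
    for vlan, why in audit_wlan_subnets(WLAN_SUBNETS):
        print("VLAN %d: %s" % (vlan, why))
```

The allowed-VLAN string is whatever the switch's running configuration shows for the AP port; the same function covers both the "all VLANs" mistake and a trunk that is missing one of the WLAN VLANs.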
214
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues
215
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues
216
Broadcast and Multicast Issues
VLAN Allocation Issues solution
217
Broadcast and Multicast Issues
VLAN Allocation Issues – Solution
L3 Networks
VLAN 102 VLAN 104 VLAN 202 VLAN 204 VLAN 302 VLAN 304
VLAN 103 VLAN 105 VLAN 203 VLAN 205 VLAN 303 VLAN 305
218
Troubleshooting Tools
219
VLAN Probe
VLAN or DHCP probe
220
VLAN Probe Example
221
Remote Sniffer
Optional settings:
222
Remote Sniffer Example
223
Wi-Fi Interface Capture *
224
Wi-Fi Interface Capture *
Location can be an SCP or TFTP server. An HTTP URL may also be used.
225
Wi-Fi Interface Capture Example
226
TCP Service Test
227
CAPWAP PING
CAPWAP PING can be used to test UDP connectivity to XIQ or the Redirector
228
Delay Execute
Interval after the delay to apply the entered commands, 1-60 seconds
Enter the configuration commands and exit delay execute mode:
no exec delay-execute
229
Delay Execute Example
230
SSH Client & Device WAN Access
exec bypass-wan-hardening
231
Authentication Tools – RADIUS Test
[ {pap|chap|ms-chap-v2} ]
232
Authentication Tool – NTLM Auth
Used to test Active Directory integration from the Aerohive RADIUS server.
233
Authentication Tools - LDAP Search
234
Port Mirroring
235
Real-time client information
236
System processes
237
Available commands
This will display all commands; when | include is added, the command list can be
filtered
show cmds
show cmds | include aaa
238
Forwarding Engine Debugging
239
Forwarding Engine Debugging Process
Basic debug will display the packet’s route through a device with the IP addresses, port
numbers and interfaces. Detail also includes MAC, QoS & IP session and user profile
information
240
Forwarding Engine Debugging Example
241
Authentication and Roaming
242
Topics
Pre-shared Key
Private Pre-shared Key
802.1X & Active Directory
Roaming & Authentication
243
Client Monitor XIQ
244
Pre-shared Key Association
SSID: test1-psk; Key method: WPA2-PSK; Encryption: CCMP (AES)
Beacons: The AP broadcasts beacons advertising the SSID “test1-psk” and its security and network
capabilities (supported rates) on the 2.4Ghz & 5Ghz bands.
Probe Request / Probe Response: If the client sends a probe request to discover available SSIDs, the AP
responds with the same information as that in its beacons.
Authentication Request / Authentication Response: The client sends an authentication request, and
because WPA2 uses open authentication, the response always accepts the request.
Association Request / Association Response: The client sends its capabilities, and the AP replies
whether these are acceptable or not. If they are, it creates an association ID and sends it to the client.
Four-way handshake: The AP and client exchange the pre-shared key and other information to derive
keys to encrypt unicast traffic. (Later, they derive encryption keys for multicast and broadcast traffic
as well.)
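The key material behind the four-way handshake step above can be reproduced in a few lines, which makes the failure modes on the following slides (an incorrect pre-shared key, a client that never completes the handshake) concrete. The Python below is an added example, not code from the student guide or from Extreme Networks. It derives the PMK from the passphrase and SSID with PBKDF2 (the WPA2-Personal definition), then derives the PTK from the PMK, both MAC addresses and the two nonces exactly as 802.11 specifies for the CCMP AKM, and computes the message 2 MIC with the KCK. The passphrase itself never crosses the air; only the nonces do, which is why a wrong key fails at the handshake (message 2 MIC check) rather than at association. The MAC addresses, nonces and EAPOL body are constructed; with 802.1X the PMK would come from the EAP exchange instead of PBKDF2, and the PTK derivation is the same.

```python
import hashlib
import hmac


def psk_to_pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11 PRF-n built from HMAC-SHA1, as used by the CCMP/PSK AKM:
    concatenation of HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    Split into KCK (MIC key), KEK (wraps the GTK in message 3) and TK (CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """Key MIC for messages 2/3/4 with the CCMP-PSK AKM: HMAC-SHA1-128 over the
    EAPOL-Key frame with the MIC field set to zero."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def handshake_demo(ap_passphrase, client_passphrase, ssid="test1-psk"):
    """Constructed run of the key-derivation half of the handshake. Returns True when
    the AP accepts the client's message 2 MIC, i.e. both sides hold the same PSK."""
    aa = bytes.fromhex("020000000001")      # constructed AP MAC (locally administered)
    spa = bytes.fromhex("020000000002")     # constructed client MAC
    anonce = bytes(range(32))               # constructed; sent by the AP in message 1
    snonce = bytes(range(32, 64))           # constructed; sent by the client in message 2
    client_ptk = derive_ptk(psk_to_pmk(client_passphrase, ssid), aa, spa, anonce, snonce)
    ap_ptk = derive_ptk(psk_to_pmk(ap_passphrase, ssid), aa, spa, anonce, snonce)
    msg2 = b"EAPOL-Key message 2 body with MIC field zeroed"   # placeholder frame
    mic_from_client = eapol_mic(client_ptk["kck"], msg2)
    # The AP recomputes the MIC with its own KCK; a mismatch is how a wrong PSK shows up.
    return hmac.compare_digest(mic_from_client, eapol_mic(ap_ptk["kck"], msg2))


if __name__ == "__main__":
    print("IEEE test vector PMK:", psk_to_pmk("password", "IEEE").hex())
    print("same PSK  -> MIC accepted:", handshake_demo("correct horse", "correct horse"))
    print("wrong PSK -> MIC accepted:", handshake_demo("correct horse", "wrong horse"))
```

The PBKDF2 step is deliberately slow (4096 iterations), and the SSID acts as the salt, so the same passphrase on two SSIDs gives two different PMKs; this is also the reason a captured handshake lets an attacker test passphrase guesses offline, which is the risk Private PSK and 802.1X, covered next, are meant to reduce.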
245
Successful PSK Authentication
Client Monitor
246
Incorrect Pre-shared Key
247
PSK Client Not Connecting
248
Successful RADIUS authentication
249
Incorrect user credentials
250
Misconfigured RADIUS secret
251
RADIUS certificate issue
252
Expired Server Certificate
253
Inconsistent Roaming Patterns
Figure: 1. Client starts connection to AP 1; 2. Client roams to AP 2; 3. Client experiences poor voice
quality when turning the corner; 4. Client eventually roams to AP 3.
254
What is the ‘proper design’?
It depends if roaming is a key consideration
XIQ APs
The APs can bring up a mesh to route around a problem, even if mesh is not being
used by default.
What is the MTBF of a protocol?
255
256
Lab #3
802.1X Troubleshooting
You are receiving complaints that users are unable to connect to the
Corporate WiFi.
All issues should be fixed from within the StudentX policy for proper evaluation!
257
Private pre-shared key (PPSK)
258
PPSK in Cloud vs AP
259
ID Manager
RADIUS
Windows NPS
radsec
IDM
260
ID Manager
XIQ Classic vs XIQ
261
If an ID Manager certificate is invalid
262
ID Manager RadSec Proxy Test
263
ID Manager port test
ID Manager RadSec protocol uses TCP port 2083. Tool below verifies reachability:
Test successful.
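The port test above is a plain TCP connect to port 2083; the same check can be scripted for every AP site from any host that should have the same egress path. The Python below is an added example, not code from the student guide or from the XIQ tool. It attempts the connection with a timeout, reports the outcome and latency, and includes a throw-away local listener so it demonstrates both the reachable and the refused result offline. Note the limit of such a test: a completed TCP connect shows only that the port is reachable, not that the RadSec TLS handshake and certificate validation (the subject of the earlier "If an ID Manager certificate is invalid" slide) will succeed.

```python
import socket
import time

RADSEC_PORT = 2083   # TCP port used by ID Manager RadSec, per the text


def tcp_port_reachable(host, port, timeout=3.0):
    """Try a TCP connect; return (reachable, milliseconds, error_text)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, round((time.monotonic() - start) * 1000, 1), ""
    except OSError as exc:   # refused, timed out, unreachable, name resolution failed
        return False, round((time.monotonic() - start) * 1000, 1), str(exc)


def radsec_reachable(host, timeout=3.0):
    """Convenience wrapper for the ID Manager RadSec port."""
    return tcp_port_reachable(host, RADSEC_PORT, timeout)


def local_listener_demo():
    """Run the check against a throw-away listener on 127.0.0.1 so the example works
    offline: open port -> reachable, then closed port -> refused. Returns (up, down)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        up, _, _ = tcp_port_reachable("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    down, _, err = tcp_port_reachable("127.0.0.1", port, timeout=1.0)
    return up, down


if __name__ == "__main__":
    up, down = local_listener_demo()
    print("listener open -> reachable:", up)
    print("listener closed -> reachable:", down)
    # Real use: radsec_reachable("idm.example.invalid") against the IDM hostname in use
```

Because the page's CAPWAP ping tests UDP, this TCP check is not a substitute for it; the two verify different paths through the firewall.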
264
Show users on AP
AH-006700-2#show user
265
Check AP Time
266
Show AP Time Zone
Select Device>Actions>Advanced>CLI Access
267
RADIUS Test Tool
268
Connect the Windows client to 802.1X SSID
269
Show AAA RADIUS-server
Local RADIUS: Enabled
Local RADIUS ACCT: Disabled
Auth Port: 1812
Acct Port: 1813
Proxy: Disabled
Auto Shared Secret: Enabled
Station Auth Type: tls peap ttls leap md5
CA: Default_CA.pem
Server Cert: Default-Server_cert.pem
Private Key: Default-Server_key.pem
Group Map: memberOf
Remote Retry Period: 30 secs
Local Check Period: 300 secs
Require Message Authenticator: No
Ldap Retry Interval: 600 secs
primary active-directory (active):
Admin User: hiveapadmin
Full Domain Name: testneta.local
TLS Enabled: yes
1st domain info (default):
Domain Name TESTNETA
Server: 172.16.1.28
BindDN: hiveapuser@testneta.local
Library SIP: Disabled
primary library SIP parameters:
Port: 6001
270
ROAMING cache sharing
271
Load balancing and roaming
272
High density and roaming
273
Client device association history
274
Show Auth
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
PMK=Pairwise Master Key; PTK=Pairwise Transient Key;
GMK=Group Master Key; GTK=Group Transient Key;
Auth flag: M=Mac-Based-Auth passed; X=802.1X passed; C=CWP passed; F=Using failure-UPID;
if=wifi1.1; idx=18; AA=08ea:4489:e2e8; SSID=galen; default-UID=1;
Protocol-suite=open; MAC-based-auth=Enabled;
No. Supplicant UID PMK PTK Life State Reauth-itv Flag FT-Roam
--- -------------- ---- ----- ----- ----- -------------- ---------- -------- -------
0 109a:ddb8:6d4b 1 n/a 0000* -1 open 0 0007: M N
Local Cache Table empty:
PMK-R0 and PMK-R1 Cache Table empty:
275
Lab #4
Guest network Troubleshooting
You are receiving complaints that the Guest WiFi is not working.
276
Private pre-shared key
Frame analysis using WIRESHARK and XIQ APs
277
Problem Statement
The IEEE continuously expands the 802.11 standard. Chipset vendors incorporate
new feature-sets to capitalize upon the new features provided for in the standard.
Drivers for Wireshark and other capture tools lag behind the technology. In some
cases years may pass between the adoption of a new technology and the ability
to capture frames demonstrating that new technology.
278
The Solution
279
Packet Capture within XIQ
280
Download PCAP File and Open with Wireshark
281
Packet Capture Using the CLI
Identify the AP to be used as a remote sniffer
1
282
Obtain the console access Admin credentials
283
Connect to the AP using SSH
284
Configure the AP as a remote sniffer
285
Configure Wireshark
Launch Wireshark
On the top navigation, click Capture
Click Options
286
Configure Wireshark
287
Configure Wireshark
288
Configure Wireshark
289
Configure Wireshark
290
Configure Wireshark
291
Creating a New User
Global settings
XIQ administration sidebar menu will appear
Click Add
292
Creating a New User
293
Creating a New User - Internal
When creating a new admin, Role Based Access Control offers two choices:
Create a new admin: Additional admins from within your organization
Grant access to external admin: Additional admins from outside the organization
(resellers, distributors…)
To create an internal admin account, select ⦿ Create a new admin account
294
Creating a New User
Internal
295
Creating a New User
Internal
296
Creating a New User
Internal
297
Creating a New User - Internal
298
Creating a New User
External
Access can also be granted to outside users: Admin/users from outside the
organization (resellers, distributors…)
To create an external admin account, select ⦿ Grant access to external admin
Note
External users must have existing XIQ accounts. XIQ Accounts are checked against their email
address & will be marked by the EXT Icon next to their name
299
Role Based Access Control
300
Role Based Access Control
301
Role Based Access Control
302
Role Based Access Control
303
Role Based Access Control
Administrator
This role provides full access to all configuration,
monitoring, & administrative functions. It is the only role
that has access to account and license management.
Operator
This role provides full access to most functions including
network and device configuration. However, it does not
allow access to user account and license management.
Monitor
Monitor role provides full access to troubleshooting and
read-only access to monitoring & configuration functions.
304
Role Based Access Control
Help Desk
Help Desk role provides full access to the Troubleshoot tab
& search access to the User 360 View and Client 360 View.
Guest Management
This role provides access to create network credentials.
Observer
Observer role provides read-only access to most function except
for account and license management.
305
Private pre-shared key
XIQ Troubleshooting Tool
306
Help Desk View
Issue List
307
Help Desk View
Diagnosis
Event History
308
Help Desk View
Diagnosis
Case number can be assigned to match with external Help Desk systems
Note
Client Monitor feature is ON by default for all clients!
309
Issue Escalation
Select ‘Escalate’
310
Issue Escalation
311
Issue Escalation
312
Issue Resolution
313
Issue Resolution
314
Issue Resolution
315
Issue Resolution
Unresolved Issues
Resolved Issues
316
Issue Types
317
Search by MAC
318
Search by Hostname
319
Troubleshoot Now
320
SSH Proxy
321
Overview
322
SSH for APs and Switches
Figure: Access Point – SSH client
323
SSH for APs and Switches
Figure: Access Point – SSH tunnel – SSH client
XIQ does not participate in the conversations during the SSH session
and has no knowledge of the content inside the SSH tunnel.
XIQ manages the time-out and will terminate any SSH sessions upon time out.
Any admin with sufficient privilege can proactively terminate any SSH
session via the NG graphical user interface (GUI).
324
SSH Proxy Session
Figure: Access Point – SSH proxy servers – Admin
Admin selects a device in XIQ.
XIQ contacts the SSH proxy server to get an available port, generate
credentials and create a user.
Via CAPWAP, XIQ sends the SSH proxy server IP address, random port,
username and credential to the AP.
325
SSH Proxy Session
Figure: Access Point – SSH tunnel – SSH proxy servers
The managed AP or switch initiates the SSH session via the random port to an
allocated SSH proxy server in the cloud.
Port numbers used for the SSH session are random.
Outbound ports that need to be open on the remote customer firewall: 22, 10000 – 15000
326
SSH Proxy Session
Figure: Access Point – SSH – SSH proxy servers – SSH client
327
SSH Proxy
Administrator Role
328
SSH Proxy
Global Settings
329
SSH Proxy
Global Settings
330
SSH Proxy
Device Settings
331
SSH Proxy
Device Settings
Click SSH
Security warning and device SSH
settings appear
332
SSH Proxy
Device Settings
333
SSH Proxy
SSH Session being setup
334
SSH Proxy
Active SSH Session
SSH Active
Time remaining
SSH proxy IP address
Randomized SSH port
335
SSH Proxy
SSH client
336
SSH Proxy
SSH client
337
SSH Proxy or Supplemental CLI
Best Practice
Use the Supplemental CLI object to configure CLI commands not available in the XIQ GUI
338
SSH Status
From the monitor view, an SSH status column counts how much time is left before the
session times out
339
Device Management Settings
Global
340
Device Management Settings
Global
341
Device Credential Settings
Single Device
Device CLI passwords can also be set for each independent device
Manage > Devices
Click the Host Name of the device
342
Device Credential Settings
Single Device
343
Device Credential Settings – Policy
344
Thank You
345
WWW.EXTREMENETWORKS.COM
346