
ExtremeWireless Cloud Troubleshooting

Isaac de Abreu
Feb 2020

©2020 Extreme Networks, Inc. All rights reserved

Welcome

Introductions Facilities Agenda Questions Resources

Introductions

• What is your name?
• What is your organization's name?
• Customer or Partner?
• Have you used XIQ in the past?
• How long in Wi-Fi?

Lab Topology

VLAN info:
VLAN 1: 172.18.252.0/24
VLAN 2: 10.5.2.1/24 (AP Management)
VLAN 8: 10.5.8.1/24 (Guest)
VLAN 10: 10.5.10.1/24 (Employee)
Management VLAN: 2

ETH0-4 (WAN*): 802.1Q trunk ports
Trunk: all VLANs
Native VLAN: 1

DHCP info:
172.18.252.0/24
10.5.2.1/24
10.5.8.1/24
10.5.10.1/24

DNS Server: 10.5.1.10

Lab Credentials:
Domain name: ah-lab.local
XIQ: ahtechtraining@gmail.com/Aerohive4Rulz!
XIQ: 10.5.1.20 or hivemanager.ah-lab.local
RADIUS shared secret: aerohive123
AD Test User: userX/Aerohive1

Recommended Reading

CWNA Certified Wireless Network Administrator Official Study Guide, 5th Edition
by David D. Coleman and David A. Westcott

ISBN-13: 978-1119425786
ISBN-10: 1119425786


XIQ Help

• Please, please, please, consult our Help if you have a question about a feature or product behaviour.
• The answer will be there more often than not.
• Our Help is our best feature and is an invaluable resource.

XIQ Search

Troubleshooting Theory and Best Practices

Troubleshooting Best Practices (1/2)
Identify the issue by asking questions

When? Where? Affecting one or many clients? Recurring? Recent changes?

Troubleshooting Best Practices (2/2)
Identifying the Issue

• Recreate the problem
• Locate and isolate the cause
• Formulate a plan for solving the problem
• Implement the plan
• Test to verify the problem is resolved
• Document the problem and the solution
• Provide feedback to the user

Wi-Fi on the OSI Model
Physical and Data Link Layer

 802.3 Uses Cables to transmit EM signals


 802.11 Uses RF Medium to transmit EM signals
Note
Key Term: Medium

Wired communications travel across what is known as a bounded medium. An example of a bounded medium would be an Ethernet cable that contains or confines the signal (small amounts of signal leakage can occur). Wireless communications travel across what is known as an unbounded medium. An unbounded medium does not contain the signal, which is free to radiate into the atmosphere in all directions (unless restricted or redirected by some outside influence). Because of the unbounded nature of RF communications, the different physical environments in every indoor or outdoor deployment will result in different coverage and capacity capabilities that are unique to the site. Unlike a bounded wired cable, RF is an ever-changing physical medium that will change along with the physical environment in which RF propagates. The good news is that RF communications still do abide by the laws of physics, meaning that a functional WLAN can be designed with the proper knowledge of RF characteristics and behaviors.

An RF signal starts out as an electrical alternating current (AC) signal that is originally generated by a transmitter. This AC signal is radiated out of an antenna element in the form of an electromagnetic wave. An RF signal is an alternating current (AC) that continuously changes between a positive and negative voltage, which can be represented as a sine wave. An oscillation, or cycle, of this alternating current is defined as a single change from up to down to up, or as a change from positive to negative to positive. All RF signals are defined by various characteristics including wavelength, frequency, amplitude and phase. Phase, frequency and amplitude shifts can all be used by transmitting radios to modulate data.
Wi-Fi on the OSI Model
Physical and Data Link Layer

[Frame layout: Header with MAC addressing | Layers 3-7 data | Trailer with CRC]

• The MAC sublayer manages access to the physical medium
• The LLC sublayer manages the flow of multiple simultaneous network protocols over the same network medium
• Devices operating no higher than Layer 2 include: network interface cards (NICs), Layer-2 Ethernet switches, and wireless access points


MAC Service Data Unit (MSDU)

When the Network layer (layer 3) sends data to the Data-Link layer, that data is handed off to the LLC and becomes known as the MAC Service Data Unit (MSDU). The MSDU contains data from the LLC and layers 3–7. A simple definition of the MSDU is that it is the data payload that contains the IP packet plus some LLC data.
There are three major 802.11 frame formats. 802.11 management and control frames do not carry upper-layer information. Only 802.11 data frames carry an MSDU payload in the frame body. The 802.11-2007 standard states that the maximum size of the MSDU is 2,304 bytes. The maximum frame body size is determined by the maximum MSDU size (2,304 octets) plus any overhead from encryption.

MAC Protocol Data Unit (MPDU)

When the LLC sends the MSDU to the MAC sublayer, the MAC header information is added to the MSDU to identify it. The MSDU is now encapsulated in a MAC Protocol Data Unit (MPDU). A simple definition of an MPDU is that it is an 802.11 frame. The 802.11 frame, as seen above, contains a layer 2 header, a frame body, and a trailer, which is a 32-bit CRC known as the frame check sequence (FCS). At this point, the frame is ready to be passed onto the Physical Layer, which will then further prepare the frame for transmission.
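As an added example (not part of the training deck), the following Python builds a minimal 3-address 802.11 data MPDU exactly as the notes describe (MAC header, MSDU body, 32-bit CRC trailer) and parses one back, recomputing the FCS the way a receiving radio does. The payload and the broadcast address are constructed; the AP address is the one that appears in the AMRP output later in the deck.

```python
import struct
import zlib

# Added example (not from the slides): build and parse an 802.11 data MPDU
# as described above: MAC header + frame body (the MSDU) + 32-bit CRC (FCS).
MAX_MSDU = 2304               # 802.11-2007 maximum MSDU size in octets
HDR_LEN = 24                  # 3-address, non-QoS header
FCS_LEN = 4
FRAME_TYPES = ("management", "control", "data", "extension")


def mac_bytes(text):
    """'00:19:77:45:67:c0' or '0019:7745:67c0' (the AP CLI style) -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 octets")
    return raw


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fcs_of(frame_without_fcs):
    """The 802.11 FCS is the same CRC-32 as Ethernet, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def msdu_fits(msdu):
    """The 2,304-octet MSDU limit applies before encryption overhead is added to the body."""
    return len(msdu) <= MAX_MSDU


def build_data_mpdu(addr1, addr2, addr3, msdu, seq=0):
    """Assemble a minimal 802.11 data frame: Frame Control 0x0008 = type 2 (data),
    subtype 0, no flags; Duration 0; Sequence Control carries seq with fragment 0."""
    if not msdu_fits(msdu):
        raise ValueError("MSDU exceeds %d octets" % MAX_MSDU)
    header = struct.pack("<HH", 0x0008, 0)
    header += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)
    body = header + msdu
    return body + fcs_of(body)


def parse_mpdu(frame):
    """Split a 3-address data/management MPDU into header fields, body and FCS,
    and recompute the CRC the way a receiving radio does. Control frames
    (ACK, RTS, ...) use shorter headers and are rejected here."""
    if len(frame) < HDR_LEN + FCS_LEN:
        raise ValueError("frame too short for a 24-byte header plus FCS")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    if ftype == 1:
        raise ValueError("control frames are not handled by this parser")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled by this parser")
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    body = frame[HDR_LEN:-FCS_LEN]
    received_fcs = frame[-FCS_LEN:]
    return {
        "type": FRAME_TYPES[ftype],
        "subtype": (fc >> 4) & 0xF,
        "retry": bool(fc & 0x0800),          # Layer 2 retransmission flag
        "protected": bool(fc & 0x4000),      # frame body is encrypted
        "duration": duration,
        "addr1": mac_text(frame[4:10]),
        "addr2": mac_text(frame[10:16]),
        "addr3": mac_text(frame[16:22]),
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0xF,
        "body": body,                        # the MSDU, for data frames only
        "fcs_ok": received_fcs == fcs_of(frame[:-FCS_LEN]),
    }


def corrupt(frame, index):
    """Flip one bit to mimic an over-the-air error: the receiver drops the frame on
    FCS mismatch and the sender retries (an FCS error in the AP counters)."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    ap = "0019:7745:67c0"                    # AP MAC from the AMRP output in this deck
    frame = build_data_mpdu("ff:ff:ff:ff:ff:ff", ap, ap, b"constructed MSDU", seq=42)
    print(parse_mpdu(frame))
    print(parse_mpdu(corrupt(frame, HDR_LEN))["fcs_ok"])
```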
OSI Model

7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical

• Troubleshoot the WLAN just like you would troubleshoot a wired network
• Move up the OSI model
• 802.11 technology only operates at Layers 1 and 2
• If the problem does not exist in the first two layers, it is not a Wi-Fi problem

OSI Model

Layers 5-7 (Session, Presentation, Application): RADIUS, Active Directory, DNS, DHCP, NTP and user applications
Layers 3-4 (Network, Transport): IP address, routing, ports, firewalls
Layers 1-2 (Physical, Data Link): Wi-Fi: RF and configuration, drivers, WLAN security sessions, WLAN design, VLANs, etc.

The client is usually the culprit

Bad drivers, compatibility issues, improperly configured supplicant

Upgrade your clients first

• Customer is willing to pay $$$ for WLAN infrastructure upgrades but not for client upgrades?
• Sadly… client-side technology updates are slow.

But… it’s backward compatible!

• Legacy client devices often cannot connect when new 802.11 technology is introduced
• Client drivers do not know how to handle new Information Elements, e.g. in Beacons
• Example: Fast BSS Transition IE

Upgrade your clients first
http://clients.mikealbano.com

Blame

Your Wi-Fi sucks!

Layer 1
70% of Wi-Fi problems are on this layer

• RF interference
• Client radio and driver problems
• Misconfigured client (supplicant) security settings
• Power over Ethernet (PoE)
• Firmware issues on access points (bugs)

Layer 1
RF Interference

• Spectrum analysis will find RF interference
• Learn basic Wi-Fi shapes: (HR)-DSSS, OFDM
• Learn to recognize narrow band and wide band interferers.
• Bring a hammer with you.
Layer 1
PoE Power Budget

• Careful PoE budget planning is a must
• APs will randomly reboot if a switch power budget has been exceeded and the APs cannot draw their required power
• PoE problems will grow with the introduction of 4x4:4 MIMO APs that require more than 15.4 Watts.
• 802.3at (PoE+)
Layer 1
Bugs

• Bugs often occur after AP firmware updates
• Supply the WLAN vendor with packet captures and tech data logs

Layer 2
Moving up the OSI Model

• Roaming problems
• Layer 2 retries
• Authentication and association problems

Layer 2
PSK Authentication Troubleshooting

• Passphrase mismatch
• PMKs never properly created
• 4-Way Handshake fails
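Added example, not code from the deck or from Extreme: the authenticator-side check behind the three PSK failure causes above, and the PMK/PMKID values that the "show roam cache mac" output later in the deck prints in truncated form. PMK derivation, PTK derivation and the EAPOL-Key MIC follow IEEE 802.11-2007; the MAC addresses, nonces, SSID and RSN IE are constructed fixtures.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides: what the AP (authenticator) checks when a
# WPA2-Personal client sends message 2 of the 4-Way Handshake, and why a
# passphrase mismatch shows up there rather than at association time.


def derive_pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). The first bytes of PMK and
    PMKID are the two fields 'show roam cache mac' prints for a cached entry."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK (384 bits for CCMP) from PMK, both MACs and both nonces; the KCK is its first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# EAPOL-Key layout (RSN key descriptor): nonce and MIC sit at fixed offsets.
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8                   # = 17
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8        # = 81
KEY_INFO_MSG2 = 0x010A   # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC present


def build_eapol_key(key_info, replay_counter, nonce, key_data, mic=b"\x00" * 16):
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 16, replay_counter) + nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
            + struct.pack(">H", len(key_data)) + key_data)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body   # 802.1X v2, EAPOL-Key


def eapol_mic(kck, frame):
    """Key descriptor version 2: MIC = HMAC-SHA1 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_message2(passphrase, ssid, aa, spa, anonce, snonce, rsn_ie, replay=1):
    """Client side: derive the PMK from its configured passphrase and sign message 2."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    unsigned = build_eapol_key(KEY_INFO_MSG2, replay, snonce, rsn_ie)
    return build_eapol_key(KEY_INFO_MSG2, replay, snonce, rsn_ie, mic=eapol_mic(kck, unsigned))


def authenticator_verify_message2(pmk, aa, spa, anonce, message2):
    """AP side: take the SNonce from the frame, derive the PTK with the AP's own PMK and
    compare MICs. False is the 'passphrase mismatch / 4-Way Handshake fails' case: the
    client associated fine but is deauthenticated after message 2."""
    snonce = message2[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    received = message2[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, message2), received)


# Constructed fixture: lab-style addresses and fixed nonces (real radios draw random ones).
AA = bytes.fromhex("0019774567c0")        # AP MAC as seen in the AMRP output
SPA = bytes.fromhex("80e650234e78")       # station MAC from the roaming cache table
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK, CCMP


def handshake_outcome(ap_passphrase, client_passphrase, ssid="constructed-ssid"):
    """Run message 2 through the AP check for one passphrase pair."""
    msg2 = supplicant_message2(client_passphrase, ssid, AA, SPA, ANONCE, SNONCE, RSN_IE)
    ok = authenticator_verify_message2(derive_pmk(ap_passphrase, ssid), AA, SPA, ANONCE, msg2)
    return "4-way handshake continues" if ok else "MIC check failed: passphrase mismatch"
```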

Layer 2
802.1x/EAP

[Diagram: Client <--EAP--> RADIUS <--> LDAP; Root CA, server certificate and CA certificate]

• 802.1X: port-based access control
  • Authorization framework
  • Supplicant
  • Authenticator
  • Authentication Server
• Extensible Authentication Protocol (EAP)
  • Server certificate and Root CA certificate
  • Tunneled authentication using SSL/TLS
  • Integrates with LDAP
Layer 2
802.1X/EAP Troubleshooting

[Diagram: Client <--EAP--> RADIUS <--> LDAP; Root CA, server certificate and CA certificate]

Zone 1 – Backend Communications

Layer 2
802.1X/EAP Troubleshooting

Unable to reach RADIUS server

Layer 2
802.1X/EAP Troubleshooting

[Diagram: RADIUS 192.168.100.10, port 1812, and LDAP 10.5.1.10, port 1645, with the shared secret shown on both sides]

• Shared secret mismatch
• Incorrect IP settings on AP or RADIUS server
• Authentication port mismatch (default is 1812)
• LDAP communications error

Layer 2
802.1X/EAP Troubleshooting

• Unable to reach RADIUS server. Possible causes:
  • Shared secret mismatch
  • Incorrect IP settings on AP or RADIUS server
  • Authentication port mismatch
  • LDAP communications error
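Added example (not the RADIUS Test Tool or any Extreme code): a minimal RADIUS client/server exchange showing the two integrity checks that a shared-secret mismatch breaks, which is why the AP sees a timeout rather than an Access-Reject. Packet layout follows RFC 2865 and RFC 3579; the identifier, NAS IP address and EAP identity are constructed, and the shared secret is the lab one from the topology slide.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the slides' or XIQ's code: the authenticator checks a RADIUS
# client (the AP) and server perform, and what each failure looks like from the AP.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
DEFAULT_AUTH_PORT = 1812          # older servers listened on 1645, hence "port mismatch"
HEADER_LEN = 20                   # code, identifier, length, 16-byte authenticator


def attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(pkt):
    """Yield (type, offset, value) for each attribute; malformed lengths raise."""
    off = HEADER_LEN
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("bad attribute length")
        yield atype, off, pkt[off + 2:off + alen]
        off += alen


def build_access_request(identifier, secret, attrs, request_authenticator=None):
    """Access-Request with a trailing Message-Authenticator (RFC 3579 requires it for
    EAP): HMAC-MD5 keyed by the shared secret over the packet with that field zeroed."""
    request_authenticator = request_authenticator or os.urandom(16)
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = (bytes([ACCESS_REQUEST, identifier]) + struct.pack(">H", HEADER_LEN + len(body))
           + request_authenticator + body)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def server_verify_request(pkt, secret):
    """Server side. A mismatching shared secret makes this fail and RFC 3579 says the
    request is silently discarded, so the AP sees a timeout, not a reject."""
    for atype, off, value in parse_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # EAP requests without Message-Authenticator are discarded too


def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    body = b"".join(attrs)
    head = bytes([code, request[1]]) + struct.pack(">H", HEADER_LEN + len(body))
    response_authenticator = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + response_authenticator + body


def nas_verify_response(response, request, secret):
    """AP side: recompute the Response Authenticator with the AP's secret and check the
    identifier matches the outstanding request; otherwise the reply is dropped."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_exchange(ap_secret, server_secret, server_decision=ACCESS_ACCEPT):
    """One request/response with possibly different secrets on each side. The EAP-Message
    is a constructed EAP-Response/Identity for the lab user; the NAS IP is constructed."""
    eap_identity = b"\x02\x01\x00\x0a\x01userX"
    request = build_access_request(7, ap_secret, [
        attr(USER_NAME, b"userX"),
        attr(NAS_IP_ADDRESS, bytes([10, 5, 2, 50])),
        attr(EAP_MESSAGE, eap_identity),
    ])
    if not server_verify_request(request, server_secret):
        return "timeout: server discarded the request (shared secret mismatch)"
    response = build_response(server_decision, request, server_secret)
    if not nas_verify_response(response, request, ap_secret):
        return "dropped: Response Authenticator invalid"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[response[0]]
```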

Radius Test Tool
Manage > Tools > Utilities > Radius Test

802.1X
Troubleshooting – RADIUS Test Tool Messages

• Check the RADIUS configuration in the Network Policy
• Check the shared secret
• RADIUS working: you can also verify the RADIUS attributes

Layer 2
802.1X/EAP Troubleshooting

[Diagram: Client <--EAP--> RADIUS <--> LDAP; Root CA, server certificate and CA certificate]

Zone 2 – Supplicant

Layer 2
802.1X/EAP Troubleshooting

This shows what a successful connection should look like

Layer 2
802.1X/EAP Troubleshooting

[Diagram: Client <--EAP--> RADIUS <--> LDAP; Root CA, server certificate and CA certificate; clocks reading 22:05:62 and 22:44:02]

• SSL tunnel fails = certificate problem
• Expired server certificate
• Root certificate installed in wrong store
• Incorrect clock settings
• Mismatched EAP types

Layer 2
802.1X/EAP Troubleshooting

External RADIUS server could not accept the access request from the client.
Possible causes:
• Expired password or user account
• Wrong password
• User does not exist in LDAP
• User authentication or machine authentication

Layer 2
Roaming Problems

[Diagram: roaming client station moving from AP #1 (BSSID #1) to AP #2 (BSSID #2)]

• Drivers (client problem)
• Sticky problems (bad design)
• Layer 3 roaming

Layer 2
Fast Secure Roaming

[Diagram: client roams between APs that share a RADIUS server]

• Do clients support Opportunistic Key Caching (OKC)?
• Do clients support 802.11r and 802.11k mechanisms?
Layers 3-7

• Not a Wi-Fi problem
• Networking problem
• Firewall problem
• Application problem

Client cannot get an IP address
[Diagram: Client (169.255.255.202) - AP - 802.1Q trunk (VLANs 2, 8, 10) - Switch - Router (IP Helper 10.5.1.10) - DHCP Server 10.5.1.10]
SSID: Teacher – VLAN 5
SSID: Student – VLAN 8
DHCP scopes: VLAN 2 - 192.168.20.0/24; VLAN 5 - 192.168.30.0/24; VLAN 8 - 192.168.30.0/24

DHCP Probe

[Diagram: the AP sends a DHCP request on each SSID VLAN and receives a lease offer or a NAK; 802.1Q trunk (VLANs 2, 8, 10) - Switch - Router (IP Helper 10.5.1.10) - DHCP Server 10.5.1.10]
SSID: Teacher – VLAN 5
SSID: Student – VLAN 8
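Added example, not from the slides: the DHCP-path reasoning behind the two diagrams above as a small checker over the slide's own topology (trunk carrying VLANs 2, 8 and 10; Teacher on VLAN 5; Student on VLAN 8; the DHCP scopes as shown). The self-assigned address test uses the 169.254.0.0/16 APIPA range; the client addresses used when calling it are constructed.

```python
import ipaddress

# Added example (not from the slides): reproduce the "client cannot get an IP address"
# reasoning over the slide's topology. The trunk list, SSID-to-VLAN map and scopes
# are read off the diagram; nothing here talks to a real switch or DHCP server.
TRUNK_VLANS = {2, 8, 10}                 # 802.1Q trunk between AP and switch
SSID_VLAN = {"Teacher": 5, "Student": 8}
DHCP_SCOPES = {                          # VLAN -> scope on the DHCP server 10.5.1.10
    2: ipaddress.ip_network("192.168.20.0/24"),
    5: ipaddress.ip_network("192.168.30.0/24"),
    8: ipaddress.ip_network("192.168.30.0/24"),
}
IP_HELPER = ipaddress.ip_address("10.5.1.10")
DHCP_SERVER = ipaddress.ip_address("10.5.1.10")


def is_apipa(address):
    """A self-assigned 169.254.0.0/16 address means no DHCP offer ever arrived."""
    return ipaddress.ip_address(address) in ipaddress.ip_network("169.254.0.0/16")


def diagnose_ssid(ssid, trunk_vlans=TRUNK_VLANS, ssid_vlan=SSID_VLAN,
                  scopes=DHCP_SCOPES, helper=IP_HELPER, server=DHCP_SERVER):
    """Walk the DHCP path for one SSID and return the first break found, or 'ok'."""
    vlan = ssid_vlan.get(ssid)
    if vlan is None:
        return "SSID %s is not mapped to a VLAN" % ssid
    if vlan not in trunk_vlans:
        # The tagged DHCP Discover leaves the AP, but the switch port drops the tag.
        return ("VLAN %d is not allowed on the 802.1Q trunk: "
                "DHCP request never reaches the server" % vlan)
    if helper != server:
        return "IP helper %s does not point at the DHCP server %s" % (helper, server)
    scope = scopes.get(vlan)
    if scope is None:
        return "DHCP server has no scope for VLAN %d: expect a NAK or silence" % vlan
    overlapping = sorted(v for v, s in scopes.items() if v != vlan and s.overlaps(scope))
    if overlapping:
        # Two VLANs served from one range: leases collide and relayed requests get
        # answered from whichever scope the server matches first.
        return "scope %s for VLAN %d overlaps the scope of VLAN %s" % (
            scope, vlan, ", ".join(str(v) for v in overlapping))
    return "ok"


def diagnose_client(ssid, client_ip):
    """Combine the client symptom with the path check, as the DHCP probe slide does."""
    path = diagnose_ssid(ssid)
    if is_apipa(client_ip):
        return "client self-assigned %s; path check: %s" % (client_ip, path)
    return "client holds %s; path check: %s" % (client_ip, path)
```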

Opening a support case

Opening a Support Case

• Describe the problem
  • Provide a detailed description, including Extreme and client station hardware and software versions, problem locations, frequency
  • Details of troubleshooting or issue replication carried out
  • Depending on the problem a video can be useful, particularly for GUI issues
• Provide existing data
  • Attach tech data, client monitor logs, support logs, database backups, packet captures, network & topology diagrams
• Proactively grant remote access to Extreme Networks
  • Asking the customer before escalating the case can save time

Techdata file

Locating the Tech Data
Manage > Tools > Utilities > Get tech data

Reboot kernel reports

Reboot Reason
Crash time: 1970-01-05_07-32-26(UTC)
reboot reason: hardware watchdog (confirmed)
Image Version: IQEngine 6.4r1 release build2090
Image Build time: Mon Dec 29 09:02:44 UTC 2014
Image Build cookie: 20141228-4478

Watchdog Exception on CPU #0
Oops: Exception in kernel mode, sig: 4 [#1]
SMP NR_CPUS=2 P1020 RDB
Modules linked in: iptable_nat ipt_MASQUERADE ipt_REDIRECT ipt_NETMAP xt_conntrack xt_u32 ipt_ULOG xt_dscp xt_iprange
nf_conntrack_netlink nfnetlink nf_nat_tftp nf_conntrack_tftp nf_nat_ftp nf_nat nf_conntrack_ftp ipt_REJECT xt_TCPMSS xt_MARK
xt_CLASSIFY xt_mark xt_DSCP ipt_LOG iptable_raw iptable_mangle iptable_filter ip_tables rndis_host GobiNet GobiSerial cdc_ether
ptumlusbnet dgworks PTUMLDiag PTUMLCsp cdc_acm sierra option usbserial cdc_ncm sierra_net usbnet ah_fe_hook fe awe ath_pktlog umac
ath_dev ath_spectral ath_rate_atheros ath_dfs ath_hal asf adf eth_drv ah_sec ah_board0 kmpi ah_systop
====CPU #0 (myself)====begin====
NIP: d539f4c4 LR: d53a096c CTR: c030b98c
REGS: cfff7f10 TRAP: 3202 Not tainted (2.6.32)
MSR: 00021000 <ME,CE> CR: 24000028 XER: 00000000
TASK = ce44e550[7] 'events/0' THREAD: ce470000 CPU: 0
GPR00: 02000100 ce473f20 ce44e550 cbe78b20 ce473f68 cf9641e0 00000000 ffffffff
GPR08: d527c000 02000000 cbe78ce0 d527c010 0000003c 10028494 0ff87e00 00000000
GPR16: 00000000 000000da 00000030 00000004 00000024 0ff46f9c c03af6a8 c03af6e0
GPR24: c03e2dbc c06a4794 ce470000 00029000 cbe78800 cbe78d5c 00000008 cbe78b20
NIP [d539f4c4] gfar_halt+0xd4/0x10c [eth_drv]
LR [d53a096c] stop_gfar+0x88/0x1e4 [eth_drv]
Call Trace: . . . . .

Techdata text file

Show log buffer

Running config

Show Interfaces

Show L3 interfaces

Connected WIFI clients

Show Version

Find serial number and mac address

Find HiveManager details

Interference Alerts

Show ACSP neighbor

Show IP route

Rebooting APs

Rebooting the APs should always be the last resort. Prior to doing that, please do
the following to help us gather data:
• Check reboot frequency per day by sorting by uptime
• Enable KDDR (enabled by default in XIQ)
• Enable Netdumps (necessary for hardware watchdog issues)
• Collect techdata

Netdump XIQ

• Manage
• Select an AP
• Actions
• Change Management Status
• Update Netdump Settings

KDDR XIQ

Check the boot parameters

230P-2b66c0#show boot-param
boot parameters:
Device IP: 0.0.0.0
Netmask: 0.0.0.0
TFTP Server IP: 10.10.10.10
Gateway IP: 0.0.0.0
VLAN ID: 0
Native-VLAN ID: 0
Netboot: Disabled
Boot File:
Netdump: Enabled
Netdump File: 02301406190556.netdump
Region Code: World
Country Code: 826

Netdump output files

RAM Platforms
128 MB AP120, AP121, BR100
256 MB AP320, AP330, AP170, AP230, BR200
512 MB AP245X, AP250, AP370

Each Netdump produces a number of 32MB files. The number of files generated
varies by device platform and depends on the RAM.

Note
With Netdump enabled, an AP will take longer to reboot while it uploads the files to the TFTP
server
Co-operative Control Protocols

Cooperative Control
Auto Channel Selection Protocol (ACSP)

[Diagram: AP 1 on Ch 36, AP 2 on Ch 153, AP 3 on Ch 44 and a fourth AP on Ch 149 coordinating channels]

• APs coordinate with each other to determine the best channel and power levels for the environment using the Auto Channel Selection Protocol (ACSP)
• With ACSP, each AP reports its channel, power, client load, FCS errors, neighbor APs and more to its neighbors to help APs coordinate which channels and power levels to select

Cooperative Control
AMRP (Auto Mobility Routing Protocol)

[Diagram: AP1 to AP4 connected through access switches to the data center]

AMRP is the foundation of cooperative control, runs on all Extreme APs and is similar to OSPF on wired networks, except it operates at layer 2 and must:
• Self organize and locate neighbors
• Determine best path routes over wire, GRE, and IPsec VPN tunnels, and over wireless mesh
• Consolidate and distribute layer 2 routing information for clients within roaming range

Cooperative Control
AMRP (Auto Mobility Routing Protocol)

[Diagram: AP1 to AP4 on the LAN]

Each AP sends an encrypted broadcast discovery packet onto the LAN

The Aerohive Mobility Routing Protocol is the foundation of cooperative control. AMRP is similar to OSPF on wired networks except it operates at layer 2 and has to do much more than just pass routes. Each AP sends an encrypted AMRP (Aerohive Mobility Routing Protocol) broadcast discovery packet on to the LAN. APs respond with an encrypted broadcast of who they have heard. APs that see their info from other APs know they have a two-way neighbor relationship with each other.
Cooperative Control
AMRP (Auto Mobility Routing Protocol)

[Diagram: AP1 to AP4 on the LAN]

• APs respond with an encrypted broadcast of whom they have heard
• APs that see their info from other APs know they have a two-way neighbor relationship with each other
View AMRP Neighbors In ExtremeCloud IQ

You can view the AP neighbor information in XIQ from the Maps or Manage
Device lists in Configuration and Manage Views
Cooperative Control
AMRP (Auto Mobility Routing Protocol)

[Diagram: AP1 to AP4 as AMRP neighbors]

• APs learn about their neighbors
• APs communicate with each other using AES encrypted packets
• No tunnels are built or used for cooperative control communication!
AMRP Link State Database
Has Links, Allowed VLANs, and Stations

AP1# show amrp node all
=================================================================
eth0 -> 0019:7745:67c0 met 1 flag 0x0
Flag: E/W - Ethernet/Wifi, A/B - Access/Backhaul, * - Default
Interface Life LRT TTL Flag Allowed-vlan
-----------------------------------------------------------------
0019:7745:67c0 00:08:09 00:00:01 00:00:02 EB* 1 10
0019:7745:67e8 00:08:09 n/a 00:02:32 WA
Ethernet link:
0019:7745:67c0 -> DA 08ea:447d:0e80
Wifi backhaul link:
1 STA associated:
STA UPID VLAN Interface Life
-----------------------------------------------------------------
80e6:5023:4e78 10 10 n/a 00:01:59

Every AP has an AMRP link state database with a view of all links, allowed
VLANs, and attached stations

Every AP has a consistent view of the database similar to OSPF. The VLANs permitted
on an ethernet backhaul link also help determine if layer 3 roaming needs to be used
to preserve the IP address for a station as they roam.

AMRP Distributes Roaming Cache Information

[Diagram: AP1 to AP4 and the AAA/RADIUS server]

• A station connects to AP 1
• AP 1 authenticates the client with 802.1X/EAP to the RADIUS server


02-A-700a40#show roam cache mac 000e:3b33:1047
Cookie Size: 864
Supplicant Address(SPA): 000e:3b33:1047
User name: 14087721440
User Profile ID: 88
VLAN ID: 8
PMK(1st 2 bytes):4bdf
PMKID(1st 2 bytes):9c2c
Session time: 43200 seconds
PMK Time left in cache: 3585
PMK age: 5416
Roaming cache update interval: 60
last time logout: 5641 seconds ago
Authenticator Address: MAC=0019:7770:0a54, IP=10.5.1.116
Roaming entry is got from neighbor AP: 0019:7770:0a54
PMK is got(Flag): Locally
Station IP address: 10.5.8.101
Station hostname: LAB3-PC02
Station default gateway: 10.5.8.1
Station DNS server: 10.5.1.10
Station DHCP lease time: 8965 seconds
Hops: 0
SSID: Corp-Guest
Acct multi session id: 000e3b331047001977700a5454199a3268e3dc24
Additional auth flag: 0x0015
Auth flag: set
CWP flag: set
MAC based auth flag: not set
MDM flag: not set
Disconnected flag: not set
OS Name: Windows 7/Vista
Domain Name:
Mobile device policy original UPID: 88
WPA key mgmt: 2
R0KH: 0000:0000:0000
R0KH IP: 0.0.0.0
PMKR0 Name: 0000*
AUTH UPID: 88
New UPID: -1
VLAN from RADIUS or CWP pass-thru VLAN: -1
MDM enroll status: unknown
MDM compliance status: unknown
MDM client tag:
AirWatch:
Compliant status: Unknown
Original UPID: 0
Original VLAN: 0

AMRP Distributes Roaming Cache Information

[Diagram: AP1 to AP4 and the AAA/RADIUS server]

• The RADIUS server validates the user and responds with the secure key info needed for the client and AP
• The AP applies policy and builds a roaming cache entry


AP Roaming Cache Synchronization
Client Details

Pre-Roam Sync of Roaming Cache of Client

• User Profile – identifies access policy
• Operating System
• DNS address and DHCP lease info
• Hostname and domain name
• IP address and VLAN
• Authentication state for roaming
• PMK (Pairwise Master Key) from RADIUS
• Session time
• Captive Web Portal state
• Voice Enterprise state (802.11r/k/v)
• Mobile Device Management (MDM) state


01-AP330-PL-Office#show roam cache
Roaming Cache Table:
UID=User profile group ID; PMK=Pairwise Master Key;
TLC=PMK Time Left in Cache; Life=PMK Life;
A=authenticated; L=CWP Logged In; D=Disconnected;
M=managed by MDM

Roaming for this AP: enabled
Maximum Caching Time: 3600 seconds
Caching update interval: 60 seconds
Caching update times: 60
Roaming hops: 1
Broadcast way: access backhaul

No. Supplicant      Authenticator  Size UID PMK   PMKID Life Age TLC  Hop ALDM FT
--- -------------- -------------- ---- --- ----- ----- ---- --- ---- --- ---- -------
0   80e6:5023:4e78 08ea:447d:0ea8 864  10  c854* 6396* 1800 43  3558 1   YNNN N
1   e0f5:c64a:e025 0019:7745:67e8 864  10  n/a   ef0f* 1800 3   3598 0   YNNN FT8021X
2   502e:5c38:6f3a 0019:7745:67e9 864  10  f59b* 44fa* -1   155 3566 0   YNNN N

AP Roaming Cache Synchronization

Post Roam session sync for client

• Voice QoS and firewall session state
• Layer 2 firewall session state
• ALG and application state from DPI on AP
• Layer 3-7 firewall and QoS session state

Roaming Cache
AP# show roam cache
Roaming Cache Table:
UID=User profile group ID; PMK=Pairwise Master Key;
TLC=PMK Time Left in Cache; Life=PMK Life; A=authenticated; L=CWP Logged In; D=Disconnected;
M=managed by MDM

Roaming for this AP: enabled
Maximum Caching Time: 3600 seconds
Caching update interval: 60 seconds
Caching update times: 60
Roaming hops: 1
Broadcast way: access backhaul

No. Supplicant      Authenticator  Size UID PMK   PMKID Life Age TLC  Hop ALDM FT
--- -------------- -------------- ---- --- ----- ----- ---- --- ---- --- ---- -------
0   80e6:5023:4e78 08ea:447d:0ea8 864  10  c854* 6396* 1800 43  3558 1   YNNN N
1   e0f5:c64a:e025 0019:7745:67e8 864  10  n/a   ef0f* 1800 3   3598 0   YNNN FT8021X
2   502e:5c38:6f3a 0019:7745:67e9 864  10  f59b* 44fa* -1   155 3566 0   YNNN N
Roaming Cache Mac Entry
AP# show roam cache mac e0f5:c64a:e025
Cookie Size: 864
Supplicant Address(SPA): e0f5:c64a:e025
User name: user1
User Profile ID: 10
VLAN ID: 10
PMK(1st 2 bytes): n/a
PMKID(1st 2 bytes): n/a
Session time: 1800 seconds
PMK Time left in cache: 3582
PMK age: 139
Roaming cache update interval: 60
last time logout: 149 seconds ago
Authenticator Address: MAC=08ea:447d:0ea8, IP=10.1.1.30
Roaming entry is got from neighbor AP: 08ea:447d:0ea8
PMK is got(Flag): Locally
Station IP address: 10.10.1.27
Station hostname: iPad
Station default gateway: 10.10.1.1
Station DNS server: 10.10.1.1
Station DHCP lease time: 86257 seconds
Hops: 0
SSID: Extreme
Acct multi session id: e0f5c64ae02508ea447d0ea85458735c52a311c3
Additional auth flag: 0x0014
Auth flag: set
CWP flag: not set
MAC based auth flag: not set
MDM flag: not set
Disconnected flag: not set
OS Name: Apple iOS
Domain Name:
Mobile device policy original UPID: 10
WPA key mgmt: 32
R0KH: 0019:7745:67e8
R0KH IP: 10.1.1.28
PMKR0 Name: EF0F*
AUTH UPID: 10
New UPID: -1
VLAN from RADIUS or CWP pass-thru VLAN: -1
MDM enroll status: unknown
MDM compliance status: unknown
MDM client tag:
. . .

CAPWAP and Provisioning

XIQ Services & Ports

Typically an Extreme device may utilise TCP ports 80, 443 and 2083 and UDP port 12222 to communicate with XIQ. However, additional ports could be required for more services.

http://docs.aerohive.com/330000/docs/help/english/ng/Content/reference/services-source-and-destination-ports.htm

Some of the Basics

• Domain Name System (DNS)
  • Name to IP address resolution
  • Service to IP address resolution
• Network Time Protocol (NTP)
  • Internal time synchronization
  • External time synchronization
• Syslog
  • Track events
  • Track alarms
  • Track errors

Note
Should any of these be misconfigured, several other items will fail and there may be no accounting for the events or errors.
Device Redirection Services
ExtremeCloud IQ (XIQ)

[Diagram: (1) APs and routers contact redirector.aerohive.com; (2) the Redirector hands them to the ExtremeCloud IQ instance holding their serial numbers (10011122600001, 10011122600006, 10011122600011, 10011122600024, 10011122600042, 10011122600065)]

Serial numbers must be entered in your XIQ account

ExtremeCloud IQ
Default provisioning flow

1 Device connects to XIQ
2 XIQ upgrades the software
3 XIQ uploads the configuration

CAPWAP Call flow

CAPWAP client and server exchange:

Run State: The CAPWAP client sends the CAPWAP server (XIQ) a CAPWAP ping but receives no response within the neighbor-dead-interval.
Idle State: When the client determines its neighbor is dead it transitions from the Run state to the Idle state.
Discovery State: The client transitions to the Discovery state and begins sending Discovery Request messages (broadcast and unicast).
Sulking State: When the client determines its neighbor is dead it transitions from the Run state to the Idle state.

CAPWAP Call flow

CAPWAP client and server exchange:

Discovery State: The CAPWAP client returns to the Discovery state and sends Discovery Request messages. The CAPWAP server receives the Discovery Request message and responds with a Discovery Response. The CAPWAP client and server perform a DTLS (Datagram Transport Layer Security) handshake to establish a secure DTLS connection.
Join State: The client sends a Join Request. The server sends a Join Response.

Note
If the Join Response indicates “failure”, the CAPWAP server enters a Reset state and terminates the DTLS session.
What if the AP is not connecting to XIQ?
1/4
1 Make sure the AP has an IP address
AH-0168c0#show l3 interface
Name IP Address Mode VLAN MAC State
----------- --------------- -------- ------ -------------- -----
mgt0 172.16.1.36 - 1 9c5d:1201:68c0 U

2. Find the default gateway and make sure it is reachable

AH-0168c0#show ip route
Ref=references; Iface=interface;
U=route is up;H=target is a host; G=use gateway;
Destination Gateway Netmask Flags Metric Ref Use Iface
--------------- --------------- --------------- ----- ------ ------ --- -----
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 mgt0
127.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 lo
0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 mgt0
AH-0168c0#ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
64 bytes from 172.16.1.1: icmp_seq=1 ttl=64 time=0.618 ms

What if the AP is not connecting to XIQ? (2/4)

3. Make sure the AP has DNS server addresses
AH-0168c0#show dns
DNS server configuration:
Domain name suffix:
Primary : 208.67.222.222
Secondary : 208.67.220.220
Tertiary : 0.0.0.0

4. Make sure the Redirector can be resolved and is reachable

AH-0168c0#capwap ping redirector.aerohive.com
CAPWAP ping parameters:
Destination server: redirector.aerohive.com (54.172.0.252)
Destination port: 12222
Count: 5
Size: 56(82) bytes
Timeout: 5 seconds
--------------------------------------------------
CAPWAP ping result:
82 bytes from 54.172.0.252 udp port 12222: seq=1 time=274.493 ms
What if the AP is not connecting to XIQ? (3/4)

5. Show the CAPWAP client status
AH-0168c0#show capwap client
CAPWAP client: Enabled
CAPWAP transport mode: UDP
RUN state: Connected securely to the CAPWAP server
CAPWAP client IP: 172.16.1.36
CAPWAP server IP: 54.79.65.29
HiveManager Primary Name:retail-aus-01.aerohive.com
HiveManager Backup Name:
CAPWAP Default Server Name: redirector.aerohive.com
Virtual HiveManager Name: retail_test_2
Server destination Port: 12222

6. Make sure the primary CAPWAP server is reachable

AH-0168c0#capwap ping retail-aus-01.aerohive.com
CAPWAP ping parameters:
Destination server: retail-aus-01.aerohive.com (54.79.65.29)
Destination port: 12222
--------------------------------------------------
CAPWAP ping result:
82 bytes from 54.79.65.29 udp port 12222: seq=1 time=21.855 ms
What if the AP is not connecting to XIQ? (4/4)

7. Restart the CAPWAP process

AH-0168c0#no capwap client enable
AH-0168c0#
AH-0168c0#capwap client enable

8. Reboot the device

AH-0168c0#reboot
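Steps 1 to 8 above are run by hand on one AP. The Python script below, added here as an illustration and not part of the deck or of HiveOS, applies the static checks (steps 1, 2, 3 and 5) to saved copies of the four `show` outputs and reports which step fails, in the slide's order. The parser and `triage` names are my own; the healthy sample is built from the outputs shown on the slides, and the failing sample is constructed (its "Discovering CAPWAP server" RUN state text is a placeholder, not a known HiveOS string). Live reachability (the ping in step 2, the capwap pings in steps 4 and 6) stays on the CLI.

```python
"""Offline triage of HiveOS 'show' output along the slide's steps.
Added example: parser and check names are mine, not HiveOS or XIQ
functions; the sample outputs are built from the slide text."""
import re
from ipaddress import IPv4Address, IPv4Network

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_l3_interface(text):
    """'show l3 interface' -> {name: {"ip", "vlan", "state"}}; header rows skip."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+" + IPV4 + r"\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rows[m.group(1)] = {"ip": m.group(2), "vlan": int(m.group(4)), "state": m.group(6)}
    return rows


def parse_ip_route(text):
    """'show ip route' -> [(destination, gateway, netmask, flags, iface)]"""
    pat = r"^" + IPV4 + r"\s+" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\S+)\s*$"
    return [m.groups() for m in (re.match(pat, l) for l in text.splitlines()) if m]


def parse_dns(text):
    """'show dns' -> configured servers, ignoring the 0.0.0.0 placeholder."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"^(Primary|Secondary|Tertiary)\s*:\s*" + IPV4, line)
        if m and m.group(2) != "0.0.0.0":
            servers.append(m.group(2))
    return servers


def parse_capwap_client(text):
    """'show capwap client' -> {field: value}, split on the first colon."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage(l3, routes, dns, capwap):
    """Return the slide steps that fail, in slide order, for one AP's output."""
    findings = []
    mgt = parse_l3_interface(l3).get("mgt0")
    if not mgt or mgt["ip"] == "0.0.0.0":
        return ["step 1: mgt0 has no IP address (check DHCP and the management VLAN)"]
    table = parse_ip_route(routes)
    default = [r for r in table if r[0] == "0.0.0.0" and "G" in r[3]]
    if not default:
        findings.append("step 2: no default gateway in the routing table")
    else:
        gw = IPv4Address(default[0][1])
        connected = [IPv4Network(f"{r[0]}/{r[2]}", strict=False)
                     for r in table if "G" not in r[3] and r[4] == "mgt0"]
        if not any(gw in net for net in connected):
            findings.append(f"step 2: default gateway {gw} is not on a connected mgt0 network")
    if not parse_dns(dns):
        findings.append("step 3: no DNS server configured, so redirector.aerohive.com cannot be resolved")
    cw = parse_capwap_client(capwap)
    if cw.get("CAPWAP client") != "Enabled":
        findings.append("step 5: CAPWAP client disabled; re-enable it (step 7: capwap client enable)")
    elif not cw.get("RUN state", "").startswith("Connected"):
        findings.append(f"step 5: not in RUN state ({cw.get('RUN state', 'unknown')}); "
                        "capwap ping the redirector and the primary server (steps 4 and 6)")
    if not cw.get("HiveManager Primary Name"):
        findings.append("step 5: no primary HiveManager assigned; verify the serial number is in the XIQ account")
    return findings


# Healthy AP: outputs as shown on the slides.
GOOD_AP = {
    "l3": "Name IP Address Mode VLAN MAC State\n"
          "----------- --------------- -------- ------ -------------- -----\n"
          "mgt0 172.16.1.36 - 1 9c5d:1201:68c0 U\n",
    "routes": "Destination Gateway Netmask Flags Metric Ref Use Iface\n"
              "172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 mgt0\n"
              "127.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 lo\n"
              "0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 mgt0\n",
    "dns": "Primary : 208.67.222.222\nSecondary : 208.67.220.220\nTertiary : 0.0.0.0\n",
    "capwap": "CAPWAP client: Enabled\n"
              "RUN state: Connected securely to the CAPWAP server\n"
              "CAPWAP server IP: 54.79.65.29\n"
              "HiveManager Primary Name:retail-aus-01.aerohive.com\n"
              "CAPWAP Default Server Name: redirector.aerohive.com\n",
}
# Failing AP (constructed): no default route, no DNS, stuck in discovery.
BAD_AP = {
    "l3": GOOD_AP["l3"],
    "routes": "172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 mgt0\n",
    "dns": "Primary : 0.0.0.0\nSecondary : 0.0.0.0\n",
    "capwap": "CAPWAP client: Enabled\nRUN state: Discovering CAPWAP server\n"
              "HiveManager Primary Name:\nCAPWAP Default Server Name: redirector.aerohive.com\n",
}

if __name__ == "__main__":
    for name, ap in (("good", GOOD_AP), ("bad", BAD_AP)):
        print(name, triage(**ap) or ["all static checks passed"])
```

Run the file as-is to see both samples; to use it on a real AP, paste the four outputs into the dictionary in place of the samples.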

What if the AP is not connecting to XIQ?
Information to send to Extreme Support
AH-0168c0#show log buffered
2016-06-11 12:42:44 info ah_cli: admin:<show log buffered >
2016-06-11 12:42:40 debug capwap: [capwap_info]: Leave the wait send phase state
2016-06-11 12:42:40 debug capwap: [capwap_info]: set timer type is maxdis_timer interval is 10
2016-06-11 12:42:40 debug capwap: [capwap_info]: Enter the wait send phase state: Discovery
event: waitting sndpkt timer: maxdis_timer
2016-06-11 12:42:40 debug capwap: [capwap_info]: ah_capwap_idle_timer timed out
2016-06-11 12:42:39 debug capwap: [capwap_info]: IDLE->Leave the Idle State.
2016-06-11 12:42:39 debug capwap: [capwap_info]: set timer type is idle_timerinterval is 1
2016-06-11 12:42:39 debug capwap: [capwap_info]: Clean frag buffer..
2016-06-11 12:42:39 debug capwap: [capwap_info]: IDLE->Enter the Idle State.
2016-06-11 12:42:39 debug capwap: [capwap_info]: START->Leave the Get HM IP State.

Run the following commands in sequence to obtain information to send to Extreme Support:

1. no capwap client enable
2. _debug capwap info
3. logging server 172.16.1.28
4. clear log all
5. capwap client enable
6. show log buffer / collect logs from the server after waiting a few minutes
7. capwap ping <redirector> and <primary and secondary capwap servers>
8. Check serial numbers
What if the AP is not connecting to XIQ?
Before escalating to Extreme Support

 Verify it is not a network or firewall issue by adding an AP to the XIQ VHM from a network that has no firewall or other restrictions.
 You can do this remotely by simply removing one of the APs in your office from your VHM and adding it to the customer's VHM.
 If the server is experiencing a technical issue, the AP you add from another network will have the same issue. If not, it is a customer site network issue.

CAPWAP - UDP 12222

 XIQ will allow Extreme devices to connect on UDP port 12222 for CAPWAP communication.
 CAPWAP on UDP port 12222 is the default behavior for most devices.

CAPWAP - UDP 12222

For Layer 2 and Layer 3 firewalls, Aerohive devices need to be able to reach the following CAPWAP server host names on UDP port 12222:

CAPWAP server host names in NAM:
 Global Redirector: redirector.aerohive.com
 CAPWAP Master: hmng-prd-va-cwpm-01.aerohive.com
 CAPWAP Servers: hmng-prd-va-cwps-xx.aerohive.com

CAPWAP server host names in EMEA, APAC and ANZ:
 Global Redirector: redirector.aerohive.com
 CAPWAP Master: hmng-prd-ie-cwpm-01.aerohive.com
 CAPWAP Servers: hmng-prd-ie-cwps-xx.aerohive.com

CAPWAP process for XIQ

(Diagram: Redirector, CW Master and CW Servers inside the Datacenter Cloud.)

 Device connects to the redirector
 Redirector redirects the device to the CW Master of the Datacenter Cloud
 Device connects to the CW Master
 CW Master redirects the device to the designated CW Server
 Device connects to the CW Server

ExtremeCloud IQ in NAM

Check tech data

3) 2016-05-17 09:59:23 info ah_cli: admin:<save users https://cloud-va.aerohive.com:443/afs-webapp/configuration/2379/885BDD00D400-userFull.config admin VHM-FCZGBGVJ password *** basic>

2) 2016-05-17 09:59:19 info ah_cli: admin:<save config https://cloud-va.aerohive.com:443/afs-webapp/configuration/2379/885BDD00D400-deviceFull.config current admin VHM-FCZGBGVJ password *** basic no-prompt>

1) 2016-05-17 09:57:20 info ah_cli: admin:<save image https://cloud-va.aerohive.com:443/afs-webapp/IQEngine/images/AP130-6.5r3a.img.S admin VHM-FCZGBGVJ password *** basic no-prompt>

Show capwap client

show capwap client

Check XIQ Update Errors

Device States

The Management Status of an Extreme XIQ Device has 4 possible states:

 New
 Setting Up
 Managed
 Unmanaged
Device State
New

 The serial number of the device has been entered into XIQ and the redirector
 The device has not yet established a CAPWAP connection to XIQ

Device State
Setting Up

Initial CAPWAP discovery and synchronization process

Device State
Managed

 Full interaction between the device and XIQ
 XIQ can push updates or firmware to managed devices
 Monitoring information from the devices is available to XIQ
 Managed devices count against licensing enforcement
Device State
Unmanaged

 To change managed devices to unmanaged:
  ☑ Select the devices
  Action > Change Management Status > Unmanage Devices
  Click Yes when the warning pop-up message appears
  The devices will be in an unmanaged state
Make sure the DNS resolution is working

redirector.aerohive.com

hmng-prd-va-cwpm-01.aerohive.com

hmng-prd-va-cwps-01.aerohive.com

cloud-va.aerohive.com

Capture at the AP will indicate what the failure is

DHCP option 43

IQEngine 6.5r3 and above support DHCP option 43 with sub-options 225 and 226, which can be utilized to direct an AP to a local XIQ.

 DHCP discover: option 60 : aerohive
 DHCP offer: option 43
  Sub option 225 : XIQ hostname
  Sub option 226 : XIQ IP Address

Configuration required:
 DHCP option 60
 DHCP option 43
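How the option 43 payload from the slide looks on the wire, as an added example that is not the deck's or Extreme's code: sub-options 225 and 226 are encoded as code/length/value triples, emitted only for a Discover carrying vendor class AEROHIVE in option 60 (which is what the Windows vendor-class setup on the following slides achieves), decoded on the AP side, and checked against the list of XIQ instances you actually operate, because a DHCP server that hands out a different 225/226 value silently re-points your APs. The function names are mine; hivemanager.ah-lab.local and 10.5.1.20 are the lab values from the topology slide; 192.0.2.9 is a constructed address and "MSFT 5.0" is the vendor class Windows DHCP clients send.

```python
"""Encode, decode and sanity-check the DHCP option 43 payload the slide
describes (sub-option 225 = XIQ FQDN, 226 = XIQ IPv4, only for clients
presenting vendor class AEROHIVE in option 60). Added example; the
sub-option codes come from the slide, the helper names are mine."""
import socket
import struct

VENDOR_CLASS = b"AEROHIVE"  # option 60 value seen in the DHCP Discover capture
SUB_XIQ_FQDN = 225          # string: XIQ hostname
SUB_XIQ_IP = 226            # 4 bytes: XIQ IPv4 address


def build_option43(fqdn=None, ip=None):
    """Option 43 body as a sequence of code(1) length(1) value TLVs."""
    body = b""
    if fqdn:
        value = fqdn.encode("ascii")
        body += struct.pack("BB", SUB_XIQ_FQDN, len(value)) + value
    if ip:
        value = socket.inet_aton(ip)            # 4-byte network-order address
        body += struct.pack("BB", SUB_XIQ_IP, len(value)) + value
    return body


def option43_for_client(client_vendor_class, fqdn=None, ip=None):
    """Server side, as the Windows vendor-class configuration behaves:
    option 43 is returned only when the Discover's option 60 matches."""
    if client_vendor_class != VENDOR_CLASS:
        return None
    return build_option43(fqdn, ip)


def parse_option43(body):
    """AP side: decode TLVs into {code: value}; malformed data raises."""
    out, i = {}, 0
    while i < len(body):
        if body[i] == 0xFF:                     # end marker, if a server appends one
            break
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        if code == SUB_XIQ_FQDN:
            out[code] = value.decode("ascii")
        elif code == SUB_XIQ_IP:
            if length != 4:
                raise ValueError("sub-option 226 must be 4 bytes")
            out[code] = socket.inet_ntoa(value)
        else:
            out[code] = value                   # unknown code: keep raw bytes
        i += 2 + length
    return out


def is_malformed(body):
    """True when the payload would not decode cleanly."""
    try:
        parse_option43(body)
        return False
    except ValueError:
        return True


def unexpected_targets(parsed, allowed):
    """Operator check on captured Offers: 225/226 values that point an AP
    at something other than the XIQ instances in the allow-list."""
    return [v for v in parsed.values() if isinstance(v, str) and v not in allowed]


if __name__ == "__main__":
    body = option43_for_client(b"AEROHIVE", "hivemanager.ah-lab.local", "10.5.1.20")
    print(body.hex())
    print(parse_option43(body))
    print(unexpected_targets(parse_option43(build_option43(ip="192.0.2.9")), {"10.5.1.20"}))
```

The decoded dictionary is keyed by sub-option code, so a capture tool can feed the raw option 43 bytes straight into `parse_option43` and compare the result with the XIQ FQDN and address configured on the DHCP server.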

DHCP discover

Boot file name not given


Magic cookie: DHCP
 Option: (53) DHCP Message Type (Discover)
 Option: (61) Client Identifier
 Option: (12) Host Name
 Option: (81) Client Fully Qualified Domain Name
 Option: (60) Vendor class identifier
Length: 8
Vendor class identifier: AEROHIVE
 Option: (50) Requested IP Address
 Option: (55) Parameter Request List
Length: 11
Parameter Request List Item: (1) Subnet Mask

DHCP offer – sub option 225

DHCP offer – sub option 226

Configuring Windows Server based DHCP server

In the DHCP Server, right click IPv4 and click 'Define Vendor Classes'.

Configuring Windows Server based DHCP server

Configuring Windows Server based DHCP server

 Add a Display Name
 Optionally add a description
 Define the vendor class identifier; the ASCII field should be AEROHIVE

Configuring Windows Server based DHCP server

Right click IPv4 and click 'Set Predefined Options'. Select the option class configured for the vendor class, "Aerohive Device". Click Add to define a sub-option, which can be either a FQDN (225) or an IP address (226).
Configuring Windows Server based DHCP server

 Enter a meaningful Name
 Data type: String for option 225 or IP address for option 226
 The applicable code
 Description

Configuring Windows Server based DHCP server

Once completed enter a value, either the XIQ FQDN or IP address

IQEngine upgrade using device GUI

AH-0168c0#show l3 interface
Name IP Address Mode VLAN MAC State
----------- --------------- -------- ------ -------------- -----
mgt0 172.16.1.36 - 1 9c5d:1201:68c0 U
ExtremeCloud IQ software upgrade

1. XIQ uses HTTPS for software downloads. Look in techdata or the log buffer for the log below:
2016-05-17 09:57:20 info ah_cli: admin:<save image https://cloud-va.aerohive.com:443/afs-webapp/IQEngine/images/AP130-6.5r3a.img.S admin VHM-FCZGBGVJ password *** basic no-prompt>

2. Use the _test tcp-service command:
AH-0168c0#exec _test tcp-service host 52.200.53.254 port 443
Testing TCP connection for host=52.200.53.254, port=443, timeout=10 seconds
Test successfully.

3. cloud-va.aerohive.com resolves to several IP addresses; check connectivity for all IP addresses. Use nslookup to verify which IP addresses are in use.

XIQ Software Upgrade

 If the AP is stuck at the setting up stage:
  remove the AP from XIQ
  factory reset
  upgrade to the latest software version locally
  add the serial number to XIQ
  connect the AP to the network
Configuration Rollback

 Configuration rollback is enabled by default.
 It occurs after updates when the Hive Device cannot establish CAPWAP connectivity with HiveManager.
 Wait time is 10 minutes.
 You can view the countdown via the CLI with this command: show config rollback {_detail}

New Configuration Updates

(Diagram: New, Current and Rollback configurations on the AP; a complete configuration is uploaded via SCP, a delta configuration via CAPWAP.)

 The administrator updates the complete or delta configuration of XIQ APs
 XIQ sends the New Configuration (NC) update and adds configuration rollback settings to the configuration for the AP
 The current config (CC) becomes the rollback config (RB) and the new config (NC) is then loaded
 If the XIQ AP cannot contact XIQ with CAPWAP after the config update, the XIQ AP will start a 10-minute configuration rollback timer
 After the timer expires, the XIQ AP will reboot and use the rollback configuration to regain connectivity back to XIQ
AP Port Types
Configured under ‘Device Templates’

 Uplink Port
 Use this option when connecting the
AP to the WAN.
 Access Port
 Use this option when the AP is
working in client access mode and is
connected to a forwarding device
like a switch that supports multiple
VLANs.
 Trunk Port
 Use this option when connecting the
AP in bridge mode to a forwarding
device such as a switch that supports
multiple VLANs

Sh Int MGT0

Check IP Addressing is correct

Check VLAN assignment

Configuration Push successful?

Successful Config Push

Syslog server

 Having a Syslog server enabled is always a best practice
 The Syslog server will be the central point for numerous logs from your network
 Make sure NTP is configured as well

Make sure Syslog, NTP and DNS are all configured and functional.
IQAgent Architecture

(Diagram: HiveAgent Process Manager, HiveAgent process and its config file.)

HiveAgent Process Manager ("iqagent"):
 A small process that is used to start the main iqagent process.
 Monitors the iqagent process, restarting it if it is hung or has crashed.
 Facilitates upgrade of the iqagent.

Switches Automatically Contact XIQ

(Diagram: AP1 to AP4 and access switches sending an HTTPS request to the Data Center.)

 Switches obtain their IP address from DHCP by default
 Switches locate XIQ from information provided by DHCP, DNS, a cloud redirector, or HTTPS broadcast

Switch Management

 HTTPS / NTP / DNS: open through the firewall
 Management Interface
 Time: uses HTTPS, not CAPWAP, so the time must be valid
 Reset Config
 XIQ: DHCP/DNS

IQAgent Upgrade
Happens when switch connects to redirector

Show XIQ Status
(AH-22081604150072) #show hivemanager status

IQAgent Version.............................. 0.2.78
IQAgent Status............................... CONNECTED TO HIVEMANAGER
IQAgent AssociationUrl....................... https://cloud-va.aerohive.com/hac-webapp/rest/v1/association
IQAgent AssociationMethod.................... REDIRECTOR
IQAgent PollUrl.............................. https://cloud-va.aerohive.com/hac-webapp/rest/v1/poll/22081604150072
IQAgent RedirectorFQDN....................... cloud-rd.aerohive.com

(AH-Switch) #hivemanager address hmng1114.testneta.local

(AH-Switch) #show hivemanager status

IQAgent Version.............................. 0.2.82
IQAgent Status............................... UPGRADE IN PROGRESS
IQAgent AssociationUrl....................... https://hmng1114.testneta.local/hac-webapp/rest/v1/association
IQAgent AssociationMethod.................... CLI
IQAgent PollUrl.............................. https://hmng1114.testneta.local/hac-webapp/rest/v1/poll/23481606180315
Show Network

(AH-Switch) #show network

Interface Status............................... Up
IP Address..................................... 172.16.1.53
Subnet Mask.................................... 255.255.255.0
Default Gateway................................ 172.16.1.1
IPv6 Administrative Mode....................... Enabled
IPv6 Prefix is ................................ fe80::ba7c:f2ff:fe01:6970/64
Burned In MAC Address.......................... B8:7C:F2:01:69:70
Locally Administered MAC address............... 00:00:00:00:00:00
MAC Address Type............................... Burned In
Configured IPv4 Protocol....................... DHCP
Configured IPv6 Protocol....................... None
IPv6 AutoConfig Mode........................... Disabled
Management VLAN ID............................. 1

Restarting IQAgent

(AH-Switch) # application stop iqagent
(AH-Switch) # application start iqagent
(AH-Switch) # show hivemanager status
iqagent Version.............................. 0.2.82
iqagent Status............................... CONNECTING TO HIVEMAMAGER
iqagent AssociationUrl....................... https://10.100.1.20/hacwebapp/rest/v1/association
iqagent AssociationMethod.................... IP_DHCP

Lab #1:
CAPWAP and Discovery

You are deploying new APs & need to push your StudentX policy to them
for the first time. The policy push is failing, & the APs keep going offline.

Your Task: Fix your configuration so that you can successfully push the
StudentX policy to your device.

All issues should be fixed from within the StudentX policy for proper evaluation!

RF Troubleshooting

General Information

 Tx Channel % : transmit utilisation
 Rx Channel % : receive utilisation
 Interference % : interference from both 802.11 and non-802.11 sources
 Total Utilisation % : Tx channel % + Rx channel % + interference %

Interference % increases when the utilisation (Tx and Rx) of the neighbour on the same channel increases.

General Information

 RSSI = signal strength heard by a device
 Noise = noise floor
 SNR = Signal to Noise Ratio (RSSI - Noise)
 Retries % = the percentage of retransmissions (both Rx and Tx)

In order to achieve decent performance you will need low channel utilisation, low retries and high SNR.

Common RF Issues

 Interference
 Mismatch Transmit Power
 Near-Far or Hidden Node

Layer 2 Retransmissions

CRC passes
Transmitting radio sends a unicast frame
Receiver radio sends L2 ACK frame


The mortal enemy of WLAN performance is layer 2 retransmissions that occur at the MAC sublayer. As you have learned, all unicast 802.11 frames must be acknowledged. If a collision occurs or any portion of a unicast frame is corrupted, the cyclic redundancy check (CRC) will fail and the receiving 802.11 radio will not return an ACK frame to the transmitting 802.11 radio. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted.

Excessive layer 2 retransmissions adversely affect the WLAN in two ways. First, layer 2 retransmissions increase overhead and therefore decrease throughput. Many different factors can affect throughput, including a WLAN environment with abundant layer 2 retransmissions. Second, if application data has to be retransmitted at layer 2, the timely delivery of application traffic becomes delayed or inconsistent. Applications such as VoIP depend on the timely and consistent delivery of the IP packet. Excessive layer 2 retransmissions usually result in latency and jitter problems for time-sensitive applications such as voice and video. When discussing VoIP, latency and jitter often get confused. Latency is the time it takes to deliver a VoIP packet from the source device to the destination device. A delay in the delivery (increased latency) of a VoIP packet due to layer 2 retransmissions can result in echo problems. Jitter is a variation of latency. Jitter measures how much the latency of each packet varies from the average. If all packets travel at exactly the same speed through the network, jitter will be zero. A high variance in the latency (jitter) is the more common result of 802.11 layer 2 retransmissions. Jitter will result in choppy audio communications and reduced battery life for VoWiFi phones.

Layer 2 Retransmissions

CRC fails
Transmitting radio sends a unicast frame
No ACK frame is sent by the receiver
Transmitting radio sends an L2 retransmission

Layer 2 Retransmissions
Cause

CRC fails
 RF interference (Layer 1)
 Low SNR (Layer 1) (bad design)

Layer 2 Retransmissions
Effect

 Throughput goes down

 Latency goes up

Adjacent Channel Interference

(Diagram: bad design with neighbouring cells on channels 1, 2, 3 and 4; good design with cells on channels 1, 6 and 11.)

Symptoms:
 "Why is my connection dropping?"
 "Why can't I connect?"
 Adjacent channel use
  Your APs
  Neighbor APs

Cooperative Control will try to cope:
 ACSP chooses the optimal channel pattern
 ACSP cannot cope with bad design!
 ACI is considered destructive
Why does ACI Occur?

 Improper channel configuration
 Auto-configured COTS devices
 Lack of knowledge
 Typically on 2.4GHz

Ideally, we wouldn't even be talking about 2.4GHz; it is still in use due to backward compatibility.

Co-Channel Interference

(Diagram: bad design with several neighbouring cells all on channel 1; good design with cells on channels 1, 6 and 11.)

Symptoms:
 "Why is my WiFi so slow?"
 "Several APs on the same channel"
  Your APs
  Neighbor APs

Cooperative Control will try to cope:
 ACSP chooses the optimal channel pattern

Note: ACSP cannot cope with bad design
Why does CCI Occur?

(Diagram: cells on channels 6 and 11 with four neighbouring cells all reusing channel 1.)

 No more channels to reuse
 Too many Access Points
 Crowded RF spectrum
 Radio power too high

Clients carrying power between cells:
 Today, these are often worse than the APs!
 Client population tends to be large!

Note: While CCI is not as destructive as ACI, it can still bring the network to its knees!
Other sources of Interference

(Diagram: 802.11 on 2.4GHz/5GHz, non-802.11 on 2.4GHz, non-802.11 on 5GHz, a 2.4GHz client and a 5GHz client.)

 Non-WiFi devices are sources of interference too
 The WiFi spectrum is shared with different devices which are not designed to work with each other
 This holds true for both 5GHz and 2.4GHz!
Interference
Common Issues

 Slow performance
 Packet loss
 Clients unable to obtain an IP address
 Clients unable to connect
 Loss of connectivity
 Roaming issues
 Bad voice quality

Interference
Troubleshooting

There are 5 things that need to be checked in order to identify and address this issue:

 Interference alarm messages
 Total Channel Utilisation (CU)
 Retransmissions
 ACSP neighbours
 RF spectrum

Interference
Troubleshooting Alarms

Manage > Alarms

When an issue is reported you may need to check if there are alarms related to interference. You can check this in XIQ or via the CLI / Tech Data.
Interference
Troubleshooting Alarms
“show log buffer” or “show interface wifiX counter” on the CLI window or AP tech-
data give you the information in AP logs.

show log buff | include interference -> to filter logs related to interference
2016-06-23 17:33:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:22:32 notice ah_dcd: wifi0: Interference alert raised
2016-06-23 17:21:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:14:32 notice ah_dcd: wifi0: Interference alert raised
2016-06-23 17:11:32 info ah_dcd: wifi0: Interference alert cleared
2016-06-23 17:06:32 notice ah_dcd: wifi0: Interference alert raised

show interface wifi1 counter | in interference


278 interference raise alert
277 interference clear alert

If you notice there are many of them, you may need to investigate the RF
environment. You may have co-channel interference or external interference
issues.
The next step is to check the Channel Utilisation (CU).
Interference
Troubleshooting Channel Utilisation

Dashboard > Diagnostics

The Diagnostics tab on the Dashboard can provide general information such as channel utilisation and retries that can help identify if there is an issue related to interference.

Interference
Troubleshooting Channel Utilisation

Dashboard > Diagnostics > Channel Utilisation

In this example you can see that the total channel utilisation in the last hour is quite high on the 2.4 GHz radio. Ideally, total channel utilisation should not be greater than 40%.
Interference
Troubleshooting Channel Utilisation

"show interface wifi0" on the CLI window or AP tech-data gives you channel utilisation information for this particular interface. Check both wifi0 and wifi1 for high total utilisation.

AP-330-1#show interface wifi0 | in total (filter the output to show total utilisation)
Tx utilization=2%; Rx utilization=46%; Interference utilization=4%; Total utilization=52%;

 High Rx utilisation = high traffic from clients.
 High Tx utilisation = high traffic to clients.
 High interference = nearby APs are using the same channel, or other sources of interference are present.
 Check for retransmissions.

Interference
Troubleshooting Retransmission

Dashboard > Diagnostics > Retries

 High Tx-Retries = the AP does not hear the ACK from the clients. As a result, it re-transmits the packet back to the clients.
 High Rx-Retries = the client does not hear the ACK from the AP; as a result the client will perform the re-transmission.
 When the CU is high and retransmission is high, the retransmission is most likely caused by interference.

Interference
Troubleshooting XIQ Retransmission

Manage > Device Name > Monitoring > Wireless Interfaces; the same data can also be obtained in several other ways, such as from Network 360 by selecting the device itself.

 High Tx-Retries -> the AP does not hear the ACK from the clients; as a result it re-transmits the packet back to the clients.
 High Rx-Retries -> the client does not hear the ACK from the AP; as a result the client will perform the re-transmission.
 When the CU is high and retransmission is high, the retransmission is most likely caused by interference.

Interference
Troubleshooting Retransmissions

 You can also check the retransmission statistics in the tech data or on the CLI.
 If you have access to the CLI, clear the statistics first and then check them again.
 Type clear interface wifi0 counter, wait for 1 minute, then issue the following command: show interface wifi0 counter | include retr
 If the number of retries increases significantly (Tx, Rx or both), there is a strong indication of interference.

AP-330-1#clear interface wifi0 counter
AP-330-1#sh int wi0 count | in retr
6 rx Retries
11% rx retry rate
71 tx retries
57 tx retries
17 unicast data tx retries
3 unicast tx retries
37% tx retry rate
36% unicast data tx retry rate
7 too many hw retries

 The next step is to check the AP’s neighbours.
Interference
Troubleshooting ACSP Neighbour

“show acsp neighbour” on the CLI or in the AP tech data displays the AP’s neighbour information, including the CU of each neighbour.

#show acsp neighbour
wifi0(5) ACSP neighbor list:
Bssid Mode Ssid/Hive Chan Rssi(dBm) Aerohive AP CU CRC STA Channel-width
885b:dd28:5414 Access idm 1 -43 yes 34 0 0 20
885b:dd28:5415 Access sniff 1 -47 yes 34 0 0 20
c413:e200:3254 Access testdotx 1 -52 yes 12 0 3 20
c413:e200:3255 Access 1111ppsk 1 -51 yes 12 0 3 20
c413:e200:3256 Access chromecast 1 -50 yes 10 0 3 20
c413:e200:3257 Access 2.4GHz 1 -51 yes 12 0 3 20
08ea:4495:dd94 Access idm 1 -42 yes 0 0 1 20
08ea:4495:dd95 Access sniff 1 -43 yes 0 0 1 20

 Based on the XIQ and CLI information, there are 2 other APs using the same channel with a very strong signal within the area. This introduces CCI. When users start using the wireless network, the Rx and Tx utilisation will increase and the total CU will also be high. This can result in performance issues.
 The next step is to check the Spectrum Analysis.
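One way to turn the neighbour table into the co-channel picture the slide describes, as an added example that is not part of the original deck: it parses the "show acsp neighbour" output above, groups BSSIDs into radios and lists the strong co-channel radios with their CU. The grouping rule (BSSIDs of one radio differ only in the last hex digit) and the -70 dBm "strong" threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the 'show acsp neighbour' table shown on the slide.
NEIGHBOUR_OUTPUT = """\
wifi0(5) ACSP neighbor list:
Bssid Mode Ssid/Hive Chan Rssi(dBm) Aerohive AP CU CRC STA Channel-width
885b:dd28:5414 Access idm 1 -43 yes 34 0 0 20
885b:dd28:5415 Access sniff 1 -47 yes 34 0 0 20
c413:e200:3254 Access testdotx 1 -52 yes 12 0 3 20
c413:e200:3255 Access 1111ppsk 1 -51 yes 12 0 3 20
c413:e200:3256 Access chromecast 1 -50 yes 10 0 3 20
c413:e200:3257 Access 2.4GHz 1 -51 yes 12 0 3 20
08ea:4495:dd94 Access idm 1 -42 yes 0 0 1 20
08ea:4495:dd95 Access sniff 1 -43 yes 0 0 1 20
"""

# One neighbour row: bssid mode ssid chan rssi aerohive cu crc sta width
ROW = re.compile(
    r"^([0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\d+)\s+(-?\d+)"
    r"\s+(yes|no)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_neighbours(text):
    """Parse the neighbour table into a list of dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "bssid": m.group(1),
                "ssid": m.group(3),
                "chan": int(m.group(4)),
                "rssi": int(m.group(5)),
                "aerohive": m.group(6) == "yes",
                "cu": int(m.group(7)),
                "sta": int(m.group(9)),
                "width": int(m.group(10)),
            })
    return rows


def radio_key(bssid):
    # Assumption: BSSIDs of the same radio share all but the last hex digit
    # (e.g. 885b:dd28:5414 and 885b:dd28:5415), one BSSID per SSID.
    return bssid[:-1] + "x"


def cochannel_radios(text, my_channel, strong_dbm=-70):
    """Group co-channel BSSIDs heard at or above strong_dbm into radios.

    Returns a list (strongest first) of radios sharing my_channel, each with
    its BSSID count, strongest RSSI, reported CU and SSIDs. Several strong
    co-channel radios is the CCI situation the slide describes.
    """
    grouped = defaultdict(list)
    for row in parse_neighbours(text):
        if row["chan"] == my_channel and row["rssi"] >= strong_dbm:
            grouped[radio_key(row["bssid"])].append(row)
    report = []
    for key, rows in grouped.items():
        report.append({
            "radio": key,
            "bssids": len(rows),
            "strongest_rssi": max(r["rssi"] for r in rows),
            "cu": max(r["cu"] for r in rows),
            "rogue": not all(r["aerohive"] for r in rows),
            "ssids": sorted(r["ssid"] for r in rows),
        })
    report.sort(key=lambda r: r["strongest_rssi"], reverse=True)
    return report


if __name__ == "__main__":
    for radio in cochannel_radios(NEIGHBOUR_OUTPUT, my_channel=1):
        print(f"{radio['radio']}: {radio['bssids']} BSSIDs, strongest "
              f"{radio['strongest_rssi']} dBm, CU {radio['cu']}%, SSIDs {radio['ssids']}")
```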
Interference
Troubleshooting Spectrum Analysis

 Check the environment for duty cycle, channel utilisation and non-802.11 interference in more detail using spectrum analysis.
 In the referenced analysis, you can see that the duty cycle on channel 1 is very high compared to channels 6 and 11. This indicates there are many nearby APs on channel 1.
 You also notice that a non-802.11 signal is detected on channel 9, which can impact channels 6 and 11.

Manage > Select Device > Utilities > Spectrum Intelligence
Interference
Solution for Co-Channel Interference

 Address the AP placement. Tweaking the configuration will not help if the APs are not placed properly.
 Perform a survey and adjust the coverage:
   Reduce the ACSP Max Tx power.
   Increase the basic data rate. Beacons are sent at the lowest configured basic data rate, and an AP transmitting at a low data rate has to “shout”, which creates a big cell. (6, 9, 12-Basic, 18, 24, 36, 48, 54) – these rates work for most standard deployments.
 Eliminate non-802.11 interference sources where possible. This provides a cleaner RF environment for the APs to operate in.
 Shutting down some 2.4GHz radios may help as well, especially in high-density environments.
 Enable DFS to provide more channels in the 5GHz band.
 Use 5GHz wherever possible, especially where the 2.4GHz band is crowded. Also consider dual 5GHz if possible.
Interference
Solution for External Interference

 Eliminate the sources of non-802.11 interference.
 If the source of the non-802.11 interference is required, such as alarm sensors, security cameras, microwave ovens, etc., you may exclude the channels used by these devices from the available channel selection for the APs near them. This is only effective if these devices are on the 5GHz band, as this band provides more non-overlapping channels. It is better not to use the 2.4GHz band.

interface <wifix> radio channel exclude <string>

 Eliminate rogue APs.
 If any adjacent buildings use Wi-Fi with high Tx power, try to have a discussion with the owner.
 If the 2.4GHz band is too crowded in the area, utilise the 5GHz band.
Mismatch in Tx-Power

 AP may not always hear the client
 Client may be forced to use a lower data rate to transmit, depending on the client’s location
 Results in poor performance and network utilization
 The WiFi bar looks full!
 Another bad design example!
Mismatch in Tx-Power

 The AP may not always hear the client, depending on the client’s location.
 The client may be forced to use a lower data rate to transmit.
 The impacts: high Tx retransmissions, higher client airtime, near-far and hidden-node problems.
Mismatch in Tx-Power

 The AP’s Tx power could be too low compared to the clients’.
 The client does not always hear the AP, depending on the client’s location.
 The AP may be forced to use a lower data rate to transmit when it is far from the client.
 Some of the impacts: high Rx retransmissions and high noise, especially when you have many clients.
Mismatch Tx-Power
Reported Issues AP’s Tx Power > Client’s Tx Power

 No transmission even though the client is associated
 No IP address
 Packet loss
 The issue occurs more frequently if a client is further away from the AP
 Poor performance
 Roaming issues
 Bad voice quality and one-way communication
Mismatch Tx-Power
Reported Issues AP’s Tx Power < Client’s Tx Power

 Dis-associated clients
 Packet loss
 Poor performance
 Roaming issues
 Bad voice quality and one-way communication
Mismatch Tx-Power
Troubleshooting things to check

 Retransmissions
 Tx-Power settings
 RSSI
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Check Tx / Rx Retries

You can see in this graph that the 5GHz Tx-Retries are much higher than the Rx-Retries. This is a strong indication that the AP power may be too high compared to the client’s.

Dashboard > Diagnostics > Retries

In this report you can compare the number of Tx and Rx retries on the AP that is reported to have the issue.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Check Tx / Rx Retries

You can issue the following command on the CLI to check the retransmissions. This information is also available in the tech data under “show interface wifi1 counter”.

AP-130-01#sh int wi1 count | in retr
1170 rx Retries
1% rx retry rate
3145 tx retries
3145 tx retries
11% tx retry rate
18% unicast data tx retry rate
361 too many hw retries

The Tx retransmissions are higher than the Rx. Next, check the AP Tx power and the client’s RSSI.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Tx Power Setting

 To confirm whether the high retransmission rate is related to a Tx-power mismatch, check the Tx power settings, the client’s RSSI and the channel utilisation.
 You can issue the following command on the CLI to check the AP Tx power. This information is also available in the tech data.

Manage > Devices

AP-130-01#show acsp
Interface Channel select state Primary channel Channel width Power ctrl state Tx power(dbm)
--------- --------------------- ---------------- ------------- --------------------- -------------
Wifi0 Enable 1 20 Enable 11
Wifi1 Enable 44 40 Disable(User disable) 20

As seen in the above example, the 5GHz Tx power is set to the maximum (20dBm). This indicates that the high Tx retries may be related to a Tx-power mismatch. Next, check the client’s RSSI.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Client’s RSSI

On the wireless clients monitor tab (Manage > Clients > Wireless Clients) you can see the signal strength of the client.

The “show station” command provides the client’s RSSI information.

Mac Addr IP Addr Chan Tx Rate Rx Rate Pow(SNR)
6c70:9f61:15cf 10.128.131.73 44 243M 24M -45(48)
b8e8:5644:b4da 10.128.131.70 44 27M 6M -88( 5)

It can be seen from the above outputs that one client’s RSSI is very low compared to the other’s, although they are in the same location. This indicates that this client’s Tx power is much lower than the AP’s.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power > Client’s Tx Power – Client’s RSSI

 Some wireless clients may be set to use a lower Tx power in order to extend battery life. It may also be set automatically by the TPC elements sent by the AP. You can verify this in the show interface wifi1 output.

AP-130-01#sh int w1 | include control
Tx range=300m; Noise floor=-93dBm; Tx power control=10dBm

 You can see from the above information that the AP forced the client to reduce its max Tx power by 10 dBm. This leaves the client with around 4 dBm Tx power, assuming its maximum is 14 dBm.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries

Dashboard > Diagnostics > Retries

 In this report you can compare the number of Tx and Rx retries on the AP that is reported to have the issue.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries

You can also check the retry values on the CLI or in the Tech Data.

AP130#show interface wifi0 counter | in retr
1438 rx Retries
16% rx retry rate
731 tx retries
729 tx retries
9% tx retry rate

 You can see in the previous graph and CLI output that the 2.4GHz Rx-Retries are higher than the Tx-Retries. This is a strong indication that the AP power may be too low compared to the client’s.
 The next step is to check the Tx power setting and the client’s RSSI.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries

Manage > Devices

AP130#show acsp
Interface Channel select state Primary channel Channel width Power ctrl state Tx power(dbm)
--------- --------------------- ---------------- ------------- --------------------- -------------
Wifi0 Enable 1 20 Disable(User disable) 1
Wifi1 Enable 40 20 Disable(User disable) 4

The above example shows that the Tx power is set to a very low value. This indicates that the high Rx retries may be related to a Tx-power mismatch. Next, check the client’s RSSI.
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Check Tx/ Rx Retries

Monitor > Clients

“Show Station” output

Ifname=wifi0.2, Ifindex=15, SSID=11bogus:
Mac Addr IP Addr Chan Tx Rate Rx Rate Pow(SNR)
-------------- --------------- ---- ------- ------- --------
8438:38c8:3112 172.16.102.15 1 19.5M 12M -63(32)
b8e8:5644:b4da 172.16.101.13 1 78M 144.4M -62(33)

The client is detected with a high signal. Next, check the AP’s RSSI value as detected by the client.

What happens when you switch from DFS to non-DFS Channel?
Mismatch Tx-Power
Troubleshooting AP’s Tx Power < Client’s Tx Power – Tx Power

The RSSI of the client seen by the AP is higher than the RSSI of the AP seen by the client. This is strong evidence that the client’s Tx power setting is higher than the AP’s Tx power.
You may need to use a free wireless analyser on your machine to check the RSSI of the AP. On a Mac, pressing “alt” and clicking on the Wi-Fi icon will give you the following information.
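The three checks walked through on slides 169 to 178 (retry rates, "show acsp" Tx power and "show station" RSSI) combined into one classifier, as an added example that is not part of the original deck. The sample outputs are the ones shown on the slides; the power and RSSI thresholds are assumptions, not values the deck gives.

```python
import re

# Constructed sample outputs, taken from the CLI examples on the slides
# (5 GHz case: slides 170-172; 2.4 GHz case: slides 175-177).
RETRY_5G = """\
1170 rx Retries
1% rx retry rate
3145 tx retries
3145 tx retries
11% tx retry rate
18% unicast data tx retry rate
361 too many hw retries
"""
ACSP_5G = """\
Interface Channel select state Primary channel Channel width Power ctrl state Tx power(dbm)
Wifi0 Enable 1 20 Enable 11
Wifi1 Enable 44 40 Disable(User disable) 20
"""
STATION_5G = """\
Mac Addr IP Addr Chan Tx Rate Rx Rate Pow(SNR)
6c70:9f61:15cf 10.128.131.73 44 243M 24M -45(48)
b8e8:5644:b4da 10.128.131.70 44 27M 6M -88( 5)
"""
RETRY_24G = """\
1438 rx Retries
16% rx retry rate
731 tx retries
729 tx retries
9% tx retry rate
"""
ACSP_24G = """\
Wifi0 Enable 1 20 Disable(User disable) 1
Wifi1 Enable 40 20 Disable(User disable) 4
"""
STATION_24G = """\
8438:38c8:3112 172.16.102.15 1 19.5M 12M -63(32)
b8e8:5644:b4da 172.16.101.13 1 78M 144.4M -62(33)
"""

# Thresholds are assumptions for this example, not values from the slides.
HIGH_AP_POWER_DBM = 17   # close to the 20 dBm maximum seen on the slides
LOW_AP_POWER_DBM = 6     # well below a typical client's Tx power
WEAK_CLIENT_DBM = -75    # client RSSI at the AP below this is "weak"


def parse_retry_rates(text):
    """Return (rx_retry_pct, tx_retry_pct) from 'show int wifiX counter | in retr'."""
    rx = re.search(r"(\d+)% rx retry rate", text)
    tx = re.search(r"(\d+)% tx retry rate", text)
    if not (rx and tx):
        raise ValueError("retry rate lines not found")
    return int(rx.group(1)), int(tx.group(1))


def parse_acsp_power(text):
    """Return {'wifi0': dBm, 'wifi1': dBm} from the last column of 'show acsp'."""
    power = {}
    for line in text.splitlines():
        m = re.match(r"(Wifi\d)\b.*\s(\d+)\s*$", line)
        if m:
            power[m.group(1).lower()] = int(m.group(2))
    return power


def parse_station_rssi(text):
    """Return {mac: rssi_dbm} from the Pow(SNR) column of 'show station'."""
    rssi = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4})\s.*\s(-\d+)\(\s*\d+\)", line)
        if m:
            rssi[m.group(1)] = int(m.group(2))
    return rssi


def assess_mismatch(retry_text, acsp_text, station_text, radio):
    """Combine the three checks the slides walk through into one verdict."""
    rx_pct, tx_pct = parse_retry_rates(retry_text)
    ap_power = parse_acsp_power(acsp_text)[radio]
    weak = sorted(mac for mac, r in parse_station_rssi(station_text).items()
                  if r < WEAK_CLIENT_DBM)
    if tx_pct > rx_pct and ap_power >= HIGH_AP_POWER_DBM:
        verdict = "AP Tx power likely higher than the clients'"
    elif rx_pct > tx_pct and ap_power <= LOW_AP_POWER_DBM:
        verdict = "AP Tx power likely lower than the clients'"
    else:
        verdict = "no Tx-power mismatch indicated; check CU and interference"
    return {"rx_retry_pct": rx_pct, "tx_retry_pct": tx_pct,
            "ap_tx_power_dbm": ap_power, "weak_clients": weak, "verdict": verdict}


if __name__ == "__main__":
    print(assess_mismatch(RETRY_5G, ACSP_5G, STATION_5G, "wifi1"))
    print(assess_mismatch(RETRY_24G, ACSP_24G, STATION_24G, "wifi0"))
```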
Mismatch Tx-Power
Solutions

 AP’s Tx Power is higher:
   Adjust the ACSP max Tx power to half power. A wireless client’s Tx power is normally lower than the AP’s.
   Reduce the Tx power manually if the AP uses static Tx power.
   Start by reducing the Tx power by 3 dB.
   Disable TPC, or increase the TPC value to a higher value.
   Add more APs if extra coverage is required, rather than increasing the AP’s Tx power.
Mismatch Tx-Power
Solutions

 AP’s Tx Power is lower:
   Adjust the ACSP max Tx power to half power.
   Increase the Tx power manually if the AP uses static Tx power.
   Start by increasing the Tx power by 3 dB.
   Increase the basic data rate in order to create a smaller cell, rather than reducing the AP power to a very low value.
   The default ACSP process allows the AP to reduce the Tx power by 9 dB. You may need to reduce this to 6 dB. Enter the following command in the supplemental CLI, depending on which radio requires adjustment.
   interface wifi0 radio power auto maxdrop 6
   interface wifi1 radio power auto maxdrop 6
Hidden-Node Problem

 How does such a situation arise?
   Access points placed at a whim (random)
   Access points hidden due to aesthetic concerns
   Changes in environment
 How to prevent?
   Design properly
   Site survey
   Ongoing monitoring

Diagram: Client 1 and Client 2 are separated by an obstacle. Client 1 cannot reach Client 2 and Client 2 cannot reach Client 1, but the AP can reach both clients and vice versa.
Identify The Problem…

Hidden Node
Reported Issues

 Slow at certain times.
 The issue is seen more when there are many users connected to an AP.
 No IP address.
 Packet loss.
Hidden Node
Troubleshooting

 Things to check:
 Retransmissions
 Collision Status
 Client’s RSSI

Hidden Node
Diagnostics Retransmission

 The Tx retries are quite high in this report. As learned previously, high Tx retries mean that the AP does not hear back from the client.
 Next you can check the collision status on the CLI or in the Tech Data.

Dashboard > Diagnostics > Retries
Hidden Node
Troubleshooting Collision

 The best place to check the collision status is the CLI / Tech Data.

AP130#show interface wifi1
AC=access category; be=best-effort; bg=background; vi=video; vo=voice;
AIFS=Arbitration Inter-Frame Space; Txoplimit=transmission opportunity limit;
IDP=Intrusion detection and prevention; BGSCAN=background scan; PS=Power save;
HT=High throughput; A-MPDU=Aggregate MAC protocol data unit;
DFS=Dynamc Frequency Selection; CU=Channel Utilization;

Summary state=High collision;
Mode=access; Radio disabled=no;
Admin state=enabled; Operational state=up;

 The above interface statistics show that the collision level is high. This is a strong indication that you may have a hidden node issue.
 The next step is to check the clients’ RSSI.
Hidden Node
Troubleshooting RSSI

 Check the RSSI either from XIQ or the CLI.
 In the “show station” output you can see the clients’ RSSI.

Mac Addr IP Addr Chan Tx Rate Rx Rate Pow(SNR)
8438:38c8:3112 172.16.102.15 48 130M 6M -47(48)
b8e8:5644:b4da 172.16.101.13 48 156M 6.5M -79(16)

 In this example one of the clients is either far from the AP or located behind an obstacle. In this situation these two clients may not see each other.
Hidden Node
Solution

 There are many things that can be done to resolve the hidden node issue:
   Ensure stations only connect to a nearby AP
   Implement IEEE 802.11 RTS/CTS
   Reduce the AP’s Tx power to match the client’s Tx power
   Increase the basic data rate: ensure stations connect to a nearby AP only
   Rather than using high Tx power and low data rates, add additional APs if there is not enough coverage.

Slide 188 comment (Marko Tisler, 12/04/2017): RTS/CTS instead! Needs clarification.
Software Defined Radio Profile (SDR)
SDR profiles determine whether WiFi0 should be 5 GHz or 2.4 GHz

 SDR assignment kicks in:
   After the initial ACSP process
     Runs on boot up, radio reset, new configuration
   Periodically
   Scheduled
Software Defined Radio Profile (SDR)
Initial ACSP Process

Flow of the initial ACSP-SDR process (reconstructed from the flowchart):
 ACSP starts: WiFi0 on 2.4GHz, WiFi1 on 5GHz; channels are assigned to both radios.
 SDR starts and the RF redundancy detection algorithm runs.
 Above threshold? NO: WiFi0 stays on 2.4GHz. YES: WiFi0 is assigned to 5GHz and channel separation is ensured.
 Power selection for WiFi0 and WiFi1; the final channels and Tx powers are assigned.
 ACSP-SDR completed.

ACSP assigns 2.4GHz to WiFi0.
ACSP assigns channel and power to WiFi1.
A complex algorithm runs in the background to determine whether interface wifi0 needs to stay on 2.4GHz or switch to the 5GHz band.
Only enable SDR if all devices on the network can support both 2.4GHz and 5GHz. If you have some devices that support 2.4GHz ONLY, do NOT enable SDR; instead, assign interface wifi0 to 2.4GHz.
SDR Optimisation

 The SDR result may not be optimised, since the power assignment kicks in after the SDR process.
 Enable “SDR during initial ACSP” and “SDR periodically in the background”.
 Assign static power to the APs.
SDR Optimisation

 Disable “SDR during initial ACSP”.
 Enable “SDR periodically in the background”.
 Enable ACSP power adjustment.
 Set a longer interval so SDR only runs after the ACSP power adjustment has been completed.
SDR Optimisation

 Changing band will impact client connections.
 It is recommended to enable “SDR during a scheduled time range”.
Software Defined Radio Profile (SDR)
Periodic Checking

Flow of the periodic SDR check (reconstructed from the flowchart):
 SDR starts.
 Periodic checking enabled? NO: WiFi0 stays on the current band, channel and Tx power.
 YES: the RF redundancy detection algorithm runs.
 Above threshold 3 times? NO: WiFi0 stays on the current band, channel and Tx power.
 YES: WiFi0 is assigned to a different band; channel separation is ensured if 5GHz is chosen.
 Tx power assignment; the final channels and Tx powers are assigned.
 SDR completed.
Software Defined Radio Profile (SDR)
Scheduled Checking

Flow of the scheduled SDR check (reconstructed from the flowchart):
 SDR starts.
 Scheduled checking enabled? NO: WiFi0 stays on the current band, channel and Tx power.
 YES: the RF redundancy detection algorithm runs.
 Above threshold? NO: WiFi0 stays on the current band, channel and Tx power.
 YES: WiFi0 is assigned to a different band; channel separation is ensured if 5GHz is chosen.
 Tx power assignment; the final channels and Tx powers are assigned.
 SDR completed.
5 GHz Channels

Chart (reconstructed from the slide; band edges in GHz: 5.150, 5.250, 5.350, 5.470, 5.725, 5.825, 5.850, 5.925):
U-NII-1: 20 MHz channels 36, 40, 44, 48
U-NII-2A: 20 MHz channels 52, 56, 60, 64
(5.350-5.470): 68, 72, 76, 80, 84, 88, 92, 96
U-NII-2C: 20 MHz channels 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144
U-NII-3: 20 MHz channels 149, 153, 157, 161, 165 (169, 173, 177, 181 above 5.850)
40 MHz channels: 38, 46, 54, 62, 102, 110, 118, 126, 134, 142, 151, 159, 167, 175
80 MHz channels: 42, 58, 106, 122, 138, 155, 171
160 MHz channels: 50, 114, 163
Dynamic Frequency Selection (DFS) channels: 52-64 (U-NII-2A) and 100-144 (U-NII-2C)
Troubleshooting DFS

 Even after enabling dynamic channel selection and DFS channels, you may see
your 5 GHz radios ending up on channels 36, 40, 44 and 48.
 This is most likely because of detected radar presence.
 You can use CLI commands to verify the cause.

Troubleshooting DFS

 show interface wifi1 dfs command will show any detected radar events.
 If detected, the AP will go off the DFS channels for 30 minutes.
 This back off period can be reduced using Zero-Wait DFS.

Troubleshooting DFS

 The show acsp channel-info command shows the cost of a channel.
 The higher the cost, the less likely it is for the channel to be selected by the ACSP process.
 A DFS radar detection sets the channel cost to the maximum for a period of time and then gradually reduces it.
Lab #2:
RF Issues

You are receiving complaints that WiFi connectivity breaks intermittently on newly-deployed devices.

Your Task: Verify and fix the RF configuration

All issues should be fixed from within the StudentX policy for proper evaluation!
Network Performance Troubleshooting

Best Practices For Broadcast and Multicast

 Disable inter-station traffic on the SSID if possible
 Enable the IP firewall
 Minimize traffic at the edge
 Specify allowed VLANs
   for trunk ports on switch links to the AP
   and in the configuration for APs
Filter unnecessary traffic from Switches
Broadcast, Multicast and Unknown

 Allowed VLANs are specified in the interface settings of an AP.
 Use the device templates to make these settings by default.
 Allowed VLANs: “auto” automatically applies VLANs based on VLAN ID matches for the management interface, virtual management interface, native VLAN, or the default VLAN configured in user profiles.
Broadcast and Multicast Issues

A wireless network may be suffering from high levels of broadcast or multicast traffic if you notice the following:
 Slow performance
 Client stations unable to obtain an IP address
 Roaming issues
High broadcast and multicast levels are often related to the following:
 Switch port configuration
 VLAN allocation
Broadcast and Multicast Issues
Switch Port Configuration Issues

Generally, switch ports that are connected to access points (APs) are configured as trunk ports to carry the VLANs required by the WLAN. However, there are instances where the ports are configured to carry all VLANs, unnecessarily. In these situations broadcast and multicast traffic from all VLANs may be forwarded to the APs’ ports. This can potentially increase the load on an AP’s CPU.
Broadcast and Multicast Issues
Troubleshooting Switch port configuration issues

show cpu detail
CPU total utilization: 8.415%
CPU user utilization: 0.000%
CPU system utilization: 1.485%
Number of interrupt in last second: 2889
Interrupt utilization: 0.000%
Soft interrupt utilization: 6.930%
CPU0 utilization:
CPU total utilization: 12.000%
CPU user utilization: 0.000%
CPU system utilization: 1.000%
Interrupt utilization: 0.000%
Soft interrupt utilization: 11.000%
CPU1 utilization:
CPU total utilization: 3.921%
CPU user utilization: 0.000%
CPU system utilization: 0.980%
Interrupt utilization: 0.000%
Soft interrupt utilization: 2.941%

Callouts: “Number of interrupt in last second” indicates high interruptions; you may have high BC/MC traffic from the wired side. Check whether the “Soft interrupt utilization” value is high compared to the user and system utilisation.
Broadcast and Multicast Issues
Troubleshooting Switch Port Configuration

show user-profile
User Profile Table
Total Entries = 2

No. User Profile Name VLAN Attribute
--------------------------------------------------------------------------------
1 default-profile 1 0
2 nat1 1 1001
Broadcast and Multicast Issues
Troubleshooting Switch Port Configuration

show forwarding-engine mac-session dst-mac ffff:ffff:ffff
MAC session sync VLAN: Disabled
MAC session table:
Flags: E=Encapsulate; S=Self; C=Captive web portal R=SMAC Route invalid;
Zone: A=Access; B=Backhaul; Ageout: Ageout time (in ms)
Total entries: 5/8191
Id:1; Ageout:59917; Up:0 min 31 sec; Flag: 0x4; UPID: 0
b8e8:5644:b4da->ffff:ffff:ffff,eth0; Tun:0; Flg: (0x8600); Vlan:110;
Paks:4; Bytes: 562; Zone:B; CAVC:0

Callout: this entry is BC/MC traffic arriving on eth0 in VLAN 110, which is not used by the WLAN.
Broadcast and Multicast Issues
Solution to Switch Port Configuration Issues

Diagram: an AP serving SSID Red (VLAN Red) and SSID Blue (VLAN Blue), connected to the switch over a Dot1q trunk that carries VLAN Red, VLAN Blue and VLAN Management only.

Check the switch configuration and ensure it carries only the VLANs used by the WLAN and Management.
Broadcast and Multicast Issues
Common mistakes in allocating VLANs for WLANs

 Too many APs in the same management VLAN
 VLANs are shared with wired users
 The same set of VLANs is assigned on all APs
Broadcast and Multicast Issues
Troubleshooting VLAN Allocation Issues

show cpu detail
CPU total utilization: 89.956%
CPU user utilization: 14.410%
CPU system utilization: 9.170%
Number of interrupt in last second: 6601
Interrupt utilization: 0.000%
Soft interrupt utilization: 66.375%
CPU total utilization: 92.241%
CPU user utilization: 10.344%
CPU system utilization: 7.758%
Interrupt utilization: 0.000%
Soft interrupt utilization: 74.137%
CPU1 utilization:
CPU total utilization: 86.956%
CPU user utilization: 19.130%
CPU system utilization: 10.434%
Interrupt utilization: 0.000%
Soft interrupt utilization: 57.391%

Callouts: “Number of interrupt in last second” indicates high interruptions; you may have high BC/MC traffic from the wire. Check whether the “Soft interrupt utilization” values are high compared to the system and user utilisation.
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues

show interface wifi0 counter
27991069 tx data frames
4262455 tx unicast data frames
14512586 tx multicast data frames
9216028 tx broadcast data frames

show interface wifi1 counter
43285781 tx data frames
19173242 tx unicast data frames
13254976 tx multicast data frames
10857563 tx broadcast data frames

Callout: the multicast and broadcast values are very high (about 85% of the tx data frames on wifi0 and 55% on wifi1).
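The BC/MC share that this slide reads off "show interface wifiX counter", and the soft-interrupt ratio the previous slide reads off "show cpu detail", computed from the raw output, as an added example that is not part of the original deck. The sample outputs are the ones on the slides; the 50% thresholds are assumptions, since the deck only calls the values "very high".

```python
import re

# Constructed sample outputs copied from the slides (VLAN allocation case).
WIFI0_COUNTERS = """\
27991069 tx data frames
4262455 tx unicast data frames
14512586 tx multicast data frames
9216028 tx broadcast data frames
"""
WIFI1_COUNTERS = """\
43285781 tx data frames
19173242 tx unicast data frames
13254976 tx multicast data frames
10857563 tx broadcast data frames
"""
CPU_DETAIL = """\
CPU total utilization: 89.956%
CPU user utilization: 14.410%
CPU system utilization: 9.170%
Number of interrupt in last second: 6601
Interrupt utilization: 0.000%
Soft interrupt utilization: 66.375%
"""

# Assumed thresholds for this example; the slides only call the values "very high".
BCMC_SHARE_LIMIT = 0.50   # more than half of tx data frames are BC/MC
SOFTIRQ_LIMIT = 0.50      # more than half of CPU time spent in soft interrupts


def parse_tx_frame_counters(text):
    """Return {'data': n, 'unicast': n, 'multicast': n, 'broadcast': n}."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+) tx (?:(unicast|multicast|broadcast) )?data frames", line)
        if m:
            counters[m.group(2) or "data"] = int(m.group(1))
    return counters


def bcmc_share(text):
    """Fraction of transmitted data frames that were broadcast or multicast."""
    c = parse_tx_frame_counters(text)
    return (c["multicast"] + c["broadcast"]) / c["data"]


def parse_cpu_summary(text):
    """Aggregate (first) block of 'show cpu detail' as fractions of total."""
    pct = {}
    for key in ("CPU total utilization", "CPU user utilization",
                "CPU system utilization", "Soft interrupt utilization"):
        m = re.search(re.escape(key) + r": ([\d.]+)%", text)  # first occurrence
        if m:
            pct[key] = float(m.group(1))
    total = pct["CPU total utilization"]
    return {
        "softirq": pct["Soft interrupt utilization"] / total,
        "user_plus_system": (pct["CPU user utilization"]
                             + pct["CPU system utilization"]) / total,
    }


def assess_bcmc(counters_by_radio, cpu_text):
    """Flag radios with a high BC/MC share and whether the CPU is softirq-bound."""
    shares = {radio: bcmc_share(t) for radio, t in counters_by_radio.items()}
    cpu = parse_cpu_summary(cpu_text)
    return {
        "bcmc_share": shares,
        "high_bcmc_radios": sorted(r for r, s in shares.items() if s > BCMC_SHARE_LIMIT),
        "softirq_share": cpu["softirq"],
        "softirq_bound": (cpu["softirq"] > SOFTIRQ_LIMIT
                          and cpu["softirq"] > cpu["user_plus_system"]),
    }


if __name__ == "__main__":
    result = assess_bcmc({"wifi0": WIFI0_COUNTERS, "wifi1": WIFI1_COUNTERS}, CPU_DETAIL)
    for radio, share in result["bcmc_share"].items():
        print(f"{radio}: {share:.0%} of tx data frames are BC/MC")
    print(f"soft interrupt share of CPU time: {result['softirq_share']:.0%}")
```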
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues

show interface mgt0
Admin state=enabled; Operational state=up;
DHCP client=enabled;
Default IP subnet=192.168.0.0/255.255.0.0;
IP addr=10.25.246.236; Netmask=255.255.0.0; Default Gateway:10.25.255.254;
VLAN id=1; Native vlan id=1;
MAC addr=0019:7713:d1c0; MTU=1500;
Rx packets=17845724; errors=0; dropped=0;
Tx packets=17032622; errors=0; dropped=0;
Rx bytes=3909393318 (3.641 GB); Tx bytes=5834544988 (5.434 GB);

 Subnet size: the bigger the subnet, the more devices can be allocated – this may increase BC/MC.
 VLAN: VLAN 1 is mainly used by other devices in the network – this may also increase BC/MC.
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues

show amrp node

Callout: too many nodes in one subnet.
Broadcast and Multicast Issues
Troubleshooting VLAN Allocations Issues

show forwarding-engine mac-session dst-mac ffff:ffff:ffff
MAC session sync VLAN: Disabled
MAC session table:
Flags: E=Encapsulate; S=Self; C=Captive web portal; R=SMAC Route invalid;
Zone: A=Access; B=Backhaul; Ageout: Ageout time (in ms)
Total entries: 582/8191
Id:459; Ageout:59134; Up:0 min 1 sec; Flag: 0x4; UPID: 0
c450:0685:8271->ffff:ffff:ffff,eth0; Tun:0; Flg: (0x8600); Vlan:133;
Paks:2; Bytes: 379
Id:462; Ageout:59680; Up:0 min 0 sec; Flag: 0x4; UPID: 0
20a2:e464:42eb->ffff:ffff:ffff,eth0; Tun:0; Flg: (0x8600); Vlan:161;
Paks:1; Bytes: 42
Id:81; Ageout:59858; Up:0 min 0 sec; Flag: 0x4; UPID: 0
f024:7550:92e0->ffff:ffff:ffff,n/a; Tun:0; Flg: R (0x8600); Vlan:133;
Paks:1; Bytes: 42
Broadcast and Multicast Issues
VLAN Allocation Issues solution

 Separate wireless and wired VLANs where possible.
 Create separate sets of VLANs / reduce the number of users per VLAN. As a guideline, use /25 networks or smaller, unless the number of concurrent wireless users is small.
 Do not use VLAN 1.
Broadcast and Multicast Issues
VLAN Allocation Issues – Solution

Diagram: three buildings, each connected to the L3 network over its own Dot1q trunk, each with its own set of user VLANs and the shared management VLAN.
 Building A: VLAN 102, 103, 104, 105; VLAN Mgt (101)
 Building B: VLAN 202, 203, 204, 205; VLAN Mgt (101)
 Building C: VLAN 302, 303, 304, 305; VLAN Mgt (101)
Troubleshooting Tools

VLAN Probe
VLAN or DHCP probe

Can be executed on the IQEngine CLI, or in XIQ.

CLI command:

interface <mgtx> dhcp-probe vlan-range <number> <number>

Optional timeout and retries may be added to the command:

[ timeout <number> ] [ retries <number> ]

Timeout can be 1-60 secs, default is 10. Retries 1-10, default is 1.

To use this command in the XIQ CLI Access Window you must issue the following to see the output:

show interface <mgtx> dhcp-probe results-summary
VLAN Probe Example

Remote Sniffer

Remote sniffer allows a network administrator to connect a Windows-based Wireshark to control a capture.

exec capture remote-sniffer

Optional settings:

[ user <string> <string> ] [ host-allowed <string> ] [ local-port <number> ] [ promiscuous ]

The default port is 2002; any unused port may be utilised.
Remote Sniffer Example

Wi-Fi Interface Capture *

Interface capture can be used where a 3rd party tool is unavailable.

Start the capture using:

capture interface <wifix> [ count <number> ] [ promiscuous ]

Frame range 1-100000. Default is 2000.

View capture information:

show capture interface <wifix>

* Feature not officially supported
Wi-Fi Interface Capture *

To view capture files stored on the AP:

show capture local

To upload the file to a server for viewing use:

save capture local <string> <location>

Location can be an SCP or TFTP server. An HTTP URL may also be used.

Wi-Fi Interface Capture Example

226 ©2020 Extreme Networks, Inc. All rights reserved

226
TCP Service Test

The TCP service can be used to verify TCP connectivity.

exec _test tcp-service host <ip_addr> port <number> [ timeout <number> ]

Port range is 1-65535. Timeout value is 1-60 seconds, default is 10.

CAPWAP PING

CAPWAP PING can be used to test UDP connectivity to XIQ or the Redirector.

capwap ping <string> [ port <number> ] [ count <number> ] [ size <number> ] [ timeout <number> ]
Delay Execute

Useful when multiple device settings need changing simultaneously, e.g. IP address, subnet mask, default gateway, VLAN. Enter delay-execute config mode:

exec delay-execute [ <number> ]

 Interval after the delay to apply the entered commands, 1-60 seconds
 Enter the configuration commands and exit delay execute mode:

no exec delay-execute
Delay Execute Example

SSH Client & Device WAN Access

The SSH client allows an administrator to SSH between devices.

exec ssh-client server <string> user <string>

 The server may be an IP address or FQDN

Device WAN access:
 Used to permit management traffic to a router’s WAN address
 Also available in XIQ via the Utilities drop-down

exec bypass-wan-hardening
Authentication Tools – RADIUS Test

Several AAA tools are available in the CLI.

The RADIUS authentication test returns success or failure together with the attributes the server sent back:

exec aaa radius-test <string> username <string> password <string> [ {pap|chap|ms-chap-v2} ]

The authentication method is optional; the default is MS-CHAP-v2.

232
Authentication Tool – NTLM Auth

Used to test Active Directory integration from the Aerohive RADIUS server.

exec aaa ntlm-auth username <string> password <string> [ domain <string> ]

233
Authentication Tools - LDAP Search

LDAP Search can display group membership:

exec aaa ldap-search username <string> [ basedn <string> ] [ domain <string> ]

Base DN and domain are optional.

234
Port Mirroring

A monitor session can be configured with VLANs or Ethernet interfaces as a source. Applicable to the SR2000 & SR2100 series.

First configure a session name:

monitor session <string>

Define the traffic sources:

monitor session <string> source interface <ethx/y|aggx> [ - <ethx/y|aggx> ] {ingress|egress|both}
monitor session <string> source vlan <number> [ - <number> ] ingress

Finally enable the session:

monitor session <string> enable

235
Real-time client information

Real-time frame statistics are available, including data rates and bytes transmitted and received:

show station <mac_address>

236
System processes

To display the processes and the resources they consume:

show system process state

237
Available commands

show cmds displays all available commands; adding | include filters the list by keyword:

show cmds
show cmds | include aaa

238
Forwarding Engine Debugging

 It is possible to trace packets as they traverse the forwarding engine (FE) in IQEngine.
 This type of debugging forms part of what is displayed in Client Monitor, but it can be used to display any traffic defined in a flow filter (ff).
 A flow filter may include the following:
 Source/destination IP address, MAC address & port numbers
 Protocol numbers
 Interface

239
Forwarding Engine Debugging Process

1. Define the interesting traffic in the flow filter:

_ff protocol 1 bidirectional
_ff src-mac 1122:3344:5566 bidirectional

2. Enable the FE debug:

_kdebug fe basic
_kdebug fe detail

Basic debug displays the packet's route through the device with IP addresses, port numbers and interfaces. Detail additionally shows MAC, QoS, IP session and user profile information.

240
Forwarding Engine Debugging Example

Lab-230#_ff dst-ip 8.8.8.8 protocol 1 bidirectional
Lab-230#_kdebug fe basic
Lab-230#show _ff
id 1 dst-ip 8.8.8.8 protocol 1 bidirectional
Lab-230#_debug show
***********Kernel debug enabled***************
_kdebug fe basic
*********Application debug enabled************
Lab-230#show logg buff
2016-09-29 12:01:56 info ah_cli: admin:<show logg buff>
2016-09-29 12:01:51 debug kernel: cf239080::L*: (o) wifi1.1 8.8.8.8->192.168.10.228(57520) ttl(57) icmp-echo-reply(57969/49) 98 bytes
2016-09-29 12:01:51 debug kernel: cf239080::L*: (i) eth0 8.8.8.8->192.168.10.228(57520) ttl(57) icmp-echo-reply(57969/49) 84 bytes
2016-09-29 12:01:51 debug kernel: cea73540::L*: (o) eth0 192.168.10.228->8.8.8.8(59885) ttl(64) icmp-echo-req(57969/49) 98 bytes
2016-09-29 12:01:51 debug kernel: cea73540::L*: (i) wifi1.1 192.168.10.228->8.8.8.8(59885) ttl(64) icmp-echo-req(57969/49) 84 bytes
2016-09-29 12:01:51 debug kernel: cdf50820::L*: (o) wifi1.1 8.8.8.8->192.168.10.228(20912) ttl(57) icmp-echo-reply(57969/48) 98 bytes
2016-09-29 12:01:51 debug kernel: cdf50820::L*: (i) eth0 8.8.8.8->192.168.10.228(20912) ttl(57) icmp-echo-reply(57969/48) 84 bytes
2016-09-29 12:01:51 debug kernel: ce7a6960::L*: (o) eth0 192.168.10.228->8.8.8.8(53749) ttl(64) icmp-echo-req(57969/48) 98 bytes
2016-09-29 12:01:51 debug kernel: ce7a6960::L*: (i) wifi1.1 192.168.10.228->8.8.8.8(53749) ttl(64) icmp-echo-req(57969/48) 84 bytes
2016-09-29 12:01:51 debug kernel: cf0346e0::L*: (o) wifi1.1 8.8.8.8->192.168.10.228(24239) ttl(57) icmp-echo-reply(57969/47) 98 bytes
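Reading this output by hand gets tedious once more than a few packets match the flow filter. The following is an added example (not part of the deck or the IQEngine CLI) that parses these `_kdebug fe basic` lines, pairs each packet's (i) and (o) entries by the buffer id that prefixes every line, and flags packets that entered the forwarding engine but were never forwarded; the sample input is the slide's own output plus one constructed line (id c0ffee00) for such a dropped packet.

```python
"""Reconstruct packet paths from IQEngine `_kdebug fe basic` output.

Added example, not part of the Extreme Networks deck or the IQEngine CLI:
it parses the kernel debug lines that `show logging buffered` prints after
`_kdebug fe basic` (format taken from the slide) and pairs each packet's
(i) ingress line with its (o) egress line using the buffer id that prefixes
every line. A packet with an ingress line but no egress line never left the
forwarding engine, which is the first thing to look for when a flow is
being dropped by a firewall policy, user profile or missing route.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# <date> <time> debug kernel: <id>::L*: (i|o) <if> <src>-><dst>(<hash>) ttl(<n>) <proto>(<id>/<seq>) <len> bytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) debug kernel: (?P<pkt>[0-9a-f]+)::L\*: "
    r"\((?P<dir>[io])\) (?P<iface>\S+) (?P<src>[\d.]+)->(?P<dst>[\d.]+)\(\d+\) "
    r"ttl\((?P<ttl>\d+)\) (?P<proto>[\w-]+)\((?P<pid>\d+)/(?P<seq>\d+)\) (?P<length>\d+) bytes$"
)


@dataclass
class FlowTrace:
    """One packet's passage through the forwarding engine."""
    src: str
    dst: str
    proto: str
    seq: int
    ingress: Optional[str] = None  # interface the packet entered on
    egress: Optional[str] = None   # interface the packet left on
    bytes_in: int = 0
    bytes_out: int = 0

    @property
    def dropped(self) -> bool:
        """Entered the FE but never left it."""
        return self.ingress is not None and self.egress is None


def parse_fe_debug(lines: List[str]) -> Dict[str, FlowTrace]:
    """Group `_kdebug fe basic` lines by packet id into FlowTrace records.

    The log buffer is printed newest-first, so a packet's (o) line usually
    precedes its (i) line; keying on the packet id makes the order irrelevant.
    Lines that are not FE debug output (e.g. the ah_cli echo) are skipped.
    """
    traces: Dict[str, FlowTrace] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = traces.setdefault(
            m["pkt"], FlowTrace(m["src"], m["dst"], m["proto"], int(m["seq"]))
        )
        if m["dir"] == "i":
            t.ingress, t.bytes_in = m["iface"], int(m["length"])
        else:
            t.egress, t.bytes_out = m["iface"], int(m["length"])
    return traces


def describe(t: FlowTrace) -> str:
    """Hop summary such as 'icmp-echo-req seq 48 a->b: wifi1.1 -> eth0'; '?' marks a side not seen."""
    return f"{t.proto} seq {t.seq} {t.src}->{t.dst}: {t.ingress or '?'} -> {t.egress or '?'}"


def find_dropped(traces: Dict[str, FlowTrace]) -> List[str]:
    """Packet ids that entered the FE but were never forwarded out."""
    return sorted(pkt for pkt, t in traces.items() if t.dropped)


# Sample input: the slide's own `show logg buff` output (the (i) line of
# cf0346e0 fell off the slide) plus one constructed line, id c0ffee00, for a
# request that entered on wifi1.1 and was not forwarded.
SAMPLE_LOG = """\
2016-09-29 12:01:56 info ah_cli: admin:<show logg buff>
2016-09-29 12:01:51 debug kernel: cf239080::L*: (o) wifi1.1 8.8.8.8->192.168.10.228(57520) ttl(57) icmp-echo-reply(57969/49) 98 bytes
2016-09-29 12:01:51 debug kernel: cf239080::L*: (i) eth0 8.8.8.8->192.168.10.228(57520) ttl(57) icmp-echo-reply(57969/49) 84 bytes
2016-09-29 12:01:51 debug kernel: cea73540::L*: (o) eth0 192.168.10.228->8.8.8.8(59885) ttl(64) icmp-echo-req(57969/49) 98 bytes
2016-09-29 12:01:51 debug kernel: cea73540::L*: (i) wifi1.1 192.168.10.228->8.8.8.8(59885) ttl(64) icmp-echo-req(57969/49) 84 bytes
2016-09-29 12:01:51 debug kernel: cdf50820::L*: (o) wifi1.1 8.8.8.8->192.168.10.228(20912) ttl(57) icmp-echo-reply(57969/48) 98 bytes
2016-09-29 12:01:51 debug kernel: cdf50820::L*: (i) eth0 8.8.8.8->192.168.10.228(20912) ttl(57) icmp-echo-reply(57969/48) 84 bytes
2016-09-29 12:01:51 debug kernel: ce7a6960::L*: (o) eth0 192.168.10.228->8.8.8.8(53749) ttl(64) icmp-echo-req(57969/48) 98 bytes
2016-09-29 12:01:51 debug kernel: ce7a6960::L*: (i) wifi1.1 192.168.10.228->8.8.8.8(53749) ttl(64) icmp-echo-req(57969/48) 84 bytes
2016-09-29 12:01:51 debug kernel: cf0346e0::L*: (o) wifi1.1 8.8.8.8->192.168.10.228(24239) ttl(57) icmp-echo-reply(57969/47) 98 bytes
2016-09-29 12:01:50 debug kernel: c0ffee00::L*: (i) wifi1.1 192.168.10.228->8.8.8.8(41001) ttl(64) icmp-echo-req(57969/47) 84 bytes
""".splitlines()

if __name__ == "__main__":
    traces = parse_fe_debug(SAMPLE_LOG)
    for pkt, t in traces.items():
        print(pkt, describe(t))
    print("dropped:", find_dropped(traces))
```

The 14-byte difference between the (i) and (o) lengths of each forwarded packet is the Ethernet header the FE counts on egress, so it is not a sign of anything wrong.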

241
Authentication and Roaming

242
Topics

 Pre-shared Key
 Private Pre-shared Key
 802.1X & Active Directory
 Roaming & Authentication

243
Client Monitor XIQ

244
Pre-shared Key Association

SSID: test1-psk
Key method: WPA2-PSK
Encryption: CCMP (AES)
Supported rates and capabilities

Client and AP exchange:

Beacons: The AP broadcasts beacons advertising the SSID 'test1-psk' and its security and network capabilities on the 2.4 GHz & 5 GHz bands.

Probe Request / Probe Response: If the client sends a probe request to discover available SSIDs, the AP responds with the same information as in its beacons.

Authentication Request / Authentication Response: The client sends an authentication request, and because WPA2 uses open authentication, the response always accepts the request.

Association Request / Association Response: The client sends its capabilities, and the AP replies whether these are acceptable or not. If they are, it creates an association ID and sends it to the client.

Four-way handshake: The AP and client use the pre-shared key and the information exchanged in the handshake to derive keys to encrypt unicast traffic. (Later, they derive encryption keys for multicast and broadcast traffic as well.)

245
Successful PSK Authentication
Client Monitor

246
Incorrect Pre-shared Key

247
PSK Client Not Connecting

248
Successful RADIUS authentication

249
Incorrect user credentials

250
Misconfigured RADIUS secret

251
RADIUS certificate issue

252
Expired Server Certificate

253
Inconsistent Roaming Patterns

1. Client starts connection to AP 1
2. Client roams to AP 2
3. Client experiences poor voice quality when turning the corner
4. Client eventually roams to AP 3

254
What is the ‘proper design’?
It depends on whether roaming is a key consideration

XIQ APs

 Layer 2 roaming is supported if the AP the client is roaming to has a roaming entry for the client and the same VLAN configuration for the user. It also applies when the MGT0 interfaces are in different subnets but the user VLAN is the same and Layer 3 roaming is disabled.
 Layer 3 roaming is supported if the AP the client is roaming to has a roaming entry for the client and is in a different management subnet or has a different VLAN configuration for the user.
The APs can bring up a mesh to route around a problem, even if mesh is not being used by default.
What is the MTBF of a protocol?

255
What is the proper design?
It depends

XIQ APs

 Number of APs in roaming range
 How many APs to put in the same management subnet
 How can client VLANs be defined to maximize roaming
 Is there any break in Wi-Fi connectivity
256
Lab #3
802.1X Troubleshooting

You are receiving complaints that users are unable to connect to the Corporate Wi-Fi.

Your Task: Fix Corporate Wi-Fi connectivity.

(You can use userX/Aerohive1 for authentication testing purposes.)

All issues should be fixed from within the StudentX policy for proper evaluation!

257
Private pre-shared key (PPSK)

258
PPSK in Cloud vs AP

259
ID Manager

(Diagram: Windows NPS is reached over RADIUS; IDM is reached over RadSec)

ID Manager (IDM) is an AAA server that uses the RadSec protocol (RADIUS over TLS) instead of plain RADIUS.

260
ID Manager
XIQ Classic vs XIQ

Comparison of output for show idm command.

XIQ Classic:

IDM client: Enabled
IDM Proxy IP: 10.16.142.204
IDM proxy: Enabled
IDM server: auth.aerohive.com
IDM server IP: 164.177.189.202
RUN state: Connected securely to the IDM server
IDM transport mode: TCP
Server destination Port: 2083
RadSec Certificate state: Valid
RadSec Certificate Issued: 2013-11-16 23:55:31
RadSec Certificate Expires: 2014-02-17 23:55:31 GMT

XIQ:

IDM client: Enabled Per SSID
IDM Proxy IP: 192.168.1.180
IDM proxy: Enabled
IDM server: cloud-va-ag.aerohive.com
IDM server IP: 54.84.93.155
RUN state: Connected securely to the IDM server
IDM transport mode: TCP
Server destination Port: 2083
RadSec Certificate state: Valid
RadSec Certificate Issued: 2016-06-14 04:51:35
RadSec Certificate Expires: 2017-06-14 04:51:35 GMT

261
If an ID Manager certificate is invalid

 Clear AAA RADIUS-server-key radsec root-ca
 Clear AAA RADIUS-server-key radsec end-cert
 Save config
 Full config upload

262
ID Manager RadSec Proxy Test

To check whether the ID Manager RadSec proxy is operating correctly use:

exec aaa idm-test radsec-proxy

Outputs could include:

 The RadSec proxy is connected to the ID Manager auth gateway.
 RadSec and ID Manager auth proxy functionality are disabled on the Aerohive device.

263
ID Manager port test

The ID Manager RadSec protocol uses TCP port 2083. The tool below verifies reachability:

exec _test tcp-service host 52.72.239.248 port 2083

Testing TCP connection for host=52.72.239.248, port=2083, timeout=10 seconds

Test successful.
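The three ID Manager slides above (the show idm comparison, the invalid-certificate recovery steps and the RadSec proxy and port tests) amount to a checklist. The following is an added example, not part of the deck or the IQEngine CLI, that parses the key/value lines of show idm as shown on the comparison slide and reports the conditions those slides say to act on; the 30-day expiry warning threshold is this example's choice, not a product value, and the sample input is the XIQ Classic column from the slide.

```python
"""Health-check the `show idm` output of an ID Manager RadSec proxy.

Added example, not part of the Extreme Networks deck or the IQEngine CLI:
it parses the key/value lines `show idm` prints (format taken from the
comparison slide) and reports what the surrounding slides tell you to act
on: a RUN state other than connected, a destination port other than the
RadSec port 2083, and a RadSec certificate that is invalid, expired or
about to expire (the remedy on the slide is to clear the radsec root-ca and
end-cert keys, save config and do a full config upload).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

RADSEC_PORT = 2083
CERT_TIME_FMT = "%Y-%m-%d %H:%M:%S"
EXPIRY_WARNING = timedelta(days=30)  # this example's threshold, not a product value


def parse_show_idm(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict.

    Splitting on the first colon keeps timestamps like '23:55:31' intact;
    the trailing ' GMT' some firmware prints after the certificate dates is
    stripped so the dates parse with CERT_TIME_FMT.
    """
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # blank line or line without a key
        value = value.strip()
        if value.endswith(" GMT"):
            value = value[: -len(" GMT")]
        fields[key.strip()] = value
    return fields


def idm_findings(fields: Dict[str, str], now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the proxy looks healthy."""
    findings: List[str] = []
    if not fields.get("RUN state", "").startswith("Connected securely"):
        findings.append("RadSec proxy is not securely connected to the ID Manager server")
    if fields.get("Server destination Port") != str(RADSEC_PORT):
        findings.append(f"destination port is not the RadSec port {RADSEC_PORT}")
    if fields.get("RadSec Certificate state") != "Valid":
        findings.append(
            "RadSec certificate is not valid: clear radsec root-ca and end-cert, save config, full config upload"
        )
    expires = fields.get("RadSec Certificate Expires")
    if expires:
        exp = datetime.strptime(expires, CERT_TIME_FMT).replace(tzinfo=timezone.utc)
        if exp <= now:
            findings.append(f"RadSec certificate expired on {expires} GMT")
        elif exp - now <= EXPIRY_WARNING:
            findings.append(
                f"RadSec certificate expires on {expires} GMT (within {EXPIRY_WARNING.days} days)"
            )
    return findings


def check_idm_at(text: str, date_iso: str) -> List[str]:
    """Parse `show idm` text and evaluate it as of an ISO date (treated as UTC)."""
    now = datetime.fromisoformat(date_iso).replace(tzinfo=timezone.utc)
    return idm_findings(parse_show_idm(text), now)


# Sample input: the XIQ Classic column of the slide's `show idm` comparison.
SAMPLE_SHOW_IDM = """\
IDM client: Enabled
IDM Proxy IP: 10.16.142.204
IDM proxy: Enabled
IDM server: auth.aerohive.com
IDM server IP: 164.177.189.202
RUN state: Connected securely to the IDM server
IDM transport mode: TCP
Server destination Port: 2083
RadSec Certificate state: Valid
RadSec Certificate Issued: 2013-11-16 23:55:31
RadSec Certificate Expires: 2014-02-17 23:55:31 GMT
"""

if __name__ == "__main__":
    # Evaluate the same output well before, shortly before and after expiry.
    for check_date in ("2013-12-01", "2014-02-01", "2014-03-01"):
        print(check_date, check_idm_at(SAMPLE_SHOW_IDM, check_date) or ["healthy"])
```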

264
Show users on AP

AH-006700-2#show user

Current user size: 10112
Current user number 9999
Idx. Name Method Passwd-digest PSK-digest Valid Group
---- --------- ------ ------------- ---------- ----- -----------
1 ppks10001 auto PM^I0 PM^I0 Yes PPSK-limit
2 ppks10002 auto u!vj9 u!vj9 Yes PPSK-limit
3 ppks10003 auto r$Z-@ r$Z-@ Yes PPSK-limit
4 ppks10004 auto vur(* vur(* Yes PPSK-limit
5 ppks10005 auto L/'G1 L/'G1 Yes PPSK-limit
6 ppks10006 auto "dS(L "dS(L Yes PPSK-limit
7 ppks10007 auto n&@ae n&@ae Yes PPSK-limit
8 ppks10008 auto 'Q$U2 'Q$U2 Yes PPSK-limit
9 ppks10009 auto P'r[: P'r[: Yes PPSK-limit

265
Check AP Time

266
Show AP Time Zone
Select Device>Actions>Advanced>CLI Access

267
RADIUS Test Tool

exec aaa radius-test 172.18.253.135 username user1 password ********* ms-chap-v2

RADIUS server is reachable. Get attributes from RADIUS server: None

(Diagram: the AP sends the RADIUS test to the RADIUS server)

Enter RADIUS test commands at the AP

268
Connect the Windows client to 802.1X SSID

269
Show AAA RADIUS-server
Local RADIUS: Enabled
Local RADIUS ACCT: Disabled
Auth Port: 1812
Acct Port: 1813
Proxy: Disabled
Auto Shared Secret: Enabled
Station Auth Type: tls peap ttls leap md5
CA: Default_CA.pem
Server Cert: Default-Server_cert.pem
Private Key: Default-Server_key.pem
Group Map: memberOf
Remote Retry Period: 30 secs
Local Check Period: 300 secs
Require Message Authenticator: No
Ldap Retry Interval: 600 secs
primary active-directory (active):
Admin User: hiveapadmin
Full Domain Name: testneta.local
TLS Enabled: yes
1st domain info (default):
Domain Name TESTNETA
Server: 172.16.1.28
BindDN: hiveapuser@testneta.local
Library SIP: Disabled
primary library SIP parameters:
Port: 6001
270
ROAMING cache sharing

show roaming cache

UID=User profile group ID; PMK=Pairwise Master Key; TLC=PMK Time Left in Cache; Life=PMK Life; A=authenticated; L=CWP Logged In; D=Disconnected; M=managed by MDM
Roaming for this AP: enabled
Maximum Caching Time: 3600 seconds
Caching update interval: 60 seconds
Caching update times: 60
Roaming hops: 1
Broadcast way: access backhaul
No. Supplicant Authenticator Size UID PMK PMKID Life Age TLC Hop ALDM FT CWP was accepted
--- -------------- -------------- ---- --- ----- ----- ---- ------- ----- --- ---- ---
0 8c2d:aa4b:6147 e01c:4134:bd28 864 1 n/a n/a -1 798669 3592 1 YNNN N
1 5cf9:38a0:ba56 e01c:4135:44e8 864 1 n/a n/a -1 46149 3592 1 YNNN N
2 109a:ddb7:8507 e01c:4134:9ce8 864 1 n/a n/a -1 1377 3544 1 YNNN N
3 109a:ddb9:b3df e01c:4134:b468 864 1 n/a n/a -1 126 3595 1 YNNN N
4 20c9:d0e1:d85b e01c:4135:22e8 864 1 n/a n/a -1 736 3585 1 YNNN N

271
Load balancing and roaming

(5593)Rx assoc req (rssi 30dB)
(5595)Tx assoc resp <reject> (status 5, pwr 5dBm)
(1840)Sta(at if=wifi0.3) is de-authenticated because of notification of driver
272
High density and roaming

(5593)Rx assoc req (rssi 30dB)
(5595)Tx assoc resp <reject> (status 5, pwr 5dBm)
(1840)Sta(at if=wifi0.3) is de-authenticated because of notification of driver
273
Client device association history

274
Show Auth

Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
PMK=Pairwise Master Key; PTK=Pairwise Transient Key;
GMK=Group Master Key; GTK=Group Transient Key;
Auth flag: M=Mac-Based-Auth passed; X=802.1X passed; C=CWP passed; F=Using failure-UPID;
if=wifi1.1; idx=18; AA=08ea:4489:e2e8; SSID=galen; default-UID=1;
Protocol-suite=open; MAC-based-auth=Enabled;
No. Supplicant UID PMK PTK Life State Reauth-itv Flag FT-Roam
--- -------------- ---- ----- ----- ----- -------------- ---------- -------- -------
0 109a:ddb8:6d4b 1 n/a 0000* -1 open 0 0007: M N
Local Cache Table empty:
PMK-R0 and PMK-R1 Cache Table empty:

275
Lab #4
Guest network Troubleshooting

You are receiving complaints that the Guest Wi-Fi is not working.

Your Task: Fix Guest Wi-Fi connectivity.

Hint: Users should receive an IP address from the 10.5.8.0/24 range.

All issues should be fixed from within the StudentX policy for proper evaluation!

276
Private pre-shared key
Frame analysis using WIRESHARK and XIQ APs

277
Problem Statement

The IEEE continuously expands the 802.11 standard. Chipset vendors incorporate
new feature-sets to capitalize upon the new features provided for in the standard.
Drivers for Wireshark and other capture tools lag behind the technology. In some
cases years may pass between the adoption of a new technology and the ability
to capture frames demonstrating that new technology.

278
The Solution

 Use an access point as a capture tool.
 Send the data directly to a computer running Wireshark.
 Use Wireshark, eye P.A., or another tool for analysis.
 Note: For HiveManager Classic, refer to Matthew Gast's blog in Boundless Magazine.

279
Packet Capture within XIQ

280
Download PCAP File and Open with Wireshark

281
Packet Capture Using the CLI
1. Identify the AP to be used as a remote sniffer
2. Record the IP address of the desired AP

282
Obtain the console access Admin credentials

 Global Settings > Device Management Settings
 Record the Password

Note: The password can be overridden at the policy and device level.
283
Connect to the AP using SSH

 Use PuTTY or another SSH client and connect to the remote sniffer AP
 Alternatively, you can use the SSH client built into XIQ or the Monitor>Actions>Advanced>CLI Access window.

284
Configure the AP as a remote sniffer

 Type and run the following command:

exec capture remote-sniffer user sniff ***** host-allowed 10.0.0.8 local-port 14700 promiscuous

 user sniff: the username for the remote-sniffer service; *****: its password
 host-allowed 10.0.0.8: the IP address of the PC running Wireshark (only this host may connect)
 local-port 14700: the remote interface port Wireshark connects to
 promiscuous: optional, enables promiscuous mode

 Verify the settings by running the following command:

show capture remote-sniffer

SOHO_550#show capture remote-sniffer
Status: Enabled
Promiscuous Mode: Enabled
Host Allowed: 10.0.0.8
Local Port:14700

285
Configure Wireshark

 Launch Wireshark
 On the top navigation, click Capture
 Click Options

286
Configure Wireshark

In the bottom right-hand corner, click Manage Interfaces


287
Configure Wireshark

 Click the Remote Interfaces tab


 Click the + sign to create a new remote interface
288
Configure Wireshark

 Enter the IP address of the remote sniffer AP


 Enter the port number
 Select Password authentication
 Enter the Username and Password

289
Configure Wireshark

Double click the new interface to start the capture

290
Configure Wireshark

 View the capture in progress.
 Stop the capture and save the capture file as needed.

291
Creating a New User

 Global settings
 XIQ administration sidebar menu will appear
 Click Add

292
Creating a New User

 Multiple types of user and admin accounts can be created in XIQ
 Administrator user accounts can have different read/write access based on predefined administrative roles and locations
 To create an admin/user account click Global Settings
 Select Account Management, then click Add
293
Creating a New User - Internal

 When creating a new admin, Role Based Access Control offers two choices:
 Create a new admin: Additional admins from within your organization
 Grant access to external admin: Additional admins from outside the organization
(resellers, distributors…)
 To create an internal admin account, select ⦿ Create a new admin account
294
Creating a New User
Internal

 Email Address: Enter internal company email address
 Name: Enter name
 Idle Session Timeout: Enter a value between 5 and 240 minutes
 Assign a Role and a Location
 Click Save and Close

295
Creating a New User
Internal

 Employee will receive an email requesting that they create a password for their administrative account
 Click Setup Password

296
Creating a New User
Internal

 They will be directed to XIQ to create their password
 Click Save and Next
 The new administrator can now log in

297
Creating a New User - Internal

298
Creating a New User
External

 Access can also be granted to outside users: admins/users from outside the organization (resellers, distributors…)
 To create an external admin account, select ⦿ Grant access to external admin

Note: External users must have existing XIQ accounts. XIQ accounts are checked against their email address & will be marked by the EXT icon next to their name.
299
Role Based Access Control

 XIQ supports RBAC
 When creating a new administrative account you can assign a role
 A role defines what functions the admin is able to access within XIQ
 Access can be further restricted by location – users will only have access to devices in specific locations

300
Role Based Access Control

 Roles can be assigned access to certain locations based on topology maps
 Roles are assigned based on the tier two level of topology maps
 The Administrator and the Guest Management roles have universal access and cannot be assigned to unique locations

301
Role Based Access Control

 To view the topology map tiers, from the top-level menu, click Plan
 Tier one of the network map is called a network name and it is often named after your organization.
 The definition of the second tier depends on how you define your network map.
 You can assign either a geographic location, such as a city or town, or a building to the network name.
 For role-based access control, tier two is the most important tier because its assignment determines the admin/user access.
 Example #1: Tier two based on locations
 Example #2: Tier two based on buildings
 RBAC access rights cannot be assigned by floor

302
Role Based Access Control

 For role-based access control, tier two is the most important tier because its assignment determines the admin/user access:
 Example #1: Tier two based on locations
 Example #2: Tier two based on buildings
 RBAC access rights cannot be assigned by floor

303
Role Based Access Control

 Administrator
 This role provides full access to all configuration,
monitoring, & administrative functions. It is the only role
that has access to account and license management.
 Operator
 This role provides full access to most functions including
network and device configuration. However, it does not
allow access to user account and license management.
 Monitor
 Monitor role provides full access to troubleshooting and
read-only access to monitoring & configuration functions.

304
Role Based Access Control

 Help Desk
 Help Desk role provides full access to the Troubleshoot tab
& search access to the User 360 View and Client 360 View.
 Guest Management
 This role provides access to create network credentials.
 Observer
 Observer role provides read-only access to most functions except for account and license management.

305
Private pre-shared key
XIQ Troubleshooting Tool

306
Help Desk View
Issue List

Issue list view

Click on a client MAC to go to the "Diagnosis" view

Identical issue messages are aggregated

307
Help Desk View
Diagnosis

Event History

Event Description Suggested Action

308
Help Desk View
Diagnosis

Case number can be assigned to match with external Help Desk systems

Detailed client messages captured by the ”Client Monitor” feature.

Note: The Client Monitor feature is ON by default for all clients!
309
Issue Escalation

Click ‘Take Action’

Select ‘Escalate’

310
Issue Escalation

Escalation message distribution

311
Issue Escalation

 Anyone in the email distribution list will get the email message about the issue escalation
 The email includes:
 Where the issue occurred
 Issue description
 Suggested Remedy
 Case # (if assigned)
 Comments

Person responsible for escalation

312
Issue Resolution

313
Issue Resolution

314
Issue Resolution

 Anyone in the email distribution list will get the email message about the issue escalation
 The email includes:
 Where the issue occurred
 Issue description
 Suggested Remedy
 Case # (if assigned)
 Comments

315
Issue Resolution

Issues can be filtered by time, status and type

Unresolved Issues

Resolved Issues

316
Issue Types

317
Search by MAC

Issues can be searched by MAC address

318
Search by Hostname

Issues can be searched by Hostname


PC02

319
Troubleshoot Now

Configure Client Monitor:
- Which APs
- Which location
- How long to collect

320
SSH Proxy

321
Overview

 SSH for APs and Switches
 SSH proxy session
 SSH administrator role
 SSH proxy global settings
 SSH proxy device settings
 SSH client
 Device management setting

322
SSH for APs and Switches

(Diagram: SSH client to access point through an SSH tunnel)

 XIQ facilitates SSH access to managed devices (AP and switch)
 Creation and management of an end-to-end SSH tunnel
 The network admin can SSH to a managed device using any SSH client the admin prefers
323
SSH for APs and Switches

 XIQ does not participate in the conversations during the SSH session and has no knowledge of the content inside the SSH tunnel
 XIQ manages the time-out and will terminate any SSH session upon time out
 Any admin with sufficient privilege can proactively terminate any SSH session via the NG graphical user interface (GUI)
324
SSH Proxy Session

(Diagram: Admin, access point and SSH proxy servers)

 Admin selects a device in XIQ
 XIQ contacts the SSH proxy server to get an available port, generate credentials and create a user
 Via CAPWAP, XIQ sends the SSH proxy server IP address, random port, username and credential to the AP
325
SSH Proxy Session

 Managed AP or switch initiates the SSH session via the random port to an allocated SSH proxy server in the cloud
 Port numbers used for the SSH session are random.
 Outbound ports that need to be open on the remote customer firewall: 22, 10000 – 15000

326
SSH Proxy Session

 Admin uses the preferred SSH client to contact the SSH proxy server and begin the SSH session with the AP

327
SSH Proxy
Administrator Role

 To enable the SSH proxy, an XIQ Admin must already have the highest-level access of ⦿ Administrator
 None of the other XIQ roles have access rights to use the SSH proxy

328
SSH Proxy
Global Settings

 Admin first needs to globally enable SSH
 Click the gear icon
 Click SSH
 Click SSH Availability

329
SSH Proxy
Global Settings

 A security warning message will appear
 Select ☑ Enable SSH

330
SSH Proxy
Device Settings

 Return to the device Manage view
 Select ☑ AP or switch
 Click the edit icon

331
SSH Proxy
Device Settings

 Click SSH
 Security warning and device SSH
settings appear

332
SSH Proxy
Device Settings

 Select ⦿ a different timeout period if necessary
 Click Enable SSH

333
SSH Proxy
SSH Session being set up

SSH session is being set up

334
SSH Proxy
Active SSH Session

 SSH Active
 Time remaining
 SSH proxy IP address
 Randomized SSH port

335
SSH Proxy
SSH client

 Use your preferred terminal emulation client to establish the end-to-end SSH session
 Log in with the device admin CLI credentials

336
SSH Proxy
SSH client

Enter your CLI diagnostic commands

337
SSH Proxy or Supplemental CLI

 SSH sessions should be used for CLI troubleshooting of individual devices
 Device configuration via SSH is discouraged because any device configuration changes are not saved in the XIQ database

Best Practice: Use the Supplemental CLI object to configure CLI commands not available in the XIQ GUI
338
SSH Status

From the monitor view, an SSH status column shows how much time is left before the session times out

339
Device Management Settings
Global

 Unique admin passwords can be created for XIQ devices
 The administrator uses the device password to SSH or console into the AP's command line interface (CLI)
 To configure an admin password for all devices managed by XIQ click: Account Name -> Global Settings -> Device Management Settings

Best Practice: For security purposes, we recommend that XIQ devices have a unique admin password for CLI login. The device password should be different from the password used to log in to XIQ.
340
Device Management Settings
Global

341
Device Credential Settings
Single Device

 Device CLI passwords can also be set for each independent device
 Manage > Devices
 Click the Host Name of the device

342
Device Credential Settings
Single Device

 From the Device 360° view window, click Device Credentials
 Enter and confirm the password for the Root Administrator
 You can also create a CLI password for a Read Only Administrator
 Credentials that are created are unique to this one device

343
Device Credential Settings – Policy

 In the Additional Settings tab of the guided configuration, device credentials can also be assigned.
 Credentials that are created are used by all devices assigned to the defined Network Policy

344
Thank You

345
WWW.EXTREMENETWORKS.COM

346