FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine
Release 2.13

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
CONTENTS

Preface
  Audience
  Conventions
  Product Documentation
  Obtaining Documentation
  Documentation Feedback
  Cisco Product Security Overview
  Obtaining Technical Assistance
  Obtaining Additional Publications and Information

CHAPTER 1 FAQs and Troubleshooting
  General FAQs and Troubleshooting
  Deployment Wizard Troubleshooting
  Faults FAQs and Troubleshooting
  Devices FAQs and Troubleshooting
  Configuration FAQs and Troubleshooting
  Firmware FAQs and Trouble

CHAPTER 2 Fault Descriptions
  Access Point /Bridge Faults
  Radio Interface Faults
  IDS (Intrusion Detection System) Faults
  Voice Faults
  WLSE Faults
  AAA Server Faults
  Switch Faults
  Router Fault
  WLSM Faults

INDEX
Preface

This guide provides troubleshooting hints, FAQs, and information on faults for the CiscoWorks Wireless LAN Solution Engine and Wireless LAN Engine Express. This guide consists of the following chapters:
• FAQs and Troubleshooting
• Fault Descriptions

This guide is frequently updated on Cisco.com.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Product Documentation

Note: We sometimes update the documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 1 describes the product documentation for WLSE 2.12. Unless otherwise indicated, these documents apply to both the WLSE and WLSE Express.
Table 1 Product Documentation (continued)

Document Title: Regulatory Compliance and Safety Information for the 1130-19 CiscoWorks Wireless LAN Solution Engine
Available Formats:
• Printed document included with the product.
• PDF on the WLSE Recovery CD-ROM.
• On Cisco.com:

Document Title: Regulatory Compliance and Safety Information for the 1030 CiscoWorks Wireless LAN Solution Engine Express
Available Formats:
• Printed document included with the product.
• PDF on the WLSE Recovery CD-ROM.
Obtaining Documentation

Cisco.com
You can access the most current Cisco documentation at this URL: http://www.cisco.com/techsupport
You can access the Cisco website at this URL: http://www.cisco.com
You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD
Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product.
Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.
CHAPTER 1
FAQs and Troubleshooting
Revised: June 20, 2006, OL-8376-01

This chapter provides FAQs and troubleshooting hints for all WLSE functions.
General FAQs and Troubleshooting
• Q. Which ports and protocols does the WLSE use?
• Q. Which transport protocols and authentication methods does WLSE use?
• Q. Can I use a different HTTP port to manage the access point?
• Q. Can SSH be disabled?
• Q. Devices are being displayed by IP address instead of hostname. Can I change this?
• Q. How can I get information about the WLSE’s operating system and hardware?
• Q. Can I install WLSE 2.
Q. Can SSH be disabled?
A. It cannot be disabled on the WLSE itself, but you can use the firewall command to deny all SSH connections. For example, the following CLI command causes the WLSE to reject all incoming SSH connections on the Ethernet 0 interface while still allowing connections through other protocols and other ports:

    firewall ethernet0 private ssh

Q. Devices are being displayed by IP address instead of hostname.
A. Upgrading your WLSE will not disrupt service on your access points. The APs' connectivity will remain intact and the WLAN will function normally.

General Troubleshooting
This section provides the following troubleshooting information:
• Symptom After the WLSE reboots, the Internal Server Error message appears in the UI.
Symptom When I try to access an access point web page through the WLSE, the following error message appears: Action Cancelled.
Possible Cause The SNMP user on the access point does not have enough rights.
Symptom After the WLSE 1130 series starts up, the setup login prompt appears. After you use the setup program, the WLSE cannot connect to the network.
Possible Cause
– The network cable is not connected to the Ethernet 0 port.
– The Ethernet 0 interface is disabled or misconfigured.
– The system is configured correctly, but the network is down or misconfigured.
– DNS is misconfigured.
5. If no conditions are preventing the system from connecting to the network, contact Cisco’s Technical Assistance Center.

Symptom Cannot connect to the WLSE using a Web browser.
Possible Cause
– The system cannot connect to the network.
– HTTP or HTTPS is not enabled.
– If connecting via HTTP, the IP address was not appended with :1741.
– The client system is not configured.
Recommended Action
1.
Symptom The system time or date is incorrect.
Possible Cause
– NTP is misconfigured.
– The system clock is set incorrectly.
Recommended Action Make sure NTP is configured correctly and that the system clock is set correctly. For information about maintaining the system time and date, see the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.13.
2. If you have specified hosts using the telnetenable CLI command, make sure the host from which you are attempting to Telnet is on the list.
3. If you are using a DNS server, perform the following step: Configure the system to use a functioning DNS server by entering:

    # ip name-server ip-address

where ip-address is the IP address of the DNS server. If you are using the import CLI command, proceed to the next step.
4.
Symptom After performing certain operations on the WLSE, such as clicking Apply in the Display Faults page, then clicking the client browser Refresh button, a pop-up message is generated indicating that the page cannot be refreshed.
Possible Cause The browser Refresh button was used.
Recommended Action Avoid using the Refresh button on the browser. Instead, use the navigational tools provided by the WLSE user interface.
Symptom Access points do not get the expected configuration applied from a Wizard template.
Possible Cause An auto-managed configuration template exists that is assigned to meet other matching criteria.
Recommended Action Check the matching criteria by selecting Configure > Auto Update > Auto-Managed Configuration > Assign Templates.

Faults FAQs and Troubleshooting
• Faults FAQs
• Faults Troubleshooting
• Q.
b. Change the Fault History Truncation Interval parameter to reduce the number of days the cleared faults are saved.

Q. Why didn’t the fault color on the device tree change (it remains red) after I acknowledged a P1 fault on an AP?
A.
A. Yes. For more detailed information on which policies can report traps (RF Port Status and RF Port Admin Status) to the WLSE and how to set it up, see the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, 2.13.

Q. What happens to faults when radio management features are disabled using the radiomanager disable CLI command?
A. The following happens:
– No new radio management related faults are generated.
Symptom After adding an AAA server to a WLSE, the fault ‘AAA server is Not available’ is generated for that AAA server.
Possible Cause There are several possible reasons for this error message: the wrong secret (a secret that does not match what is configured on the AAA server) was entered, the WLSE IP address is not configured as a NAS on the server, or the server is unreachable.
Symptom SNMP Unreachable faults are displayed more frequently than the set polling interval.
Possible Cause When the WLSE polls for any faults, it also checks if the device is SNMP reachable. If the device is unreachable, it will generate an SNMP Unreachable fault no matter what the SNMP Reachable poll interval is.
Recommended Action None.
Q. What is an invalid CDP seed?
A. An invalid seed is a device that does not run Cisco Discovery Protocol (CDP), such as a PC or workstation. Such a device does not function as a seed because it does not allow the WLSE to traverse the network and find other devices. In the discovery run log, invalid seeds are shown as SNMP unreachable.

Q. Can I discover devices if CDP is disabled?
A.
Devices Troubleshooting
This section contains the following troubleshooting information:

Discovery/Device Management Troubleshooting
• Symptom Devices were discovered but are not displayed in the GUI; for example, in Reports.
• Symptom There is a time discrepancy in the scheduled discovery jobs.
• Symptom The SNMP Query Authorization Exception is recorded in the discovery log.
Symptom There is a time discrepancy in the scheduled discovery jobs.
Possible Cause The local or system time is not set correctly on the WLSE.
Recommended Action
a. Reset the WLSE system time (UTC) using CLI commands as follows:
   – Enter services stop to stop services.
   – Enter the clock command to reset the time.
   – Enter services start to restart the services.
b. Set the local browser time. Select Admin > Appliance > Time/NTP/Name/Webtimeout.
Table 1-1 Discovery Run Log Messages (continued)

Message: Unable to auto-manage device: x.x.x.x due to MAC filter values or time period for auto-management has expired.
Possible Cause: A new device is being discovered but could not be
Recommended Action: See the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.13.
Symptom After creating a customized device name format, truncation of device names in displays such as device trees makes it difficult or impossible to distinguish one device from another.
Possible Cause In device trees, only 30 characters can be displayed.
Recommended Action Reconstruct the device identifier string so that the unique portion of the name comes first; for example, place the IP address first.
Symptom AP 1230 and AP 1231 are not shown in WLSE displays.
Possible Cause These APs have the same sysObjectID as the AP 1210.
Recommended Action Check the AP 1210 system group and other WLSE listings for AP 1210. AP 1230 and AP 1231 will be shown there.

Symptom Frequent client inventories are causing too much network traffic or degrading WLSE performance.
• Q. Can I give a configuration job a name that is used for a firmware or radio management job?
• Q. Why do I get the following error message when I upload a configuration template with SCP using the Overwrite option: Invalid SSH version running on the device?
• Q. What happens when I apply a configuration to a device with an existing configuration?
• Q. If a template is valid for an access point with an 802.
A. The two configurations are merged unless you have specified that you want to overwrite the existing configuration when you ran the job. If you select Apply Template to Running Configuration when you create the Configuration job, the selected configuration template will replace the startup-config on the selected device(s).

Q. If a template is valid for an access point with an 802.
Q. What is a startup configuration template?
A. A startup configuration template is used right after a device (access point) reboots. It requires the DHCP server to be properly set up so that the access point can pick up its startup configuration from the WLSE. For this to work, you must set up the following:
a. Enter the in the Boot Server Host Name field (option number 066) on the DHCP server.
b.
Configuration Troubleshooting
This section provides the following troubleshooting information:
• Symptom When I perform a configuration update to the startup-configuration of a device, the device becomes unreachable.
• Symptom Configuration jobs fail when the hostname command is used in the Custom Values page.
• Symptom The WLSE will not save a newly-created configuration template.
Symptom A configuration job fails using a template imported from an IOS access point.
Possible Cause It has commands such as power local 100 that cause it to fail.
Recommended Action Check the job log to see which commands failed; remove the commands from the template using the Custom Values screen; then save the template and rerun the configuration job.

Symptom The banner command in an IOS custom template fails or is incomplete.
Symptom An SCP job fails with a username that has privilege 15.
Possible Cause If the device has the following configuration:

    aaa new-model
    no aaa authentication login default
    no aaa authorization exec default

logging in with a privilege 15 username/password requires that the enable secret/password be entered in exec mode.
Recommended Action Configure the authentication to use local or server level authentication.
Q. What kinds of job logs are available?
A. There are two kinds of job logs: the job run log and the jobvm log.
• The job run log is where events are logged for a particular job’s run. This log can be used to check what went wrong with the job and make any required corrections. The job run log can be viewed by selecting a particular job from the job list, then clicking Job Run Detail.
Symptom When uploading an image to an access point from a remote TFTP server, the access point reports an Invalid checksum error or Unknown failure.
Possible Cause The image filename entered in the job does not match the image filename on the remote TFTP server.
Recommended Action Make sure the filenames on the job and on the server are the same.
For more information on updating firmware, see the User Guide for the CiscoWorks Wireless LAN Solution Engine, 2.13. You can access a PDF version of this guide by clicking View PDF in the WLSE’s online help.

Symptom An SNMP job fails.
Possible Cause The read community string does not have sufficient permissions.
Table 1-2 Telnet/SSH Credentials Required
Device Login Sequence / Telnet Credential Fields Required
Username: Password: prompt>enable Password: enable prompt # User Name Password: prompt>enable Password: enable prompt# User Password Username: Password: enable prompt# User Name enable prompt# (no credentials required) Username: prompt>enable Password: enable prompt# User Name Username: prompt# User Name Username: Password: pr
A. The As Of column indicates the starting time of the aggregation for the utilization report. Therefore, the starting time shown might be earlier than the date range selected for the report.

Q. How long can report data be kept in WLSE?
A. The trends reports data is kept in the WLSE database for a specific amount of time, which can be configured (see Devices > Discover > Inventory > Polling).

Q.
Symptom The Top N Busiest Clients report and the Client Statistics report display 0 (zero) values.
Possible Cause Wireless client polling frequency is set to 51 minutes by default. The counters could reset between two polling cycles which would cause zero values when the reports are run.
Recommended Action Increase the polling frequency by selecting Devices > Discover > Inventory > Polling.
Symptom After running a job, the updated data does not appear in a report.
Possible Cause A full polling cycle has not completed and the new data has not been entered in the database.
Recommended Action Verify that the polling cycle has completed as follows:
a. Select Admin > Appliance > Status > View Log File.
b. Click jobvm.log.
c. Scroll through the log to find the message: “Finished Inventory” for your particular job.
Possible Cause This is because the very first aggregations are based on the day and time that the WLSE’s system software was installed, and the formula for computing the next aggregation is causing this discrepancy.
Recommended Action No action is required. Subsequent aggregations will occur at the normal intervals.

Symptom In the Group Client Association Report, the Number of Clients Associated with this Group displays a 0 (zero).
Auto Re-Site Survey
• Q. Is there a limit to the number of floors or access points that can be enabled for the auto re-site survey?
• Q. Will it cause problems if a floor that has no access points yet is added to Auto Re-Site Survey?

Miscellaneous
• Q. Can I give a radio management job a name that is used for a firmware or configuration management job?
• Q. Can I use a non-Cisco RADIUS server with radio management?
• Q.
Q. What is the throughput impact if Radio Monitoring is enabled?
A. Each AP scans all supported non-serving channels every 90 seconds. Each non-serving channel scan lasts for 20 to 30 ms depending on radio type. Because of the short duration, the overall impact to the throughput should be less than 1% of the total bandwidth.

Self Healing
Q. How do “Hot Standby” and “Self-Healing” work together?
A.
You use Assisted Site Survey to generate your power settings and apply the following power settings (respectively):
    {5,10,20,5}
AP C goes down and Self Healing adjusts the power settings:
    {5,20,down,20}
AP C comes back up and Self Healing adjusts the power settings:
    {10,5,20,5}
In the final state, this is an equivalent coverage—perhaps not the exact settings, but equivalent.
The radio in question is detecting a large number of neighboring radios. If a radio is detecting too many other radio beacons (the warning message includes the total detected), it might not have the bandwidth to process the beacons. This makes the radio in question unreliable for vouching for other radios.
Q. Why does the Client MAC Spoofing fault reappear after it has been cleared?
A. The WLSE raises faults for all clients identified by MIB ciscoWdsIdsMacSpoofClient (1.3.6.1.4.1.9.9.457.1.1.3.1.3). It retains the history of all spoofed MAC addresses. Because the WDS maintains the history of all spoofed MAC addresses, the WLSE raises the MAC spoofing fault during the poll cycle, even after the fault is cleared on the WLSE.
Symptom My clients are not being authenticated through WDS.
Possible Cause You have not created a server group on the WDS for client authentication.
Recommended Action To create a server group on the WDS for client authentication, you can use the AP CLI, the AP web interface, or the WLSE configuration templates for an AP-WDS, or the WLSM CLI for a WLSM-WDS.
• Q. When I select devices in the Assisted Site Survey Wizard, why are some shown in red?
• Q. When I’m using the Assisted Site Survey Wizard, why is the Next button disabled after I complete step one?
• Q. In the Assisted Site Survey Wizard, why is Use Old Radio Scan Data disabled?
• Q. In the Assisted Site Survey Wizard, what does None mean in the Last Scan Time field?
• Q.
Q. Why does Location Manager show a coverage map for an AP based on the configured transmit power setting even when the radios are shut down?
A. If you did not select Display coverage for operational radio interfaces only in Edit > Preferences, Location Manager displays coverage based on the configured values. Even when a radio is turned off, it still has a configured transmit power.
Q. When I’m using the Assisted Site Survey Wizard, why is the Next button disabled after I complete step one?
A. You have not selected any acceptable devices that are required for the next step. If any of the selected devices are shown in red, you need to deselect them before you can go to the next step.

Q. In the Assisted Site Survey Wizard, why is Use Old Radio Scan Data disabled?
A.
Q. In the Constraints and Goals step in the Assisted Site Survey Wizard, how do I select multiple channels in the channel list?
A. For Windows users, control-click on the channels to add them to the selection. The selected channels are highlighted.

Q. How long should the Constraints and Goals calculation step take in the Assisted Site Survey Wizard?
A. It varies depending on the amount of radio scan and client walkabout data.
Radio Parameter Generation
Q. When WLSE is trying to calculate new radio parameter generations, why do I get an error about walkabout locations?
A. Before WLSE can generate radio parameters, you must have previously collected client walkabout data or you must have defined the dimensions of your building and floor(s).
Symptom It takes a very long time to import a building or floor image into Location Manager.
Possible Cause The resolution and pixel size of the image file are very large.
Recommended Action The larger an image's resolution, the longer it takes to upload to the server and the more memory it uses, so it is recommended that your building and floor images be less than 1,000x1,000 pixels.
There are quite a few reasons why an interface might be removed from the scan. The WLSE examines each interface separately; after that, if all interfaces have been removed, this error is displayed.
Recommended Action Use the radio management verification tool to check on the status of the devices that are displaying errors for AP radio scan. Right-click on each device and select Verify RM Capability.
Intrusion Detection System FAQs and Troubleshooting
• Intrusion Detection System FAQs
• Intrusion Detection System Troubleshooting

Intrusion Detection System FAQs

Detecting Rogue APs
• Q. How does WLSE detect rogue APs?
• Q. What is the difference between a rogue and a friendly AP?
• Q. How does the WLSE distinguish between a rogue device and an ad-hoc device?
• Q.
Detecting Rogue APs
Q. How does WLSE detect rogue APs?
A. Here is a brief summary of the rogue AP detection logic:
a. A rogue AP appears and starts sending out beacons and responding to probe-requests.
b. A nearby managed and RM-enabled AP or client detects the beacon (same channel or off-channel) or probe response (off-channel).
WLSE considers hardware, both client and access points, to be trusted sources, and assumes that vendors are reporting the field correctly. WLSE expects only client machines and peripherals to emit beacons with the IBSS flag set (it is very unlikely that an access point would emit an IBSS beacon). In rare cases, however, a malicious station can spoof the field.
Q. I understand that WLSE does not accept SNMP traps that indicate an AP detected a rogue. So why is an AP that is currently designated as the WDS generating rogue AP SNMP traps?
A. The AP is generating the detected rogue trap, not the WDS functionality currently operating within the AP. This trap is based on authentication tattletale rogue detection, which is currently not reported to the WLSE.
– First, a rogue is detected which has an RSSI value higher than the configured threshold. For example, it has an RSSI value of -60 dBm and the configured threshold is -80 dBm.
– Then, the rogue is not seen for a while, and the WLSE marks it for deletion. (Rogue APs that are not heard from for a long time are candidates for deletion from the WLSE.)

Interference Detection
Q.
A. When the Friendly-to-Rogue policy evaluates a site, any device that hasn’t been seen in “too long a time” is reclassified as rogue. This time period starts when WLSE last observed the device, not after the administrator has set it to Friendly. To keep an unmanaged device as Friendly, set the maximum unobserved time to a value larger than the amount of time the device is expected to not be observed.
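The timing rule in this answer, modelled as an added Python sketch (not WLSE code): the unobserved timer runs from the last sighting, so marking a long-unseen device Friendly does not protect it at the next policy evaluation. The class, function names, BSSIDs and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class UnmanagedDevice:
    """Hypothetical record for an unmanaged AP tracked by the IDS."""
    bssid: str
    classification: str                            # "friendly" or "rogue"
    last_observed: datetime                        # last time any radio reported it
    marked_friendly_at: Optional[datetime] = None  # admin action; the timer ignores it


def evaluate_friendly_to_rogue(devices, now, max_unobserved):
    """Model of the policy described above: a Friendly device not observed for
    longer than max_unobserved is reclassified as rogue. The interval is measured
    from last_observed, never from marked_friendly_at."""
    reclassified = []
    for dev in devices:
        if dev.classification == "friendly" and now - dev.last_observed > max_unobserved:
            dev.classification = "rogue"
            reclassified.append(dev.bssid)
    return reclassified


def longest_unobserved_gap(sightings: List[datetime], now: datetime) -> timedelta:
    """Longest interval with no sighting, including the time since the last one.
    The maximum unobserved time must be larger than this to keep the device Friendly."""
    if not sightings:
        raise ValueError("no sightings recorded")
    points = sorted(sightings) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def demo():
    now = datetime(2006, 6, 20, 12, 0)      # constructed evaluation time (a Tuesday)
    max_unobserved = timedelta(days=2)      # constructed policy setting
    devices = [
        # Seen an hour ago: stays Friendly.
        UnmanagedDevice("00:11:22:33:44:01", "friendly", now - timedelta(hours=1)),
        # Last seen three days ago, marked Friendly five minutes ago:
        # reclassified anyway, because only last_observed counts.
        UnmanagedDevice("00:11:22:33:44:02", "friendly", now - timedelta(days=3),
                        marked_friendly_at=now - timedelta(minutes=5)),
        # Already rogue: the Friendly-to-Rogue rule does not touch it.
        UnmanagedDevice("00:11:22:33:44:03", "rogue", now - timedelta(days=10)),
    ]
    reclassified = evaluate_friendly_to_rogue(devices, now, max_unobserved)

    # A neighbour's AP that is powered off over the weekend (constructed sightings).
    office_hours_ap = [
        datetime(2006, 6, 15, 9, 0),    # Thursday
        datetime(2006, 6, 16, 18, 0),   # Friday evening
        datetime(2006, 6, 19, 8, 0),    # Monday morning
    ]
    gap = longest_unobserved_gap(office_hours_ap, now)
    return reclassified, gap


if __name__ == "__main__":
    reclassified, gap = demo()
    print("reclassified to rogue:", reclassified)
    print("longest unobserved gap:", gap)
```

With the constructed sightings the weekend gap is longer than the two-day setting, so that device would flip to rogue every Monday unless the maximum unobserved time is raised above the gap.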
• Q. Can I restore a backup that I made on a WLSE running beta software to a WLSE running released software?
• Q. Can I restore a backup from a WLSE 1105 to a WLSE 1130 series?
• Q. Can I upgrade from beta software to released software?
• Q. Are there any special considerations when performing actions on a redundant cluster?
• Q. Why are the WLSEs in my redundant environment exhibiting problems such as duplicate IPs, etc.
Check the status by using the CLI command redundancy status, or by selecting Admin > Appliance > Redundancy > Redundancy Status.

On the master DNS server, make sure that the DNS zone file for the inverse zone (in-addr.arpa) for the netblock contains the necessary PTR records for each WLSE.
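One way to run the PTR check above offline against a copy of the inverse zone file, as an added Python example (not a Cisco tool). The zone contents, host names and addresses are constructed, and the parser handles only single-line records with $ORIGIN, which is an assumption about the zone file's layout.

```python
import ipaddress

# Constructed sample: inverse zone for 192.168.10.0/24 with hypothetical host names.
SAMPLE_ZONE = """\
$ORIGIN 10.168.192.in-addr.arpa.
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2006062001 3600 900 604800 3600 )
     IN NS  ns1.example.com.
21   IN PTR wlse-a.example.com.    ; first WLSE
22   IN PTR wlse-old.example.com.  ; stale name left over from a replaced unit
"""

# Constructed sample: the address and name each WLSE is supposed to have.
EXPECTED = {
    "192.168.10.21": "wlse-a.example.com",
    "192.168.10.22": "wlse-b.example.com",
}


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def parse_ptr_records(zone_text):
    """Return {owner name: [PTR targets]} from a simple zone file."""
    origin = ""
    owner = None
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = _norm(tokens[1])
            continue
        if tokens[0].startswith("$"):               # $TTL and other directives
            continue
        if not line[0].isspace():                   # a new owner name starts the line
            owner = tokens.pop(0)
        upper = [t.upper() for t in tokens]
        if owner is None or "PTR" not in upper:
            continue
        idx = upper.index("PTR")
        if idx + 1 >= len(tokens):
            continue                                # malformed record, no target
        if owner == "@":
            fq_owner = origin
        elif owner.endswith("."):
            fq_owner = _norm(owner)                 # already fully qualified
        else:
            fq_owner = _norm(owner) + "." + origin  # relative to $ORIGIN
        records.setdefault(fq_owner, []).append(_norm(tokens[idx + 1]))
    return records


def check_wlse_ptr(zone_text, expected):
    """Return {ip: problem} for every WLSE whose PTR is missing or wrong."""
    records = parse_ptr_records(zone_text)
    problems = {}
    for ip, fqdn in expected.items():
        reverse_name = ipaddress.ip_address(ip).reverse_pointer
        targets = records.get(reverse_name, [])
        if not targets:
            problems[ip] = "missing PTR for " + reverse_name
        elif _norm(fqdn) not in targets:
            problems[ip] = "PTR points to %s, expected %s" % (
                ", ".join(targets), _norm(fqdn))
    return problems


if __name__ == "__main__":
    for ip, problem in check_wlse_ptr(SAMPLE_ZONE, EXPECTED).items():
        print(ip, "->", problem)
```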
Table 1-3 Redundancy States

Redundancy State: Active Lost Router
Description: Active node is not receiving responses from the standby node or from the default gateway. This could signify a network issue.

Redundancy State: Active Lost Standby
Description: Active node is not receiving responses from the standby node.

Redundancy State: Active Upgrade
Description: Active node is waiting for the standby node to complete a WLSE upgrade.
• Symptom Cannot back up WLSE configuration to a remote server when using the secure file transfer option.
• Symptom The ACS Failed Login Report link is missing.
• Symptom When using the MS NT Domain authentication module, the user could not log in by using the domain password.
Symptom When using Internet Explorer 6.0 to install a new image on a WLSE from a repository located on a Windows XP machine, the progress bar does not appear in the Install Software Updates window. This problem also occurs when you use Internet Explorer 6.0 and a Windows XP system as a client to install a new image on a WLSE.
Possible Cause The Internet Explorer 6.0 browser on Windows XP does not come with the Java plug-in installed.
Possible Cause At each instance of synchronization and failover, the standby AAA RADIUS server goes down, thereby triggering the “HA standby AAA radius server not available” fault during each instance.
Recommended Action
a. Select Faults > Manage Fault Settings.
b. Select the AAA Server settings in the relevant fault profile.
c. Set the consecutive polling cycle count to 2 for the “Radius Server Not Available” fault.
b. Telnet or SSH into the active 2.13 system and execute the CLI command reload. Wait until the reload is complete.
c. Telnet or SSH into the standby 2.13 system and execute the CLI command services start.

Symptom Both WLSEs in an HA pair are claiming the same VIP address.
Consolidating and Saving Log Files
The dumptech CLI command calls the diagnostic-info and tarlog commands, tars their output to an archive called dumptech.tgz, and sends the output to a named user and location. For information on this command, see the “Using the CLI” appendix in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.13 on Cisco.com at http://www.cisco.
CHAPTER 2 Fault Descriptions
This section describes the faults displayed in Faults > Display Faults. The following information is provided:
• Fault—The fault as it appears in the Display Faults table.
• Explanation—An explanation as to why the fault occurred.
• Related Setting—The threshold or policy you assigned to devices under Faults > Manage Fault Settings, IDS > Manage IDS Settings, or IDS > Manage Network-Wide IDS Settings, when applicable.
Access Point/Bridge Faults
Table 2-1 Access Point Faults
Fault Description: Access point ssid reclassified from Friendly to Rogue due to rule
Explanation: An access point that was previously determined to be Friendly has been reclassified to Rogue:
Related Setting: IDS > Manage Network-Wide IDS Settings > Rogue AP Detection > Friendly to Rogue AP Reclassification
Recommended Action: Use the fault details page to mark it friendly if the AP is
Table 2-1 Access Point Faults (continued)
Fault Description: AP CPU utilization is Overloaded (utilization %)
Explanation: The fault threshold set for the overloaded state has been exceeded.

Fault Description: AP is not registered with a WDS
Explanation: The managed access point is not registered with any WDS.
Table 2-1 Access Point Faults (continued)
Fault Description: Device was not reachable via SNMP
Explanation: The SNMP Agent could be down. Using the SNMP threshold setting, you configure the WLSE to poll the sysUpTime MIB object periodically. If at any time the WLSE fails to poll this MIB object, the WLSE generates this fault.
Related Setting: Manage Fault Settings > Access Point/Bridge Thresholds > SNMP Reachable
Table 2-1 Access Point Faults (continued)
Fault Description: Ethernet bandwidth utilization is Degraded (utilization %)
Explanation: The fault threshold set for the degraded state has been exceeded.

Fault Description: Ethernet bandwidth utilization is Overloaded (utilization %)
Explanation: The fault threshold set for the overloaded state has been exceeded.
Table 2-1 Access Point Faults (continued)
Fault Description: HotStandBy is active
Explanation: The access point that is configured for hot standby has become active. The following conditions could cause the hot standby access point to become active: the primary access point is down, the Ethernet port is down, or the Radio port is down.
Related Setting: Manage Fault Settings > Access Point/Bridge Policies > HotStandby Status
Table 2-1 Access Point Faults (continued)
Fault Description: MIC is disabled for the VLAN number
Explanation: MIC is not enabled for the selected VLAN on the access point.
Related Setting: Manage Fault Settings > Access Point/Bridge Policies > MIC per Vlan
Recommended Action: Log into the access point and enable the VLAN. Then, using the WLSE fault settings, enable the MIC for that VLAN.

Manage Fault Settings > Radio-802.
Table 2-1 Access Point Faults (continued)
Fault Description: WEP is disabled
Explanation: WEP is not enabled for the VLAN defined on the access point. (Note that the VLAN number is displayed in the Type column under Faults > Display Faults.)
Related Setting: Manage Fault
Recommended Action: Make sure you have set the policy correctly for the VLAN.
Radio Interface Faults
Table 2-2 Radio Interface Faults (continued)
Fault Description: Appeared up|down. Compensated for by Up/Down radio(s).
Explanation: The indicated radio appeared up or down on this AP, so other radios were modified to maintain coverage. After self healing has been applied to the other AP, this fault indicates the radio that had the failure.
Related Setting: Radio Manager > Self Healing > Finish
Table 2-2 Radio Interface Faults (continued)
Fault Description: Compensation calculation did not complete due to errors
Explanation: Errors forced the cancellation of Self Healing compensation calculations.
Related Setting: Not applicable.
Recommended Action: Display the Self Healing fault details page, then select the document with the eyeglasses. The error messages displayed on this page will explain the problem.
Table 2-2 Radio Interface Faults (continued)
The faults will clear when the WDS/WLSE is reauthenticated and Radio Monitoring is enabled correctly.

Fault Description: Not Monitored because: reason, Ignored
Explanation: To qualify for Self Healing, an AP must:
• Enable Radio Monitoring on both Serving and Non-Serving channels.

Number of CCMP Replay Discarded is Overloaded.
Table 2-2 Radio Interface Faults (continued)
Fault Description: Port is down
Explanation: The port is operationally down. When this fault is cleared, the following message displays: Port is up
Related Setting: Manage Fault Settings > Radio-802.11x Thresholds > RF Port AdminStatus
Recommended Action: Check the device to determine why the port is down.
Table 2-2 Radio Interface Faults (continued)
Fault Description: Retry Count rate is Degraded number per minute
Explanation: The retry count rate alarm indicates if the wireless medium is congested. The alarm will be raised if the MSDU retransmission rate per minute is greater than the specified threshold.

Fault Description: Retry Count rate is Overloaded number per
Table 2-2 Radio Interface Faults (continued)
Fault Description: WEP Error is in Degraded state (error rate %)
Explanation: The fault threshold set for the degraded state has been exceeded. When this fault has been cleared,
Related Setting: Manage Fault Settings > Radio-802.
IDS (Intrusion Detection System) Faults
Table 2-3 IDS Faults (continued)
Fault Description: Ad-hoc network ssid reclassified from Friendly to Rogue due to rule
Explanation: An ad-hoc network that was previously determined to be Friendly has been reclassified to Rogue. ssid is the Service Set Identifier of the unmanaged radio’s BSS.
Table 2-3 IDS Faults (continued)
Fault Description: Bad MIC while MFP enabled
Explanation: This fault is raised against the AP that is observed generating the violation.
Related Setting: Not applicable.
Recommended Action: Investigate the possibility that a rogue AP is conducting a spoofing attack against the managed network.
Table 2-3 IDS Faults (continued)
Fault Description: Client authentication error rate is Degraded number per minute
Explanation: The fault threshold set for the degraded state has been exceeded. When this fault is cleared, the following message displays: Client association error rate is OK.
Related Setting: IDS > Manage IDS Settings > IDS-802.
Table 2-3 IDS Faults (continued)
Fault Description: Excessive Association Frames in Channel: channel [Frames: framecount,Interval:windowsize]
Explanation: The fault thresholds have been exceeded.
Related Setting: IDS > Manage IDS Settings > General IDS Settings > Excessive Management Frame Detection
Recommended Action: Verify that the fault threshold is set correctly.
Table 2-3 IDS Faults (continued)
Fault Description: Excessive Disassociation Frames from STA: station [Frames: framecount,Interval:windowsize]
Explanation: The fault thresholds have been exceeded.
Table 2-3 IDS Faults (continued)
Fault Description: Number of CCMP Replay Discarded is Degraded.
Explanation: The fault threshold set for the degraded state has been exceeded. When the fault is cleared, the following message displays: Number of CCMP Replays Discarded is OK.
Related Setting: IDS > Manage IDS Settings > IDS-802.11x > CCMP Replays Discarded
Recommended Action: Verify that the fault threshold is set correctly.
Table 2-3 IDS Faults (continued)
Fault Description: Number of TKIP Local MIC failures is Degraded.
Explanation: The fault threshold set for the degraded state has been exceeded. When the fault is cleared, the following message displays: Number of TKIP Local MIC failures is OK.
Related Setting: IDS > Manage IDS Settings > IDS-802.11x > TKIP Local MIC failures

Fault Description: Number of TKIP Local MIC failures is Overloaded.
Table 2-3 IDS Faults (continued)
Fault Description: Radio Role must be “roleScanner” to support Frame Monitoring (was x).
Explanation: This fault is raised when a radio is initially configured for Frame Monitoring (where x is the integer value of the SNMP OID cd11IfStationRole from the CISCO-DOT11-IF-MIB), but then someone configures the radio out of scanning-only mode.
Related Setting: Radio Mgr > Frame Monitoring
Table 2-3 IDS Faults (continued)
Fault Description: Unregistered Client(s) present
Explanation: One or more unregistered clients have been detected in the wireless network, and are unsuccessfully attempting to authenticate with the APs.
Voice Faults
Table 2-4 Voice Faults
Fault Description: Voice Bandwidth Exceeded [Bandwidth In Use:current%,Threshold: threshold%]
Explanation: This is a warning that is triggered only when the voice bandwidth in use exceeds the threshold limit. The higher the percentage of bandwidth being used, the less is
Related Setting: Faults > Manage Fault Settings, then Edit the Default profile. Select RADIO-802.11a THRESHOLDS > Voice Bandwidth.
WLSE Faults
Table 2-5 WLSE Faults
Fault Description: Duplicate IP Detection
Explanation: During discovery, an AP with a duplicate IP is found and placed in the Duplicate IP folder under Devices > Managed > Manage/Unmanage. This folder contains access points that are in the pending state. A device becomes pending and is placed in this folder when:
• The same IP address is assigned to more than one access point.
• An access point’s IP address changes.
Table 2-5 WLSE Faults
Fault Description: Other node is running a different version. Redundancy will be turned off.
Explanation: A mismatch of WLSE software version has been detected between the active and the standby WLSEs.
Related Setting: Not applicable.
Recommended Action: Make sure the correct WLSE software has been installed on both the active and standby WLSEs.

Fault Description: Redundancy active mode enabled
Explanation: The WLSE sending this message is
Related Setting: Not applicable.
AAA Server Faults
Table 2-6 AAA Server Faults (continued)
Fault Description: EAP-FAST server is not available
Server Type: EAP-FAST
Explanation: Can be caused by any of the following reasons:
• WLSE IP Address is not configured as a NAS on
Related Setting: Manage Fault Settings > AAA > EAP-FAST > Response Time
Recommended Action: Check server configuration to make sure that:
• WLSE IP address is configured as NAS on the server.
Table 2-6 AAA Server Faults (continued)
Fault Description: EAP-MD5 server is Degraded
Server Type: EAP-MD5
Explanation: The fault threshold set for the degraded state has been exceeded.
Related Setting: Manage Fault Settings > AAA > EAP-MD5 > Response Time
Recommended Action: Verify that the fault threshold is set correctly.

Related Setting: Manage Fault Settings > AAA > EAP-MD5 > Response Time
Recommended Action: Verify that the fault threshold is set correctly.
Table 2-6 AAA Server Faults (continued)
Fault Description: LEAP server is Overloaded
Server Type: LEAP
Explanation: The fault threshold set for the overloaded state has been exceeded.
Related Setting: Manage Fault Settings > AAA > LEAP > Response Time
Recommended Action: Verify that the fault threshold is set correctly.

This fault is not generated based on a threshold violation.
Table 2-6 AAA Server Faults (continued)
Fault Description: PEAP server is Overloaded
Server Type: PEAP
Explanation: The fault threshold set for the overloaded state has been exceeded.
Related Setting: Manage Fault Settings > AAA > PEAP > Response Time
Recommended Action: Verify that the fault threshold is set correctly.
Switch Faults
Table 2-7 Switch Faults
Fault Description: CPU utilization is Degraded (utilization %)
Explanation: The fault threshold set for the degraded state has been exceeded. When this fault has been
Related Setting: Manage Fault Settings > Switch > CPU Utilization
Recommended Action: Verify that the fault threshold is set correctly. If the threshold is set correctly, review your network to determine the action necessary to clear the fault condition.
Table 2-7 Switch Faults (continued)
Fault Description: Port is down.
Explanation: The port is operationally down. When this fault is cleared, the following message displays: Port is UP.
Related Setting: Manage Fault Settings > Switch > Port Status
Recommended Action: Check the switch to determine why the port is down.
Router Fault
Table 2-8 Router Fault
Fault Description: Device was not reachable via SNMP
Explanation: The SNMP Agent on the switch is down. When this fault has been cleared, the following message displays: Device was reachable via SNMP.
Related Setting: Manage Fault Settings > Router > SNMP Reachable
Recommended Action: Make sure that the router SNMP agent is active.
WLSM Faults