For general wireless troubleshooting and information-gathering tips, see the blog Troubleshooting a Wireless Network - Information Gathering or the video.

The Fortinet wireless engineer receives trouble tickets for issues reported through the Help Desk, and uses the data shown on the dashboard of the FortiGate (the wireless controller) to view, identify, and potentially resolve the wireless issue. The FortiGate default management IP address is 192.168.1.99, so that is most likely the URL where they log in to analyze network statistics.

If the end user calls because the wireless network is slow, is not working, is dropping, or the Wi-Fi is down, all of these complaints require the same initial information gathering to determine the root cause. The information gathered at the start lets you document the who, what, where, and when, and then find out the why.

Whenever anybody calls in with a wireless complaint, your regular information-gathering questions will be similar: Is the station connected? Does it have an IP address? Can it ping or reach important network resources? Has there been a change to the client? Is the basic channel configuration of the network acceptable? Are there potentially too many SSIDs being broadcast?

Sometimes, packet sniffing of wireless traffic is necessary to uncover the actual issue. A FortiAP radio can capture only one channel at a time, so two radios in sniffer mode (for example, two FortiAP devices) are needed to capture the 2.4 GHz and 5 GHz bands at the same time.

To initiate a packet capture, use a FortiAP in sniffer mode that supports the same wireless standards as your client devices (an older radio cannot decode frames sent with a newer PHY). Sniffer mode can only be set from the command line interface. Place the sniffing FortiAP close to the target access point, or to the client whose traffic is to be captured.

The capture file is stored in the FortiAP's temporary directory (/tmp) as wl_sniff.pcap, and it only survives while the radio stays as configured: transfer it to a TFTP server before rebooting the FortiAP or changing the radio parameters, or the capture is lost.

To initiate a packet capture for wireless traffic on a Fortinet access point, the CLI syntax is shown below (on this model radio-1 is the 2.4 GHz radio; use radio-2 for 5 GHz). Leave ap-sniffer-addr at 00:00:00:00:00:00 to capture all stations, or set it to a client's MAC address to capture only frames to and from that client; the ap-sniffer-mgmt-*, ap-sniffer-ctl and ap-sniffer-data switches select which frame types are written to the capture.

config wireless-controller wtp-profile
    edit FAP231F-default
        config radio-1
            set mode sniffer
            set drma enable
            set drma-sensitivity medium
            set ap-sniffer-bufsize 32
            set ap-sniffer-chan 1
            set ap-sniffer-addr 00:00:00:00:00:00
            set ap-sniffer-mgmt-beacon enable
            set ap-sniffer-mgmt-other enable
            set ap-sniffer-ctl enable
            set ap-sniffer-data enable
        end
    next
end

A radio in sniffer mode does not broadcast SSIDs or serve clients, so remember to take it out of sniffer mode (back to ap mode, or monitor mode if it was a dedicated monitor radio) once the capture has been copied off.
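To show what the capture switches above actually select, here is an added example (written for this article; it is not Fortinet or WWT code) that summarises a radiotap pcap such as the wl_sniff.pcap pulled from the FortiAP over TFTP. It counts frames per capture category (mgmt-beacon, mgmt-other, ctl, data), attributes retries and deauthentication/disassociation frames to the transmitting MAC, and can narrow the view to one station the way ap-sniffer-addr does. It assumes the file is a classic little-endian pcap with link type 127 (radiotap) and that the all-zero ap-sniffer-addr means "all stations"; the sample capture is constructed in memory so the script runs offline.

```python
"""Summarise a FortiAP sniffer capture (radiotap pcap such as wl_sniff.pcap).

Added example for this article, not Fortinet or WWT code. Assumptions: the file
is a classic little-endian pcap with link type 127 (radiotap), and the all-zero
ap-sniffer-addr means "all stations". The sample capture at the bottom is
constructed in memory so the script runs offline.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_RADIOTAP = 127
PCAP_GLOBAL = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_PKT = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
TYPE_MGMT, TYPE_CTL = 0, 1
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC
FLAG_RETRY = 0x08                  # bit 3 of the frame-control flags byte


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode(frame):
    """Decode one 802.11 header (radiotap stripped; a trailing FCS is ignored).

    Returns (category, subtype, retry, receiver, transmitter); category mirrors
    the FortiAP ap-sniffer-* switches: mgmt-beacon, mgmt-other, ctl, data."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    retry = bool(fc1 & FLAG_RETRY)
    receiver = mac(frame[4:10])                        # addr1
    if ftype == TYPE_CTL:
        return "ctl", subtype, retry, receiver, None   # ACK/CTS carry addr1 only
    transmitter = mac(frame[10:16])                    # addr2, the MAC that sent it
    if ftype == TYPE_MGMT:
        cat = "mgmt-beacon" if subtype == SUBTYPE_BEACON else "mgmt-other"
        return cat, subtype, retry, receiver, transmitter
    return "data", subtype, retry, receiver, transmitter


def pcap_frames(data):
    """Yield 802.11 frames from a radiotap pcap, skipping each radiotap header."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap (pcapng not handled)")
    if linktype != LINKTYPE_RADIOTAP:
        raise ValueError(f"expected link type 127 (radiotap), got {linktype}")
    off = PCAP_GLOBAL.size
    while off + PCAP_PKT.size <= len(data):
        _, _, incl_len, _ = PCAP_PKT.unpack_from(data, off)
        off += PCAP_PKT.size
        pkt = data[off:off + incl_len]
        off += incl_len
        rt_len = struct.unpack_from("<H", pkt, 2)[0]   # radiotap it_len (bytes 2-3)
        yield pkt[rt_len:]


def summarise(data, station=None):
    """Count frames per sniffer category plus per-transmitter retries and deauths.

    station: MAC to focus on, like ap-sniffer-addr; None (the all-zero address in
    the FortiAP setting) keeps every frame."""
    cats, tx, retries, deauth = Counter(), Counter(), Counter(), Counter()
    for frame in pcap_frames(data):
        cat, subtype, retry, rcv, xmt = decode(frame)
        if station and station not in (rcv, xmt):
            continue
        cats[cat] += 1
        if xmt is None:
            continue
        tx[xmt] += 1
        if retry:
            retries[xmt] += 1
        if cat == "mgmt-other" and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            deauth[xmt] += 1
    return {"categories": dict(cats), "tx": dict(tx),
            "retries": dict(retries), "deauth": dict(deauth)}


# --- constructed sample capture (not a real FortiAP capture) ---------------
AP, STA, BCAST = bytes.fromhex("001122aabbcc"), bytes.fromhex("66778899ddee"), b"\xff" * 6
RADIOTAP_MIN = bytes([0, 0, 8, 0, 0, 0, 0, 0])   # version 0, it_len 8, no fields


def frame(fc0, fc1, addr1, addr2=None, addr3=None, body=b""):
    hdr = bytes([fc0, fc1, 0, 0]) + addr1             # frame control, duration, addr1
    if addr2 is not None:
        hdr += addr2 + addr3 + b"\x00\x00"            # addr2, addr3, sequence control
    return hdr + body


def build_pcap(frames):
    out = PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for i, f in enumerate(frames):
        pkt = RADIOTAP_MIN + f
        out += PCAP_PKT.pack(1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


SAMPLE_PCAP = build_pcap([
    frame(0x80, 0x00, BCAST, AP, AP, bytes(12) + b"\x64\x00\x11\x04"),  # beacon
    frame(0x40, 0x00, BCAST, STA, BCAST),                               # probe request
    frame(0x88, 0x01, AP, STA, AP, b"\x00\x00payload"),                 # QoS data, ToDS
    frame(0x88, 0x09, AP, STA, AP, b"\x00\x00payload"),                 # same frame, Retry set
    frame(0x88, 0x09, AP, STA, AP, b"\x00\x00payload"),                 # retried again
    frame(0xD4, 0x00, STA),                                             # ACK from the AP
    frame(0xC0, 0x00, STA, AP, AP, b"\x02\x00"),                        # deauth, reason 2
])

if __name__ == "__main__":
    print(summarise(SAMPLE_PCAP))
    print(summarise(SAMPLE_PCAP, station=mac(STA)))
```

Run it on the real file with summarise(open("wl_sniff.pcap", "rb").read(), station="aa:bb:cc:dd:ee:ff") using the client's MAC. A station whose retry count approaches or exceeds its transmitted frame count, or a run of deauthentication frames sent by the AP, is the frame-level evidence behind "slow" and "dropping" complaints; only the 802.11 header is read, so a capture that includes the FCS is handled the same way.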

To list all stations connected to the FortiAP devices (the grep drops entries that have not yet obtained an IP address):

  • diag wireless-controller wlac -d sta | grep -v 0.0.0.0

To list all discovered neighboring FortiAP devices: 

  • get wireless-controller scan

To show RF conditions around all FortiAP radios: 

  • get wireless-controller rf-analysis

To show client load over time: 

  • get wireless-controller status

Useful statistics are available from the access point itself by running AP shell commands. You can reach the AP shell through the controller GUI, through FortiExplorer (with compatible FortiAP models), through a console cable or SSH when connected directly to the access point, or from the controller using Telnet, SSH, or the CAPWAP web tunnel.

Access through the CAPWAP tunnel can be used when direct SSH/Telnet is not available, which is typically the case when an access point is remotely located behind a NAT device. The FortiAP only sends results back to the controller after the command has finished; if a new command is sent before the previous one completes, the previous command is canceled. The maximum output from a command is limited to 4 MB, and the default output size is 32 KB, so resize the output window if the output (for example a packet capture) is larger than 32 KB.

To connect through the controller GUI, go to Wi-Fi & Switch Controller > Managed FortiAPs, right-click the row of the FortiAP you want to connect to, and select Connect To CLI.

Enter 'help' or '?' to display the list of commands. Some commands are aliased, and each AP has a set of configuration and diagnostic commands. The cw_diag commands are used for monitoring and diagnostics. To increase the session timeout, enter cfg -a ADMIN_TIMEOUT=<minutes>.

For station-specific Layer 1 metrics, enter cw_diag -d sta <mac-address>. Lost frames indicate that the AP was unable to send a data frame successfully after numerous retries. A high retry count points to RF coverage problems; the number of retry frames can even exceed the transmit frame count, because every retransmission of the same frame is counted. The output also lists the station's signal-to-noise ratio.

The following commands cover channel utilization and associations: cw_diag -c his-chutil shows the last minute of channel utilization for the AP's configured channel, cw_diag -c all-chutil shows the channel utilization for all channels allowed on the access point, and cw_diag ksta shows the associated stations.

To display the radio interfaces on a Fortinet access point, use iwconfig.

All of the SSID interfaces are named wlanXY, where X is 0 for 2.4 GHz, 1 for 5 GHz, and 2 for 6 GHz, and Y increments for each SSID on that radio (wlan00 is the first 2.4 GHz SSID, wlan10 the first 5 GHz SSID).

To see the statistics for a single interface, use cw_diag stats wlanXY. The output is per SSID, and the X and Y in the interface name tell you which SSID is operating on which radio and band.

To find the client's MAC address, on Windows use netsh wlan show interfaces (which also shows the BSSID, channel and signal); on macOS, open Terminal and run networksetup -listallhardwareports to list the interfaces with their MAC addresses. The client's IP address is shown by ipconfig /all on Windows and ifconfig on macOS.

Regular monitoring is essential. The Fortinet rule of thumb for wireless health is channel utilization below 75% and a client count below 30; temporary peaks above this are to be expected. Look for the best possible link rates, but be aware of the client's capabilities. Channel noise should ideally be –92 dBm or lower (a larger negative number means less noise). The client's signal strength should match the design criteria, which in general means –64 dBm or better. The signal-to-noise ratio should be at least 15 dB, and 25 dB or more is preferable; higher-speed standards require a higher signal-to-noise ratio.

When a client fails to connect to a wireless network, it can be difficult to tell whether the cause is the authentication process, a configuration issue, or the wireless connection itself. To find out, enable client debugging on the controller that the problematic client connects through and check at which stage the client fails.

The command is diagnose wireless-controller wlac sta_filter <your station MAC address> 2 (2 is the verbose debug level). Then try to connect again from the problematic client and follow the debug output.

The FortiAP Service Assurance Manager (SAM) is a diagnostic feature that requires a dedicated FortiAP radio: the radio is configured in SAM mode and acts as a wireless client, connecting to the SSID under test and running periodic tests (iperf in the example below) against a test server, so that wireless network health can be reviewed and predictive health checks and reports produced. The commands to put a FortiAP radio into SAM mode are shown below; the profile name, SSID and server are examples, set sam-password takes the pre-shared key of the target SSID, and sam-captive-portal must be enabled to connect to SSIDs that use a captive portal:

config wireless-controller wtp-profile
    edit "FAP231E-sam"
        config radio-2
            set mode sam
            set sam-ssid "test-sam"
            set sam-bssid 00:00:00:00:00:00
            set sam-security-type wpa-personal
            set sam-captive-portal disable
            set sam-password <pre-shared key>
            set sam-test iperf
            set sam-server "iperf.he.net"
            set iperf-server-port 5001
            set iperf-protocol tcp
            set sam-report-intv 60
        end
    next
end

If the end user calls the help desk complaining that the wireless network is slow, go to Wi-Fi & Switch Controller > Wi-Fi Clients and select the client. From there you can open the Wi-Fi Maps to view the currently connected clients, put an AP into spectrum analysis mode, or view a monitor radio. This gives you the signal strength of the client device and how much bandwidth the client has been sending (upstream) and receiving (downstream).

If the wireless isn't working, go to Dashboard > Wi-Fi. From there you can see the FortiAP status, channel utilization, the number of clients on each FortiAP, how many rogue APs have been detected, the signal strength of the client devices, any interfering SSIDs or login failures, and the historical client count over time.

If the Wi-Fi is described as dropping, go to Log & Report > System Events > Wi-Fi Events, where you can see disconnects, re-associations, rogue access point detections, and other event messages.

If the Wi-Fi is described as down, go to Wi-Fi & Switch Controller > Managed FortiAPs and check the connection status of all FortiAPs, or of that site's access points: are any of them shown as down (red), or are all of them up (green)?

For a wireless network validation, the required tools may include any or all of the following: the wireless network overview, the client connectivity logs, checks for dropped connections or authentication failures, the status and connectivity widgets for all Fortinet access points, on-site RF or spectrum analysis, and the Fortinet troubleshooting guides. The performance metrics to track are client count, latency and throughput, signal strength (RSSI), and bandwidth utilization.
