In the following section, you will learn basic troubleshooting techniques for a secure Fortinet wireless LAN:
- strategies for troubleshooting Fortinet wireless devices
- how to avoid common misconfigurations
- solutions to connectivity issues
- capturing and analyzing wireless traffic
- wireless debug commands
The goal of this document is to provide you with practical knowledge that you can use to troubleshoot the FortiOS wireless controller and FortiAP devices. This includes how to use tools and apply CLI commands for maintenance and troubleshooting of your wireless network infrastructure, analyze problems per OSI layer, explore diagnostics for commissioning issues involving client and access point connectivity problems, and understand the packet sniffer technique as a strong troubleshooting tool.
The content is divided as follows:
- Signal strength issues
- Throughput issues
- Connection issues
- General problems
- Packet sniffer
- Useful debugging commands
Signal strength issues
Poor signal strength is possibly the most common customer complaint. Below you will learn where to begin identifying and troubleshooting poor signal strength, and learn what information you can obtain from the customer to help resolve signal strength issues.
Asymmetric power issue
Asymmetric power issues are a typical problem. Wireless is two-way communication. High-power access points (APs) can usually transmit a long distance; however, the client's ability to transmit is usually not equal to that of the AP, so the client cannot return the transmission if the distance is too far.
Measuring signal strength in both directions
To solve an asymmetric power issue, measure the signal strength in both directions. APs usually have enough power to transmit long distances, but sometimes battery-powered clients have a reply signal that has less power, and therefore the AP cannot detect their signal.
It is recommended that you match the transmission power of the AP to the least powerful wireless client: around 10 decibel-milliwatts (dBm) for iPhones and 14 dBm for most laptops.
Even if the signal is strong enough, other devices may be emitting radiation as well, causing interference. To identify the difference, read the client Rx strength from the FortiGate GUI (under Monitor > WiFi Client Monitor) or CLI.
The Signal Strength/Noise value provides the received signal strength indicator (RSSI) of the wireless client. For example, a value of -85dBm to -95dBm is equal to about 10dB levels; this is not a desirable signal strength. In the following screenshot, one of the clients is at 18dB, which is getting close to the perimeter of its range.
The Signal Strength/Noise value received from the FortiAP by clients, and vice versa, should be within the range of -20dBm to -65dBm.
You can also confirm the transmission (Tx) power of the controller on the AP profile (wtp-profile) and the FortiAP (iwconfig), and check the power management (auto-Tx) options.
Controller configured transmitting power – CLI:
config wireless-controller wtp-profile
config <radio>
(the following output is limited to power levels)
auto-power-level : enable
auto-power-high : 17
auto-power-low : 10
Actual FortiAP transmitting power – CLI:
wlan00 IEEE 802.11ng ESSID:"signal-check"
Mode:Master Frequency:2.412 GHz Access Point:<MAC add>
Bit Rate:130 Mb/s Tx-Power=28 dBm
Using FortiPlanner PRO with a site survey
The most thorough method to solve signal strength issues is to perform a site survey. To this end, Fortinet offers the FortiPlanner, downloadable at http://www.fortinet.com/resource_center/product_downloads.html.
Sample depiction of a site survey using FortiPlanner
The site survey provides you with optimal placement for your APs based on the variables in your environment. You must provide the site survey detailed information including a floor plan (to scale), structural materials, and more. It will allow you to place the APs on the map and adjust the radio bands and power levels while providing you with visual wireless coverage.
Below is a list of mechanisms for gathering further information on the client for Rx strength. The goal is to see how well the client is receiving the signal from the AP. You can also verify FortiAP signal strength on the client using WiFi client utilities, or third party utilities such as InSSIDer or MetaGeek Chanalyzer. You can get similar tools from the app stores on Android and iOS devices.
- Professional Site Survey software (Ekahau, Airmagnet survey Pro, FortiPlanner)
- On Windows: "netsh wlan show networks mode=bssid" (look for the BSSID; the signal is shown in %, not in dBm!)
- On MacOS: Use the "airport" command, located at "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport":
  airport -s | grep <the_bssid> (live scan each time)
- On Droid: WiFiFoFum
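The Windows command in the list above reports signal as a percentage, so it has to be converted before it can be compared with the dBm range given earlier. The following is an added example, not part of the original document: it parses constructed netsh output, converts the percentage with Windows' linear signal-quality mapping (0% = -100 dBm, 100% = -50 dBm), and flags BSSIDs outside the -20dBm to -65dBm range or off channels 1, 6 and 11. The function names and sample values are assumptions.

```python
# Constructed sample of `netsh wlan show networks mode=bssid` output.
SAMPLE = """\
SSID 1 : signal-check
    Network type            : Infrastructure
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 86%
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 40%
         Channel            : 3
"""

def quality_to_dbm(percent):
    # Windows signal quality is linear: 0% = -100 dBm, 100% = -50 dBm.
    return percent / 2 - 100

def parse_bssids(text):
    """Return one dict per BSSID with its SSID, signal in dBm and channel."""
    entries, current, ssid = [], None, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key.startswith("BSSID"):
            current = {"bssid": value, "ssid": ssid}
            entries.append(current)
        elif key.startswith("SSID"):
            ssid, current = value, None
        elif current is not None and key == "Signal":
            current["dbm"] = quality_to_dbm(int(value.rstrip("%")))
        elif current is not None and key == "Channel":
            current["channel"] = int(value)
    return entries

def assess(entry):
    """Check one BSSID against the -20..-65 dBm range and channels 1/6/11."""
    findings = []
    if not -65 <= entry["dbm"] <= -20:
        findings.append("signal outside -20 to -65 dBm")
    if entry["channel"] <= 14 and entry["channel"] not in (1, 6, 11):
        findings.append("2.4GHz channel is not 1, 6 or 11")
    return findings

if __name__ == "__main__":
    for e in parse_bssids(SAMPLE):
        print(e["bssid"], e["dbm"], "dBm", "ch", e["channel"], assess(e) or "ok")
```

Because the Windows scale tops out at -50 dBm for 100%, signals stronger than that cannot be told apart from this output alone.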
If the wireless signal seems to be strong but then periodically drops, this may be a symptom of frequency interference. Frequency interference is when another device also emits radio frequency using the same channel, co-channel, or adjacent channel, thereby overpowering or corrupting your signal. This is a common problem on a 2.4GHz network.
There are two types of interference: coherent and non-coherent.
- Coherent interference: a result of another device using the same channel as your AP, or poor planning of a wireless infrastructure (perhaps the other nearby APs are using the same channel or the signal strength is too high).
- Non-coherent interference: a result of other radio signals such as bluetooth, microwave, cordless phone, or (as in medical environments) x-ray machines.
The most common and simple solution for frequency interference is to change your operation channel. Typically, the channel can be set from 1 to 11 for the broadcast frequency, although you should always use channels 1, 6, and 11 on the 2.4GHz band.
Another solution, if it’s appropriate for your location, is to use the 5GHz band instead.
You can perform a site survey using spectrum analysis at various points in your environment looking for signal versus interference/noise. MetaGeek Chanalyzer is an example of a third party utility which shows a noise threshold.
Note that a signal of -95dBm or less will be ignored by Fortinet wireless adapters.
Sometimes communication issues can be caused by low performance.
Testing the link
You can identify delays or lost packets by sending ping packets from your wireless client. If there is more than 10ms of delay, there may be a problem with your wireless deployment, such as:
- a weak transmit signal from the client (the host does not reach the AP)
- the AP utilization is too high (your AP could be saturated with connected clients)
- interference (third party signal could degrade your AP or client’s ability to detect signals between them)
- weak transmit power from the AP (the AP does not reach the host) — not common in a properly deployed network, unless the client is too far away
Keep in mind that water will also cause a reduction in radio signal strength for those making use of outdoor APs or wireless on a boat.