FortiWLC – Troubleshooting

System Logs

The system log records the following:

  • Configuration changes (CLI or GUI)
  • Key commands
  • Events and operations
  • Errors

The CLI command show log lists the entire log. To view the system log files from the Web UI, click Maintenance > Syslog > View Syslog Files.

 

Figure 78: Syslog Files Table

Facility Name can be one of these eight sources of information. Each facility and what its messages contain:

  • Security: Creation and violation of security configuration, including user logins and Captive Portal activity
  • QoS: Quality of Service messages for both creation and violation of QoS rules created on this controller
  • System WNC: Rogue AP syslog messages
  • NMS: Network Manager Server syslog messages
  • Mobility: Handoff or redirect messages
  • Bulk Update: Any use of the bulk update commands available from the GUI is noted here. The Bulk Update function, accessed from the AP Configuration, Wireless Interfaces Configuration, and Antenna Property pages, updates a group of selected APs. Bulk Update works the same in each of these areas, but the items to be updated are specific to the page where the bulk update is being initiated.
  • Upgrade: Any use of the CLI command upgrade
  • Per-user Firewall: Creation and violation of per-user firewalls

Select one of the Facilities listed in the above chart and then click View Syslog to see these details:

Figure 79: Security System Log Details

Each entry in the details view has these fields:

  • Line: Line number of the syslog file where the entry is located.
  • Priority: Severity of the entry. Possible priorities are: debug, info, notice, warning, error, err, crit, alert, emerg, panic.
  • Mnemonic: Three-letter mnemonic assigned to the entry:
      CAP = Captive Portal
      RED = redirect
      FOR = forward
      WAU = WebAuth user authentication
      WST = Web Server Event
      WPW = Web UI user password administration
  • Time: Date and time when the entry was logged.
  • Record: The details of the syslog event depend on the category of the message:
      Security: User logins, Captive Portal activity
      QoS: Creation and violation of QoS rules
      System WNC: Rogue activity
      NMS: If this controller is part of Network Manager, all activity initiated by the Network Manager Server
      Mobility: Consists primarily of RED (redirect) messages
      Bulk Update: AP updates done in groups
      Upgrade: FortiWLC (SD) upgrades
      Per-User Firewall: Creation and violation of firewalls

To search for information in any column of a Facility screen like the one in Figure 79, type search data in the box at the top of the column (Line, Priority, Mnemonic, Time, Record); only messages that match that filter are shown. For Priority, you see messages of the selected priority level and higher; for example, a search for debug shows every message because debug is the lowest priority level, and a search for info shows the messages at info and higher: notice, warning, error, err, crit, alert, emerg, panic (highest priority).

You can also click the calendar icon above the Time column to enter a specific date or time to filter syslog messages in this category.
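As an added example (not part of the FortiWLC guide), the following Python models the Priority column search described above: a search for a priority level returns entries at that level and higher, while the other columns filter on a plain substring match (an assumption about the Web UI behaviour, which the guide does not spell out). Treating err as an alias of error and panic as an alias of emerg is standard syslog usage and is likewise an assumption here; the sample entries and the failed_logins helper are this example's own.

```python
"""Model of the FortiWLC syslog details search: priority "level and higher".

Added example, not code from the FortiWLC guide. The priority order is the
guide's list (debug lowest ... panic highest); "err"/"error" and
"panic"/"emerg" are treated as aliases, which is standard syslog usage and an
assumption here. Sample entries below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Lowest to highest severity, as listed in the guide (aliases folded in).
PRIORITY_ORDER = ["debug", "info", "notice", "warning", "error", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"err": "error", "panic": "emerg"}


def priority_rank(name: str) -> int:
    """Return the severity rank of a syslog priority name (higher = more severe)."""
    key = PRIORITY_ALIASES.get(name.lower(), name.lower())
    if key not in PRIORITY_ORDER:
        raise ValueError(f"unknown syslog priority: {name!r}")
    return PRIORITY_ORDER.index(key)


@dataclass
class SyslogEntry:
    """One row of a facility view: Line, Priority, Mnemonic, Time, Record."""
    line: int
    priority: str
    mnemonic: str
    time: str
    record: str


def filter_entries(entries: Iterable[SyslogEntry], *, priority: Optional[str] = None,
                   mnemonic: Optional[str] = None, record: Optional[str] = None,
                   time: Optional[str] = None) -> List[SyslogEntry]:
    """Apply column filters the way the Web UI search boxes are described.

    priority: keep entries at this level or higher (debug keeps everything).
    mnemonic/record/time: substring match (assumed behaviour, not from the guide).
    """
    min_rank = priority_rank(priority) if priority else 0
    out = []
    for e in entries:
        if priority_rank(e.priority) < min_rank:
            continue
        if mnemonic and mnemonic.lower() not in e.mnemonic.lower():
            continue
        if record and record.lower() not in e.record.lower():
            continue
        if time and time not in e.time:
            continue
        out.append(e)
    return out


# Constructed sample entries modelled on the message formats in this guide.
SAMPLE_ENTRIES = [
    SyslogEntry(1, "debug", "WST", "2021-03-01 08:00:01", "WS Serving..."),
    SyslogEntry(2, "info", "CAP", "2021-03-01 08:00:05", "CAP alice@10.101.66.25 logged in OK"),
    SyslogEntry(3, "notice", "CAP", "2021-03-01 08:00:09", "CAP bob@10.101.66.30 logged in FAILED"),
    SyslogEntry(4, "warning", "WAU", "2021-03-01 08:01:00", "WebAuth user authentication failed"),
    SyslogEntry(5, "err", "WPW", "2021-03-01 08:02:00", "WPW admin@10.101.64.9 changed password FAILED"),
    SyslogEntry(6, "panic", "WST", "2021-03-02 03:00:00", "Web server restarted"),
]


def failed_logins(entries: Iterable[SyslogEntry]) -> List[int]:
    """Line numbers of Captive Portal login failures at priority info or higher:
    the kind of saved filter a defender keeps for spotting password guessing."""
    return [e.line for e in filter_entries(entries, priority="info", mnemonic="CAP", record="FAILED")]


if __name__ == "__main__":
    for e in filter_entries(SAMPLE_ENTRIES, priority="warning"):
        print(e.line, e.priority, e.mnemonic, e.record)
```

The same rank function can be reused against exported syslog files, which is handier than the Web UI when you need to correlate a burst of FAILED Captive Portal logins with other facilities.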

Station Log Events

Station log event messages are displayed in this format:

[object name, field name <old value: new value>, field name <old value: new value> …]

Log Category: “nms”, Priority: “info”, Mnemonic: “CONFIG”

The following chart describes some common station log events.

Each row gives the logged event (station MAC | category | message) and its interpretation.

Event: 00:0f:8f:9d:d3:23 | Station Assign | <AID=1> assigned to <AP_ID=31><ESSID=swhanessid><BSSID=00:0c:e6:9d:4f:be>
Interpretation: A mobile station is assigned to AP::ESSID::BSSID. Once a mobile station is assigned to AP::ESSID::BSSID, it proceeds to the next stage, 802.11 authentication and association. The AID value is assigned to the station if it goes through 802.11 authentication/association.

Event: 00:0f:8f:9d:d3:23 | Station Assign | <AID=1> Assign Removed From <AP_ID=31><ESSID=swhanessid><BSSID=00:0c:e6:9d:4f:be>
Interpretation: A mobile station’s assignment state is removed from AP::ESSID::BSSID, and the station cannot proceed to the next stage. The most common cause is that the station did not proceed to the 802.11 authentication or association stage within the Station Assignment Aging Time.

Event: 00:16:6f:3b:17:a9 | IP Address Discovered | <Old IP discovery Method=none><Old IP=0.0.0.0><New IP discovery Method=dynamic><New IP=10.101.66.25>
Interpretation: A mobile station’s discovery method or IP address changes and the system accepts the new IP address. The New IP field indicates the IP address being used by the station.

Event: 00:16:6f:3b:17:a9 | IP Address Discovered | <IP = 10.101.64.100> fails due to one of local IPs
Interpretation: A mobile station is detected trying to use the controller’s IP address. The system blocks IP traffic from the station using that IP address.

Event: 00:16:6f:3b:17:a9 | IP Address Discovered | ip update not performed. <Client IP=10.101.64.1> is used by a wired station <00:0e:84:85:33:00>
Interpretation: A mobile station is detected trying to use the IP address used by a wired station whose MAC address is shown. The system blocks IP traffic from the station using that IP address.

 

Syslog messages and their meaning:

Message: AP DOWN CLEAR Access Point <ap-id> is up
Description: Access Point ap-id was added to the WLAN. The coverage is extended. Action: None

Message: AP DOWN CRITICAL Access Point <ap-id> is down
Description: Access Point ap-id was removed from the WLAN. Expect loss of service in some areas. Action: If this event is unexpected, check the network connectivity between the access point and the controller.

Message: AP rebooted by admin
Description: The Access Point has been manually rebooted. Action: None

Message: AP Software Version Mismatch
Description: The software version on the AP does not match that on the controller. This message can be generated because the auto-AP upgrade feature is disabled. Action: To resolve this condition, the AP must be upgraded manually with the upgrade ap command to ensure continued functionality.

Message: CAP <user>@<a.b.c.d> logged in <OK|FAILED>
Description: The specified Captive Portal user has logged in successfully (OK) or has been refused login (FAILED).

Message: Controller rebooted by admin
Description: The controller has been manually rebooted.

Message: AP Boot Image Version Mismatch
Description: The boot image version on the AP does not match that required for the version of the AP software. Action: The boot image must be upgraded using the upgrade ap command with the boot image option before attempting to upgrade the AP software version.

Message: AP Initialization Failure
Description: The AP failed to initialize properly. Action: Check that the AP network cables are properly connected. Check that the version of the AP boot image matches the version of the AP software, and that the AP software version matches the software version of the controller. If the AP still fails to initialize after these checks, contact Fortinet Customer Support.

Message: AP Temperature
Description: The AP temperature has exceeded the maximum threshold.

Message: Hardware Diagnostic
Description: The AP failed the hardware diagnostic checks. Action: Contact Fortinet Customer Support.

Message: ROGUE AP DETECTED CLEAR STATION mac=<mac-address> bss=<bssid> ch=<channel-id> reported by AP <ap-id>
Description: A station previously reported as rogue is no longer detected by any of the access points.

Message: ROGUE AP DETECTED CRITICAL STATION mac=<mac-address> bss=<bssid> ch=<channel-id> reported by AP <ap-id>
Description: A station using an unknown BSSID has been detected. Action: Check whether the BSSID belongs to another valid WLAN. If not, you may decide to turn on the rogue AP mitigation feature.

Message: Radio Card Failure
Description: The AP radio card has failed. Contact Fortinet Customer Support.

Message: WLAN services started on controller
Description: FortiWLC (SD) processes have been started on the controller.

Message: WLAN services stopped on controller
Description: FortiWLC (SD) processes have been stopped.

Message: WST:WS Serving…
Description: Web server new event message.

Message: WPW :<user>@<a.b.c.d> changed password <OK | FAILED>
Description: The specified FortiWLC (SD) user has either successfully changed their password (OK) or was unable to change the password (FAILED).

MAC Filtering Station Log Events

Seven events are defined for MAC Filtering log events.

Event: 00:66:77:c2:03:01 | Mac Filtering | Mac in permit list – accept client
Interpretation: The station 00:66:77:c2:03:01 is in the ACL Allow Access List, and Permit List Enabled is on. The mobile station goes to the next stage, assignment.

Event: 00:66:77:c2:04:01 | Mac Filtering | Mac not in permit list – reject client
Interpretation: The station 00:66:77:c2:04:01 is not in the ACL Allow Access List, and Permit List Enabled is on. RADIUS authentication is disabled. The mobile station cannot proceed to the next stage, assignment.

Event: 00:66:77:c2:03:01 | Mac Filtering | Mac not in deny list – accept client
Interpretation: The station 00:66:77:c2:03:01 is not in the ACL Deny Access List, and Deny List Enabled is on. RADIUS authentication is disabled. The mobile station goes to the next stage, assignment.

Event: 00:66:77:c2:04:01 | Mac Filtering | Mac in deny list – reject client
Interpretation: The station 00:66:77:c2:04:01 is in the ACL Deny Access List, and Deny List Enabled is on. RADIUS authentication is disabled. The mobile station cannot proceed to the next stage, assignment.

Event: 00:66:77:c2:03:01 | Mac Filtering | Sent RADIUS request
Interpretation: RADIUS authentication is enabled, and a RADIUS authentication request message is sent for the station.

Event: 00:66:77:c2:02:01 | Mac Filtering | RADIUS authentication succeeded (vlan 0)
Interpretation: RADIUS authentication is enabled, and a RADIUS Accept response message is received. The mobile station goes to the next stage, assignment.

Event: 00:66:77:c2:02:06 | Mac Filtering | RADIUS authentication failed
Interpretation: RADIUS authentication is enabled, and a RADIUS Reject response message is received. The mobile station cannot proceed to the next stage, assignment.
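The seven events above are the outputs of one decision: local permit/deny list first, RADIUS MAC authentication where enabled. As an added example (not code from the FortiWLC guide), the Python below reproduces the event strings and the outcome each implies, so a reviewer of a station log can check that the decisions it records match the intended ACL. The precedence used when RADIUS is enabled (a station the local lists neither accept nor reject is sent to RADIUS) is an assumption; the guide only describes the list-only cases with RADIUS disabled. The function name and the MAC addresses passed in the usage are this example's own.

```python
"""Decision model for the seven MAC Filtering station log events.

Added example, not code from the FortiWLC guide. It reproduces the event
strings tabulated in the guide and the outcome each one implies. The
precedence used when RADIUS MAC authentication is enabled (a station the local
permit or deny list does not already decide is sent to RADIUS) is an
assumption; the guide describes the list-only cases with RADIUS disabled.
"""
from typing import Iterable, List, Optional, Tuple


def mac_filter_events(
    mac: str,
    *,
    permit_list_enabled: bool = False,
    permit_list: Iterable[str] = (),
    deny_list_enabled: bool = False,
    deny_list: Iterable[str] = (),
    radius_enabled: bool = False,
    radius_accept: Optional[bool] = None,
    vlan: int = 0,
) -> Tuple[bool, List[str]]:
    """Return (station admitted to the assignment stage?, station log lines produced)."""
    mac = mac.lower()
    permit = {m.lower() for m in permit_list}
    deny = {m.lower() for m in deny_list}
    prefix = f"{mac} | Mac Filtering | "
    events: List[str] = []

    # Local ACL checks first: a deny-list hit or a permit-list hit decides on its own.
    if deny_list_enabled and mac in deny:
        events.append(prefix + "Mac in deny list – reject client")
        return False, events
    if permit_list_enabled and mac in permit:
        events.append(prefix + "Mac in permit list – accept client")
        return True, events

    # Assumption (not stated by the guide): with RADIUS MAC authentication
    # enabled, a station the lists did not decide is checked against RADIUS.
    if radius_enabled:
        events.append(prefix + "Sent RADIUS request")
        if radius_accept:
            events.append(prefix + f"RADIUS authentication succeeded (vlan {vlan})")
            return True, events
        events.append(prefix + "RADIUS authentication failed")
        return False, events

    # RADIUS disabled: whichever list is enabled decides the undecided station.
    if permit_list_enabled:
        events.append(prefix + "Mac not in permit list – reject client")
        return False, events
    if deny_list_enabled:
        events.append(prefix + "Mac not in deny list – accept client")
        return True, events
    # No MAC filtering configured: nothing is logged and the station proceeds.
    return True, events


if __name__ == "__main__":
    admitted, lines = mac_filter_events(
        "00:66:77:c2:04:01", permit_list_enabled=True, permit_list=["00:66:77:c2:03:01"]
    )
    print(admitted, *lines, sep="\n")
```

Note the asymmetry a defender cares about: a permit list fails closed (unknown MACs are rejected), a deny list fails open (unknown MACs are accepted), and neither proves the station's identity, since MAC addresses are trivially set by the client.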

Key Exchange Station Log Events

Key exchange is a security method in which cryptographic keys are exchanged between users. A station goes through this stage of connection when any of these are enabled: WPA, WPA2, WPA PSK, WPA2 PSK, MIXED or MIXED_PSK.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | M1 <msg type=EAPOL_KEY> PTK sent
Interpretation: The system sends the first key exchange message. This is common to WPA, WPA2, WPA PSK, WPA2 PSK, MIXED and MIXED_PSK. The system tries transmission up to 4 times and then aborts the key exchange transaction by sending an 802.11 deauth if it doesn’t receive an M2 message.

Event: M2 <pkt type=EAPOL_KEY> MIC Verified
Interpretation: The system receives the key exchange message M2 from a station, and the MIC is verified correctly. This is common to WPA, WPA2, WPA PSK, WPA2 PSK, MIXED and MIXED_PSK.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | M3 <msg type=EAPOL_KEY> WPA PTK Negotiation sent
Interpretation: The system sends the third key exchange message for WPA or WPA-PSK modes. The system tries transmission up to 4 times, and then aborts the key exchange transaction by sending an 802.11 deauth if it doesn’t receive an M2 message.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise
Interpretation: The system receives the fourth key exchange message from a station for WPA or WPA-PSK modes. The system tries transmission up to 4 times, and then aborts the key exchange transaction by sending an 802.11 deauth if it doesn’t receive an M2 message.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | M5 <msg type=EAPOL_KEY> WPA GTK Rekey Negotiation sent
Interpretation: The system sends the fifth key exchange message for WPA or WPA-PSK modes.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | M6 <pkt type=EAPOL_KEY> <key type=Group Key>
Interpretation: The system receives the sixth key exchange message from a station for WPA or WPA-PSK modes. This is the last message of a key exchange for WPA or WPA-PSK and indicates a successful key exchange. The station can proceed to the next stage.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | M3 <msg type=EAPOL_KEY> WPA2 PTK Negotiation sent
Interpretation: The system sends the third key exchange message for WPA2 or WPA2-PSK modes. The system tries transmission up to 4 times and then aborts the key exchange transaction by sending an 802.11 deauth if it doesn’t receive an M2 message.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise
Interpretation: The system receives the fourth key exchange message from a station for WPA2 or WPA2-PSK modes. This is the last message of a key exchange for WPA2 or WPA2-PSK and indicates a successful key exchange. The station can proceed to the next stage.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X
Interpretation: The message sent by a station results in a MIC failure. For WPA-PSK or WPA2-PSK, the wrong passphrase or password leads to this failure. When the MIC failure occurs, the system sends an 802.11 deauth to the station.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | Sending Station Disconnect, Reason : 4-way Handshake Timeout, Auth Type 802.1X
Interpretation: The key exchange aborts because there is no response from the client. The system tries to transmit a key exchange message up to 6 times at one-second intervals. If the station does not respond, it aborts the key exchange.
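The station log format introduced in the Station Log Events section (station MAC, category and a message carrying <field=value> pairs) and the two Sending Station Disconnect reasons just described are what an operator actually has to work with when a client "cannot connect". As an added example (not code from the FortiWLC guide), the Python below parses that line shape and counts the disconnect reasons per station; on a PSK network the guide attributes MIC failures to a wrong passphrase, so a run of them from one MAC is worth a look. The sample lines are constructed from the message formats shown on this page, and the threshold and helper names are this example's own.

```python
"""Parse FortiWLC station log lines and tally key exchange failures per station.

Added example, not code from the FortiWLC guide. It parses the
"mac | category | message <field=value>..." line shape used in the Station
Log Events tables and counts the "Sending Station Disconnect" reasons from the
Key Exchange section (MIC Failure, 4-way Handshake Timeout). SAMPLE_LINES are
constructed from the message formats shown in the guide.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# mac | category | message; the guide's rows vary in whitespace and leading "|".
LINE_RE = re.compile(r"^\s*\|?\s*([0-9a-fA-F:]{17})\s*\|\s*([^|]+?)\s*\|\s*(.*)$")
# <key=value> fields; keys may contain spaces ("msg type", "key type").
FIELD_RE = re.compile(r"<\s*([^<>=]+?)\s*=\s*([^<>]*?)\s*>")
# "Sending Station Disconnect, Reason : <reason>, Auth Type 802.1X"
REASON_RE = re.compile(r"Reason\s*:\s*(.+?),\s*Auth Type")


@dataclass
class StationEvent:
    mac: str
    category: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_station_log_line(line: str) -> StationEvent:
    """Split one station log line into MAC, category, message and <k=v> fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a station log line: {line!r}")
    mac, category, message = m.group(1).lower(), m.group(2), m.group(3).strip()
    fields = {k: v for k, v in FIELD_RE.findall(message)}
    return StationEvent(mac, category, message, fields)


def disconnect_reasons(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count 'Sending Station Disconnect' reasons per station MAC."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        ev = parse_station_log_line(line)
        if ev.category != "1X Authentication":
            continue
        if not ev.message.startswith("Sending Station Disconnect"):
            continue
        m = REASON_RE.search(ev.message)
        if m:
            counts[ev.mac][m.group(1)] += 1
    return dict(counts)


def stations_with_repeated_mic_failures(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """MACs whose MIC Failure count reaches the threshold (threshold is this example's choice)."""
    return sorted(mac for mac, c in disconnect_reasons(lines).items()
                  if c["MIC Failure"] >= threshold)


# Constructed sample: one station failing the MIC three times, one timing out once.
SAMPLE_LINES = [
    "00:16:6f:3b:17:a9 |1X Authentication |M1 <msg type=EAPOL_KEY> PTK sent",
    "00:16:6f:3b:17:a9 |1X Authentication |Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X",
    "00:16:6f:3b:17:a9 |1X Authentication |M1 <msg type=EAPOL_KEY> PTK sent",
    "00:16:6f:3b:17:a9 |1X Authentication |Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X",
    "00:16:6f:3b:17:a9 |1X Authentication |Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X",
    "00:0f:8f:9d:d3:23 |1X Authentication |M1 <msg type=EAPOL_KEY> PTK sent",
    "00:0f:8f:9d:d3:23 |1X Authentication |Sending Station Disconnect, Reason : 4-way Handshake Timeout, Auth Type 802.1X",
    "00:0f:8f:9d:d3:23 |1X Authentication | M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise",
    "| 00:0f:8f:9d:d3:23 | Station Assign | <AID=1> assigned to <AP_ID=31><ESSID=swhanessid><BSSID=00:0c:e6:9d:4f:be>",
]


if __name__ == "__main__":
    for mac, reasons in disconnect_reasons(SAMPLE_LINES).items():
        print(mac, dict(reasons))
    print("repeated MIC failures:", stations_with_repeated_mic_failures(SAMPLE_LINES))
```

A 4-way Handshake Timeout with no MIC failure usually points at the radio path or the client (it never answered M1), whereas repeated MIC failures from the same MAC on a PSK network point at the passphrase; keeping the two reasons separate in the tally is what makes the output actionable.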

Authentication Station Log Events

Event: 00:16:6f:3b:17:a9 | 802.11 State | state change <old=Unauthenticated><new=Authenticated><AP=00:0c:e6:04:fc:ad><BSSID=00:0c:e6:0a:ca:6e>
Interpretation: A station successfully completes the 802.11 authentication phase on AP::BSSID.

Event: 00:16:6f:3b:17:a9 | 802.11 State | state change <old=Unauthenticated><new=Authenticated><AP=00:0c:e6:04:fc:ad><BSSID=00:0c:e6:0a:ca:6e>
Interpretation: A station successfully completes the 802.11 association phase on AP::BSSID.

Event: 00:16:6f:3b:17:a9 | 802.11 State | state change <old=Associated><new=Unauthenticated><AP=00:0c:e6:04:fc:c0><BSSID=00:0c:e6:d8:84:14>
Interpretation: A station’s 802.11 state changes from Associated to Unauthenticated. This can happen because:
  • The station ages out. The default aging-out period is 30 minutes. The aging-out period of 802.11 associated stations is different from the aging-out period of assigned stations.
  • The station voluntarily leaves the currently associated BSSID by sending an 802.11 deauthentication frame.
  • The station moves from BSSIDOLD to BSSIDNEW. The associated state at BSSIDOLD is automatically cleared.
  • In a multi-controller environment, the station moves from ControllerOLD to ControllerNEW and the two controllers are in the same subnet; the associated state of the station in ControllerOLD is automatically cleared.
  • 1x/WPA/WPA2 authentication fails due to a RADIUS reject, a message timeout, or an unknown reason.
  • A key exchange fails due to a timeout or MIC failure.

Event: 00:16:6f:3b:17:a9 | 802.11 State | <AID=1> handoff <OLD_AP_ID=3><NEW_AP_ID=4><BSSID=00:0c:e6:30:47:17>
Interpretation: The station is handed off from one AP to another. This event is generated only if a mobile station is associated to the ESS of a Virtual Cell or a Virtual Port. The abbreviations mean the following:
  • AID: Association ID
  • OLD_AP_ID: AP serving the station before the handoff
  • NEW_AP_ID: AP serving the station after the handoff
  • BSSID: Parent BSSID in the Virtual Cell or Virtual Port

Event: 00:16:6f:3b:17:a9 | 802.11 State | Received Deauth frame from station <Deauth reason: authentication leave><deauth packet RSSI = 62><AID=3><BSSID=00:0c:e6:f9:01:01>
Interpretation: The station sends an 802.11 deauthentication frame; it decided to leave the ESS/BSS. This is only supported by AP400.

Event: 00:16:6f:3b:17:a9 | 802.11 State | Received Disassoc frame from station <Disassoc reason: association leave><deauth packet RSSI = 57><AID=3><BSSID=00:0c:e6:f9:01:01>
Interpretation: The station sends an 802.11 disassociation frame; it decided to disassociate. This is only supported by AP400.


1X/WPA/WPA2 Authentication Station Log Events

Event: 00:16:6f:3b:17:a9 | 1X Authentication | <auth method=WPA2_EAP>:<pkt type=EAPOL_START> recvd <ESSID=vcellwpa2><BSSID=22:01:0f:3b:17:a9>
Interpretation: The system receives an EAPOL_START message from a station associated to an ESSID::BSSID pair. There are two auth methods: WPA2_EAP or WPA_EAP. The standard states that this message is optional.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | <EAP code=request> <EAP ID=1> <EAP type=Identity> sent
Interpretation: The system sends an EAP Identity Request to the station. The system tries this message up to four times at one-second intervals. As authentication proceeds, the EAP ID increases by one.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | <pkt type=EAP_PACKET> <EAP code=response><EAP ID=1>
Interpretation: The system receives an EAP Response message from a station. The EAP ID of the response must match the EAP ID of the request.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | RADIUS <msg code=access_request><msg ID=178> sent <ip=192.168.101.17>:<port=1812>
Interpretation: The system forwards a station’s request to the RADIUS server IP::Port. As authentication proceeds, the message ID increases by one.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | <pkt type=EAP_PACKET> <EAP code=request><EAP ID=2> <info=relay eap-request from RADIUS> sent
Interpretation: The system forwards a RADIUS server’s request to a station.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | <pkt type=EAP_PACKET> <EAP code=success><EAP ID=13> <info=relay eap-request from RADIUS> sent
Interpretation: The system receives a RADIUS Accept message and sends an EAP SUCCESS message to the mobile station. This is the last message of an authentication. A key exchange stage immediately follows if WPA or WPA2 is used.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | Backend Authentication Timeout
Interpretation: A message forwarded to a RADIUS server timed out.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | Sending EAP Failure to station, (identifier 1)
Interpretation: An EAP Failure message is sent to a station. Three cases trigger this event:
  • A RADIUS message times out
  • An EAP message to a station times out
  • A RADIUS server sends a Reject message

Event: 00:16:6f:3b:17:a9 | 1X Authentication | RADIUS Access-Reject received
Interpretation: The system receives a RADIUS Reject message from a RADIUS server.

Event: 00:16:6f:3b:17:a9 | 1X Authentication | Backend Authentication Failure
Interpretation: The system receives a RADIUS Reject message from a RADIUS server.

DHCP Station Log Events

Event: 00:16:6f:3b:17:a9 | DHCP | <msg_type=DISCOVER><server_ip=255.255.255.255><server_mac=ff:ff:ff:ff:ff:ff><client_ip=0.0.0.0>
Interpretation: The system receives a DHCP message from a station. The message displays the server’s IP and MAC and the client’s IP. DHCP message types displayed are DISCOVER, REQUEST, or RELEASE.

Event: 00:16:6f:3b:17:a9 | DHCP | <msg_type=OFFER><server_ip=10.101.64.1><server_mac=00:0e:84:85:33:00><offered_ip=10.101.66.25>
Interpretation: The system receives a DHCP message from a DHCP server. The message displays the server’s IP and MAC and the client’s offered IP. DHCP message types displayed are OFFER, ACK, NACK or INFORM.

 

Captive Portal Station Log Event

Event: 00:16:6f:3b:17:a9 | CP User Authentication | <User=vijay> authenticated <ipaddr=10.101.66.25>
Interpretation: The system gets a RADIUS Accept message. The user is authenticated successfully.


This entry was posted in Administration Guides, FortiWLC by Michael Pruett, CISSP.

One thought on “FortiWLC – Troubleshooting”

  1. Johnny

    The “station-log issues” command works but will not accept any of the arguments. 4200 controller running 8.4.1 software.
