FortiAP wireless troubleshooting

FortiAP Troubleshooting:

create a test SSID:

cw_test_radio <1|2> <2g|5g|auto> <ssid|off> [address] [netmask]


Fortigate controller troubleshooting:

diag wireless-controller wlac -c

wlac usage:
    wlac help                       --show this usage
    wlac kickmac mac                --disassociate a sta
    wlac kickwtp ip cport           --tear down a wtp session
    wlac sniff [intf [wtp-id] [0|1|2] | clear]     --show, set or clear sniff setting on intf for wtp-id
    wlac -k wtp [vfid-ip:port lip:port]  --list wtp info(kern) 
    wlac -k vap [wlan | bssid]           --list vap info(kern)
    wlac -k sta [wlan | bssid mac]       --list sta info(kern)
    wlac -d all                     --list wlan/wtp/vap/sta info(data)
    wlac -d wlan                    --list wlan info(data)
    wlac -d wtp                     --list wtp info(data)
    wlac -d vap                     --list vap info(data)
    wlac -d sta                     --list sta info(data)
    wlac -d wlsta wlan              --list wlan's sta info(data)
    wlac -d wtpsta wtp-index        --list wtp's sta info(data)
    wlac -c sta [mac]           --list sta(ctl)
    wlac -c wtpgrp [wtpgrp]         --list configured wtp profiles(ctl)
    wlac -c wtp [wtp]               --list configured wtps(ctl)
    wlac -c wlan [wlan|ssid]        --list configured wlans(ctl)
    wlac -c swintf                  --list configured switch interface(ctl)
    wlac -c ap-status               --list configured ap status(ctl)
    wlac -c widsgrp                 --list configured wids profiles(ctl)
    wlac -c byod_dev [dev | mac]    --list configured devices(ctl)
    wlac -c byod_devgrp [devgrp     --list configured device groups(ctl)
    wlac -c byod_devacl [devacl]    --list configured device access lists(ctl)
    wlac -c byod_devtype [devtype]  --list configured device types(ctl)
    wlac -c byod [wlan]             --show device access in control plane
    wlac -c byod_detected [wlan]    --list detected devices(ctl)
    wlac -c ws [ip]                 --list current wtp sessions(ctl)
    wlac -c ws-mesh vfid-ip:port    --list this wtp session's mesh parent and child info(ctl)
    wlac -c vap                     --list vap info(ctl)
    wlac -c ap-rogue                --list rogue ap info(ctl)
    wlac -c sta-rogue               --list rogue sta info(ctl)
    wlac -c rap-hostlist bssid      --list hosts related to the ap(ctl)
    wlac -c arp-req                 --list arp info on the controller(ctl)
    wlac -c mac-table               --list mac table(ctl)
    wlac -c br-table                --list bridge table(ctl)
    wlac -c nol                     --list the AP's non occupancy channel list for radar
    wlac -c scan-clr-all            --clear the scanned rogue ap and sta data(ctl)
    wlac -c ap-onwire-clr bssid     --clear the rogue ap's on wire flag(ctl)
    wlac -c darrp                   --list darrp radio table(ctl)
    wlac -c sta-cap                 --list sta capability(ctl)
    wlac -c rf-analysis [wtp-id|ac] --list rf analysis results(ctl)
    wlac -c wids                    --show detected sta threat in control plane


 Debug a wireless client:

To see what’s happening with a wireless client, turn debugging on for that client:

diag wireless-controller wlac sta_filter <MAC ID of client> 1
diag debug console timestamp enable
diag debug enable


Debug AP to Controller connection issues

To see what’s happening in the capwap control packets it may be beneficial to enable plain control.

For the AP, telnet to the AP and run

cw_diag plain-ctl 1

On the controller run the following:

diag wireless-controller wlac plain-ctl <FAP SN> 1

Remember to set plain-ctl back to “0” for security reasons



Leave a Reply