Troubleshooting Fortinet Wireless LAN

Performance testing

If the FortiAP delivers poor throughput to the client, the link may drop. Throughput can be measured from a smartphone with third-party tools such as iPerf and jPerf.

 

Measuring file transfer speed

Another way to get a sense of a throughput problem is to measure the speed of a file transfer on your network. Create a test file of a known size and note the transfer rate that Windows reports while copying it. The command below creates a 50MB file.

  • fsutil file createnew test.txt 52428800

The following image shows a network transfer speed of just over 24Mbps. The theoretical speed of 802.11g is 54Mbps, which is what this client is using. A wireless client is never likely to see the theoretical speed.
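The same measurement, scripted, as an added example (not from the page or from Fortinet): it creates a fixed-size test file like the fsutil command above, times a copy of it to a destination path, and reports the result in Mbps and as a percentage of the link's nominal rate. The destination path, the 50 MiB default size and the 54Mbps 802.11g nominal rate are taken from the page; the choice of random rather than zero-filled content is this example's own, so that any compression on the path cannot inflate the number.

```python
"""Added example, not Fortinet code: create a fixed-size test file and time a
copy of it, reporting throughput in Mbps.  Works on any OS; point the
destination at a share or folder reached over the Wi-Fi link."""
import os
import shutil
import sys
import tempfile
import time

MIB = 1024 * 1024  # 50 * MIB == 52428800, the size used with fsutil on the page


def create_test_file(path, size_bytes, chunk=MIB):
    """Write exactly size_bytes of random data (random so link or SMB compression
    cannot inflate the measured rate, unlike a zero-filled fsutil file).
    Returns the resulting file size."""
    remaining = size_bytes
    with open(path, "wb") as fh:
        while remaining > 0:
            n = min(chunk, remaining)
            fh.write(os.urandom(n))
            remaining -= n
    return os.path.getsize(path)


def measure_transfer(src, dst):
    """Copy src to dst and return (bytes_copied, seconds, megabits_per_second)."""
    size = os.path.getsize(src)
    start = time.perf_counter()
    shutil.copyfile(src, dst)
    elapsed = time.perf_counter() - start
    mbps = size * 8 / elapsed / 1_000_000 if elapsed > 0 else float("inf")
    return size, elapsed, mbps


def link_efficiency(measured_mbps, nominal_mbps):
    """Measured rate as a percentage of the nominal PHY rate, rounded to 0.1;
    the page's 24Mbps on an 802.11g (54Mbps) link comes out at 44.4%."""
    return round(100.0 * measured_mbps / nominal_mbps, 1)


if __name__ == "__main__":
    # Usage: python wifi_xfer.py <dst_path> [size_mib] [nominal_mbps]
    # With no arguments the copy is local, which only sanity-checks the script,
    # not the wireless link.
    dst = sys.argv[1] if len(sys.argv) > 1 else os.path.join(tempfile.gettempdir(), "test_copy.bin")
    size_mib = int(sys.argv[2]) if len(sys.argv) > 2 else 50
    nominal = float(sys.argv[3]) if len(sys.argv) > 3 else 54.0
    src = os.path.join(tempfile.gettempdir(), "test.bin")
    create_test_file(src, size_mib * MIB)
    size, secs, mbps = measure_transfer(src, dst)
    print(f"{size} bytes in {secs:.2f}s = {mbps:.1f} Mbps "
          f"({link_efficiency(mbps, nominal)}% of {nominal:g} Mbps nominal)")
```

Run it from the wireless client with a destination on the wired side (or the reverse) so the copy actually crosses the FortiAP; a local copy only proves the script works.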

 

TKIP limitation

If you find that throughput is a problem, avoid WPA security encrypted with Temporal Key Integrity Protocol (TKIP) as it supports communications only at 54Mbps. Use WPA-2 AES instead.

Speeds also depend heavily on what the client computer can handle. The maximum client connection rate is 130Mbps for 2.4GHz on a 2×2 radio, or 300Mbps for 5GHz on a 2×2 radio (with short guard interval and channel bonding enabled).

If you want more than 54Mbps with 802.11n, do not use legacy TKIP; use CCMP instead. TKIP remains in the standard only for legacy compatibility.

 

Preventing IP fragmentation in CAPWAP

TKIP is not the only possible source of decreased throughput. When a wireless client sends jumbo frames using a CAPWAP tunnel, it can result in data loss, jitter, and decreased throughput.

Using the following commands you can set the uplink and downlink MTU of the CAPWAP tunnel to prevent fragmentation and avoid data loss.

config wireless-controller wtp
    edit new-wtp
        (in 5.2, you must first enable the override profile: set override-profile enable)
        (in 5.4, you must first enable override-ip-fragment: set override-ip-fragment enable)
        set ip-fragment-preventing [tcp-mss-adjust | icmp-unreachable]
        set tun-mtu-uplink [0 | 576 | 1500]
        set tun-mtu-downlink [0 | 576 | 1500]
    end
end

The default value is 0; the recommended value depends on the type of traffic. For example, IPsec in tunnel mode adds 52 bytes of overhead per packet, so you might use 1400 or less for both uplink and downlink.
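To make the sizing decision above concrete, here is an added example (not Fortinet's code, and not how FortiOS computes anything internally) that works out the packet budget: whether a client packet of a given size still fits the wired-side link once the extra per-packet overhead is added, which round-hundred tun-mtu value that leaves (52 bytes of IPsec overhead gives the page's 1400), and what TCP MSS a tcp-mss-adjust style clamp must advertise for a full segment to fit that MTU. The IPv4 and TCP header sizes are the standard 20-byte values; the 52-byte IPsec figure is the one quoted on the page; the round-down-to-100 rule and the constructed packet sizes are this example's own assumptions.

```python
"""Added example (not Fortinet code): size budget for client packets carried in
the CAPWAP data tunnel, to help choose tun-mtu-uplink/downlink and to see what
tcp-mss-adjust has to do.  Header sizes are standard protocol constants; the
52-byte IPsec tunnel-mode figure is the one quoted on the page."""

IPV4_HEADER = 20            # bytes, no options
TCP_HEADER = 20             # bytes, no options
LINK_MTU = 1500             # Ethernet payload size on the wired side of the AP
IPSEC_TUNNEL_OVERHEAD = 52  # per-packet overhead quoted on the page


def would_fragment(client_packet_len, extra_overhead, link_mtu=LINK_MTU):
    """True if a client IP packet of this size, plus the per-packet overhead added
    on the tunnel path (e.g. IPsec), no longer fits the link MTU and must be
    fragmented, which is the data-loss/jitter case the page describes."""
    return client_packet_len + extra_overhead > link_mtu


def recommend_tun_mtu(extra_overhead, link_mtu=LINK_MTU, step=100):
    """Largest round-hundred value not exceeding link_mtu - overhead (assumed
    rounding rule).  52 bytes of overhead gives 1400, the figure on the page."""
    budget = link_mtu - extra_overhead
    return budget - budget % step


def mss_for_tun_mtu(tun_mtu):
    """TCP MSS a tcp-mss-adjust style clamp must advertise so that a full-size
    IPv4 segment (MSS + IP + TCP headers) fits exactly into tun_mtu."""
    return tun_mtu - IPV4_HEADER - TCP_HEADER


def fragmentation_report(packet_lens, extra_overhead, tun_mtu):
    """For a list of client packet sizes, count how many would fragment before
    and after TCP segments are clamped to the MSS derived from tun_mtu.
    Returns (fragmented_before, fragmented_after)."""
    max_segment = mss_for_tun_mtu(tun_mtu) + IPV4_HEADER + TCP_HEADER  # == tun_mtu
    before = sum(would_fragment(n, extra_overhead) for n in packet_lens)
    after = sum(would_fragment(min(n, max_segment), extra_overhead) for n in packet_lens)
    return before, after


if __name__ == "__main__":
    # Constructed client packet sizes: two full-size segments, one already under
    # the budget, one small packet.
    sample = [1500, 1460, 1400, 576]
    mtu = recommend_tun_mtu(IPSEC_TUNNEL_OVERHEAD)
    print(f"overhead {IPSEC_TUNNEL_OVERHEAD} B -> tun-mtu {mtu}, MSS clamp {mss_for_tun_mtu(mtu)}")
    before, after = fragmentation_report(sample, IPSEC_TUNNEL_OVERHEAD, mtu)
    print(f"packets that would fragment: {before} before clamp, {after} after")
```

The same functions apply to any other encapsulation on the path: substitute its per-packet overhead for the IPsec figure and the tun-mtu and MSS values follow.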

 

Slowness in the DTLS response

It’s important to know all the elements involved in the CAPWAP association:

  • Request
  • Response
  • DTLS
  • Join
  • Configuration

All of these are bidirectional, so a slow DTLS response may be the result of a configuration error. It can also be caused by a certificate problem during the discovery response. You can read more about this in RFC 5416.

 

Connection issues

If the client has a connectivity issue that is not due to signal strength, the solution varies by the symptom.

 

Client connection issues

1. If client is unable to connect to FortiAP:

  • Make sure the client’s security and authentication settings match with FortiAP and check the certificates as well.
  • Try upgrading the Wi-Fi adapter driver and FortiGate/FortiAP firmware.
  • If other clients can connect, it could be an interoperability problem; run debug commands and capture packets with a sniffer.
  • Look for rogue suppression by sniffing the wireless traffic and looking for the disconnect in the output (using the AP or wireless packet sniffer).
  • Try changing the IEEE protocol from 802.11n to 802.11bg or 802.11a only.

2. If the client drops and reconnects:

  • The client might be de-authenticating periodically. Check the sleep mode on the client.
  • The issue could be related to power-saver settings. The client may need to update drivers.
  • The issue could also be caused by flapping between APs. Check the roaming sensitivity settings on the client or the preferred wireless network settings on the client—if another WiFi network is available, the client may connect to it if it is a preferred network. Also, check the DHCP configuration as it may be an IP conflict.

3. If the client drops and never connects:

  • It could have roamed to another SSID, so check the standby and sleep modes.
  • You may need to bring the interface up and down.

4. If the client connects, but no IP address is acquired by the client:

  • Check the DHCP configuration and the network.
  • It could be a broadcast issue, so check the WEP encryption key and set a static IP address and VLANs.
