FortiAP
zendodg
Staff
Article Id 308993
Description This article explains the sticky client threshold behavior.
Scope FortiAP.
Solution

To explain this, let's set the sticky client threshold a little high:

[Screenshot: vapconfig.PNG]

 

There are still clients below the sticky client threshold:

 

[Screenshot: clientstickyclient.PNG]

 

Running the debug is described in this related KB article:

Troubleshooting Tip: Debugging a wireless client connection issue using client MAC address

 

Association request:

 

Primario (global) # 35383.537 180 06:76:90:7e:1e:18 <ih> IEEE 802.11 mgmt::assoc_req <== 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) vap MyNetCorp rId 1 wId 4 04:d5:90:86:fb:ac
35383.538 180 06:76:90:7e:1e:18 <ih> 06:76:90:7e:1e:18 sta = 0x697d718, sta->flags = 0x00000001, auth_alg = 0, hapd->splitMac: 1
35383.538 180 06:76:90:7e:1e:18 cw_sta_load_chk ws (0-192.168.10.2:5246) rId 1 wId 4 sta 06:76:90:7e:1e:18
35383.538 180 06:76:90:7e:1e:18 cw_sta_balancing: ws (0-192.168.10.2:5246) 06:76:90:7e:1e:18 enters balancing, rId 1, wId 4, fho 0, apho 0, 5G 1, sta_cnt 0, sta_th 55
35383.538 180 06:76:90:7e:1e:18 cw_sta_balancing: ws (0-192.168.10.2:5246) 06:76:90:7e:1e:18 exits balancing, no need
35383.538 180 06:76:90:7e:1e:18 <ih> IEEE 802.11 mgmt::assoc_resp ==> 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) vap MyNetCorp rId 1 wId 4 04:d5:90:86:fb:ac
35383.538 180 06:76:90:7e:1e:18 <ih> IEEE 802.11 mgmt::assoc_resp ==> 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) vap MyNetCorp rId 1 wId 4 04:d5:90:86:fb:ac
35383.539 180 06:76:90:7e:1e:18 <dc> STA add 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 bssid 04:d5:90:86:fb:ac NON-AUTH band 0x10 mimo 2*2
35383.539 180 06:76:90:7e:1e:18 <cc> STA_CFG_REQ(4) sta 06:76:90:7e:1e:18 add ==> ws (0-192.168.10.2:5246) rId 1 wId 4
35383.539 180 06:76:90:7e:1e:18 <cc> STA add 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac sec WPA2 RADIUS auth 0
35383.539 180 06:76:90:7e:1e:18 cwAcStaRbtAdd: I2C_STA_ADD insert sta 06:76:90:7e:1e:18 192.168.10.2/1/4/1
35383.539 180 06:76:90:7e:1e:18 <dc> STA chg 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 bssid 04:d5:90:86:fb:ac NON-AUTH
35383.540 180 06:76:90:7e:1e:18 <cc> STA chg no key 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac sec WPA2 RADIUS user user1 group
35383.540 180 06:76:90:7e:1e:18 <dc> STA chg 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 bssid 04:d5:90:86:fb:ac NON-AUTH
35383.540 180 06:76:90:7e:1e:18 <cc> STA chg no key 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac sec WPA2 RADIUS user user1 group

4-Way Handshake:

95170.541 06:76:90:7e:1e:18 <eh> send 1/4 msg of 4-Way Handshake
95170.541 06:76:90:7e:1e:18 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=117 replay cnt 1
95170.541 06:76:90:7e:1e:18 <eh> IEEE 802.1X (EAPOL 121B) ==> 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac
35383.542 180 06:76:90:7e:1e:18 <cc> STA_CFG_RESP(4) 06:76:90:7e:1e:18 <== ws (0-192.168.10.2:5246) rc 0 (Success)
95170.606 06:76:90:7e:1e:18 <eh> IEEE 802.1X (EAPOL 139B) <== 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac
95170.606 06:76:90:7e:1e:18 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=135
95170.606 06:76:90:7e:1e:18 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1
95170.607 06:76:90:7e:1e:18 <eh> send 3/4 msg of 4-Way Handshake
95170.607 06:76:90:7e:1e:18 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=151 replay cnt 2
95170.607 06:76:90:7e:1e:18 <eh> IEEE 802.1X (EAPOL 155B) ==> 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac
95170.622 06:76:90:7e:1e:18 <eh> IEEE 802.1X (EAPOL 99B) <== 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac
95170.622 06:76:90:7e:1e:18 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=95
95170.622 06:76:90:7e:1e:18 <eh> recv EAPOL-Key 4/4 Pairwise replay cnt 2
95170.623 06:76:90:7e:1e:18 <eh> RADIUS message (type=1) ==> RADIUS Server code=4 (Accounting-Request) id=201 len=332
35383.623 180 06:76:90:7e:1e:18 <dc> STA chg 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 bssid 04:d5:90:86:fb:ac AUTH
35383.624 180 06:76:90:7e:1e:18 cwAcKernChgSta,6698 ws (0-192.168.10.2:5246) MyNetCorp 06:76:90:7e:1e:18 ret 0
35383.625 180 06:76:90:7e:1e:18 <cc> STA chg 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 04:d5:90:86:fb:ac sec WPA2 RADIUS auth 1 ******
35383.625 180 06:76:90:7e:1e:18 <cc> STA_CFG_REQ(5) sta 06:76:90:7e:1e:18 add key (len=16) ==> ws (0-192.168.10.2:5246) rId 1 wId 4
35383.628 180 06:76:90:7e:1e:18 <cc> STA_CFG_RESP(5) 06:76:90:7e:1e:18 <== ws (0-192.168.10.2:5246) rc 0 (Success)

 

DHCP:

 

35383.758 180 06:76:90:7e:1e:18 <dc> DHCP Request server 0.0.0.0 <== host M2007J20CG mac 06:76:90:7e:1e:18 ip 10.1.51.2 xId fdd3134f
35383.759 180 06:76:90:7e:1e:18 <dc> DHCP Ack server 10.1.51.254 ==> host mac 06:76:90:7e:1e:18 ip 10.1.51.2 mask 255.255.255.0 gw 10.1.51.254 xId fdd3134f
35383.760 180 06:76:90:7e:1e:18 cwAcAddWSSO mac 06:76:90:7e:1e:18 ip 10.1.51.2 usr 'user1' grp '' authed 1
35383.762 180 06:76:90:7e:1e:18 <dc> STA chg 06:76:90:7e:1e:18 vap MyNetCorp ws (0-192.168.10.2:5246) rId 1 wId 4 bssid 04:d5:90:86:fb:ac os info: Android12
35384.036 180 06:76:90:7e:1e:18 cwAcAddWSSO mac 06:76:90:7e:1e:18 ip 10.1.51.2 usr 'user1' grp '' authed 1
35399.652 180 06:76:90:7e:1e:18 cwAcKernDelSta,6718 ws (0-192.168.10.2:5246) 06:76:90:7e:1e:18 ret 0
35399.652 180 06:76:90:7e:1e:18 <dc> STA del 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) vap MyNetCorp rId 1 wId 4

 

De-authentication of the sticky client:


35399.652 180 06:76:90:7e:1e:18 cwAcProcInputLocalMsg C2C_STA_DEL_WTP wl MyNetCorp wId 4 sec 6
35399.653 180 06:76:90:7e:1e:18 <ih> IEEE 802.11 mgmt::disassoc ==> 06:76:90:7e:1e:18 ws (0-192.168.10.2:5246) vap MyNetCorp rId 1 wId 4 04:d5:90:86:fb:ac
95186.653 06:76:90:7e:1e:18 <eh> ***WPA_PTK 06:76:90:7e:1e:18 DISCONNECTED***

 

 

The sticky client threshold is applied after the authentication process. If some users have no other FortiAP to connect to and work far from the FortiAP, they will appear as connected and then disconnected.

 

In the WiFi logs, under System Events -> Logs -> WiFi Events, disconnection logs with low RSSI as the reason will appear:

 

date=2024-04-11 time=11:15:45 eventtime=1712859345583636272 tz="-0700" logid="0104043577" type="event" subtype="wireless" level="notice" vd="root" logdesc="Wireless client denied" sn="FP231ETF19001958" ap="FP231ETF19001958" vap="MyNetCorp" ssid="MyNetCorp" stamac="06:76:90:7e:1e:18" radioid=2 channel=165 security="WPA2 Enterprise" encryption="AES" action="client-denial" reason="STA denied on WTP due to low RSSI" msg="Client 06:76:90:7e:1e:18 denied due to low rssi. client rssi -48dBm, threshold rssi -30dBm" remotewtptime="1633.650281"
date=2024-04-11 time=11:15:45 eventtime=1712859345583541050 tz="-0700" logid="0104043575" type="event" subtype="wireless" level="notice" vd="root" logdesc="Wireless client deauthenticated" sn="FP231ETF19001958" ap="FP231ETF19001958" vap="MyNetCorp" ssid="MyNetCorp" radioid=2 user="N/A" stamac="06:76:90:7e:1e:18" signal=0 snr=0 authserver="FAC" channel=165 security="WPA2 Enterprise" encryption="AES" action="deauth" reason="Reserved 0" msg="AP sent deauthentication frame to client 06:76:90:7e:1e:18" snprev="N/A" remotewtptime="1633.647600"
date=2024-04-11 time=11:15:45 eventtime=1712859345495802202 tz="-0700" logid="0104043581" type="event" subtype="wireless" level="notice" vd="root" logdesc="Wireless client WTP disconnected" sn="FP231ETF19001958" ap="FP231ETF19001958" vap="MyNetCorp" ssid="MyNetCorp" radioid=2 user="user1" group="FAC" stamac="06:76:90:7e:1e:18" authserver="FAC" srcip=10.1.51.2 channel=165 radioband="802.11ac" signal=0 snr=0 security="WPA2 Enterprise" encryption="AES" action="client-disconnected-by-wtp" reason="Reserved 0" mpsk="N/A" msg="Client 06:76:90:7e:1e:18 disconnected by WTP."
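
An added example (not from the original article or from Fortinet): the deauthentication event above carries only reason="Reserved 0", so this Python code correlates each deauth with a low-RSSI denial for the same AP and client to separate sticky-threshold enforcement from unexplained deauthentications. The sample lines are trimmed copies of the events above plus one constructed deauth; the 1-second window and reading eventtime as nanoseconds are assumptions.

```python
import re

# Constructed sample: the three events from the article, trimmed to the fields used
# here, plus one invented deauth (02:00:00:00:00:01) that has no low-RSSI denial.
SAMPLE = [
    'eventtime=1712859345583636272 logid="0104043577" ap="FP231ETF19001958" '
    'stamac="06:76:90:7e:1e:18" action="client-denial" '
    'reason="STA denied on WTP due to low RSSI" msg="Client 06:76:90:7e:1e:18 '
    'denied due to low rssi. client rssi -48dBm, threshold rssi -30dBm"',
    'eventtime=1712859345583541050 logid="0104043575" ap="FP231ETF19001958" '
    'stamac="06:76:90:7e:1e:18" action="deauth" reason="Reserved 0"',
    'eventtime=1712859345495802202 logid="0104043581" ap="FP231ETF19001958" '
    'stamac="06:76:90:7e:1e:18" action="client-disconnected-by-wtp" reason="Reserved 0"',
    'eventtime=1712859400000000000 logid="0104043575" ap="FP231ETF19001958" '
    'stamac="02:00:00:00:00:01" action="deauth" reason="Reserved 0"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RSSI = re.compile(r'client rssi (-?\d+)dBm, threshold rssi (-?\d+)dBm')

def parse(line):
    """Split a key=value log line into a dict, dropping the quotes around values."""
    return {k: q if q else bare for k, q, bare in KV.findall(line)}

def classify_deauths(lines, window_ns=1_000_000_000):
    """Label each deauth event as sticky-threshold enforcement or unexplained."""
    events = [parse(l) for l in lines]
    denials = {}  # (ap, stamac) -> [(eventtime, client_rssi, threshold_rssi)]
    for ev in events:
        m = RSSI.search(ev.get("msg", ""))
        if ev.get("action") == "client-denial" and m:
            denials.setdefault((ev["ap"], ev["stamac"]), []).append(
                (int(ev["eventtime"]), int(m.group(1)), int(m.group(2))))
    results = []
    for ev in events:
        if ev.get("action") != "deauth":
            continue
        t = int(ev["eventtime"])  # assumed to be nanoseconds since the epoch
        match = next((d for d in denials.get((ev["ap"], ev["stamac"]), [])
                      if abs(d[0] - t) <= window_ns), None)
        results.append({"stamac": ev["stamac"], "sticky": match is not None,
                        "client_rssi": match[1] if match else None,
                        "threshold": match[2] if match else None})
    return results

if __name__ == "__main__":
    for r in classify_deauths(SAMPLE):
        print(r)
```

A deauth reported with "sticky": False has no matching low-RSSI denial and is the one worth a closer look.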
