Description:

This article describes steps to fix sticky client issues on a FortiAP WiFi connected to FortiGate. 

Scope:

FortiOS 6.4/FortiAP 6.4 and above.

Solution:

The primary focus of an implementation with FortiAP connected to FortiGate is to maintain strong RSSI clients to connect to the nearest FortiAP. Weak RSSI-based clients will be de-authenticated and denied connection to the SSID temporarily until the WiFi client RSSI single strength improves.

If sticky-client-remove is enabled, the AP will send de-authentication to the client when the client's RSSI falls below the configured sticky-client-2g|5g-threshold, and a FortiGate event log will be generated.

The sticky client problem occurs if a client remains connected to a far away FortiAP with a weaker signal (RSSI value).
This results in degraded wireless network speed due to factors such as low data rate, interference, more Air-time by sticky clients, etc.

Typical RSSI values:

Received Signal Strength Indicator (RSSI) is an estimated signal strength indicator on the WiFi client to tell how well a device can hear, detect, and receive signals from any Wireless Access Point. An RSSI closer to 0 is stronger, and closer to –100 is weaker.

Strong RSSI values range: from -65 and above (for example: -50, -40 values and above values are considered stronger WiFi client signal strength values).

Weak RSSI values range: from -72 and below (for example: -75, -80, and below values are considered weaker WiFi client RSSI values).

This solution is to remove weak RSSI-based clients from the SSID, when the feature is enabled the weak RSSI user will be de-authenticated and will not be accepted on the SSID until the WiFi client RSSI improves.

To configure sticky-client-remove in the CLI, run the following:

config wireless-controller vap

    edit <vap-name>

        set sticky-client-remove enable|disable

        set sticky-client-2g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)

        set sticky-client-5g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)

    end

end

Typically, between the -70 to -76 RSSI threshold range is considered a safer value.

To check if the sticky client is enabled, run the following CLI command on the FortiAP:

vcfg | grep -ie Radio -ie "sticky client"

To verify if the client has been removed due to the sticky-client-remove feature, check the FortiGate or the FortiAP WiFi event logs. For example:

1: date=2020-xx-xx time=xx:xx:01 logid="0104043xx7" type="event" subtype="wireless" level="notice" vd="root" eventtime=158274114161xx1879 tz="-0800" logdesc="Wireless client denied" sn="FPxxxxxxx03" ap=" FPxxxxxxx03" vap="VAP_profile" ssid="SSID_Name " stamac="xx:xx:xx:xx:xx:xx" radioid=2 channel=100 security="WPA2 Personal" encryption="AES" action="client-denial" reason="STA denied on WTP due to low RSSI" msg="Client xx:xx:xx:xx:xx:xx denied due to low rssi. client rssi -85dBm, threshold rssi -76dBm" remotewtptime="1557.250156"

Run the below command on the FortiAP CLI to check the sticky client behavior in real-time:

klog | grep -ie RSSI -ie deauth

[ 856.477122] Client a6:c8:b4:40:c3:bf(avg RSSI=23, cnt=94) de-authed due to insufficient RSSI
[ 856.477139] [MLME] cpu1 vap-00(wlan00): [a6:c8:b4:40:c3:bf] wlan_mlme_deauth_request reason 1.

Press Ctrl+C at any time to stop the log prints.

Related documents:

wireless-controller vap

Advanced Wireless Features

Technical Tip: How to collect logs and config to assist TAC in debugging issues on FortiAP WiFi

Signal strength issues