Description:
This article describes steps to fix sticky client issues on a FortiAP WiFi connected to FortiGate.
Scope:
FortiOS 6.4/FortiAP 6.4 and above.
Solution:
The primary focus of an implementation with FortiAP connected to FortiGate is to maintain strong RSSI clients to connect to the nearest FortiAP. Weak RSSI-based clients will be de-authenticated and denied connection to the SSID temporarily until the WiFi client RSSI single strength improves.
If sticky-client-remove is enabled, the AP will send de-authentication to the client when the client's RSSI falls below the configured sticky-client-2g|5g-threshold, and a FortiGate event log will be generated.
The sticky client problem occurs if a client remains connected to a far away FortiAP with a weaker signal (RSSI value).
This results in degraded wireless network speed due to factors such as low data rate, interference, more Air-time by sticky clients, etc.
Typical RSSI values:
Received Signal Strength Indicator (RSSI) is an estimated signal strength indicator on the WiFi client to tell how well a device can hear, detect, and receive signals from any Wireless Access Point. An RSSI closer to 0 is stronger, and closer to –100 is weaker.
Strong RSSI values range: from -65 and above (for example: -50, -40 values and above values are considered stronger WiFi client signal strength values).
Weak RSSI values range: from -72 and below (for example: -75, -80, and below values are considered weaker WiFi client RSSI values).
This solution is to remove weak RSSI-based clients from the SSID, when the feature is enabled the weak RSSI user will be de-authenticated and will not be accepted on the SSID until the WiFi client RSSI improves.
To configure sticky-client-remove in the CLI, run the following:
config wireless-controller vap
edit <vap-name>
set sticky-client-remove enable|disable
set sticky-client-2g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)
set sticky-client-5g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)
end
end
Typically, between the -70 to -76 RSSI threshold range is considered a safer value.
To check if the sticky client is enabled, run the following CLI command on the FortiAP:
vcfg | grep -ie Radio -ie "sticky client"
To verify if the client has been removed due to the sticky-client-remove feature, check the FortiGate or the FortiAP WiFi event logs. For example:
1: date=2020-xx-xx time=xx:xx:01 logid="0104043xx7" type="event" subtype="wireless" level="notice" vd="root" eventtime=158274114161xx1879 tz="-0800" logdesc="Wireless client denied" sn="FPxxxxxxx03" ap=" FPxxxxxxx03" vap="VAP_profile" ssid="SSID_Name " stamac="xx:xx:xx:xx:xx:xx" radioid=2 channel=100 security="WPA2 Personal" encryption="AES" action="client-denial" reason="STA denied on WTP due to low RSSI" msg="Client xx:xx:xx:xx:xx:xx denied due to low rssi. client rssi -85dBm, threshold rssi -76dBm" remotewtptime="1557.250156"
Run the below command on the FortiAP CLI to check the sticky client behavior in real-time:
klog | grep -ie RSSI -ie deauth
[ 856.477122] Client a6:c8:b4:40:c3:bf(avg RSSI=23, cnt=94) de-authed due to insufficient RSSI
[ 856.477139] [MLME] cpu1 vap-00(wlan00): [a6:c8:b4:40:c3:bf] wlan_mlme_deauth_request reason 1.
Press Ctrl+C at any time to stop the log prints.
Related documents:
wireless-controller vap
Advanced Wireless Features
Technical Tip: How to collect logs and config to assist TAC in debugging issues on FortiAP WiFi
Signal strength issues
