Help
FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
mp2
Staff
Staff

Created on ‎09-07-2020 02:14 AM Edited on ‎01-10-2023 02:43 AM By Moderator

Article Id 198713

Troubleshooting Tip: Fixing sticky client issues on FortiAP connected to FortiGate

Description:

 

This article describes how to fix sticky client issues on a FortiAP connected to FortiGate.

 

Scope

 

FortiOS 6.4/FortiAP 6.4 and above.


Solution

 

The primary focus of an implementation with FortiAP connected to FortiGate is to maintain high quality SNR clients in BSS. Low quality SNR-based clients will be de-authenticated and not allowed in BSS until their SNR improves.

 

If sticky-client-remove is enabled, the AP will send deauthentication to the client when the client's RSSI falls below the sticky-client-2g|5g-threshold, and a FortiGate event log will be generated.


The sticky client problem occurs if a client remains connected to far away FortiAP with a weaker signal.
This results in degraded wireless network speed due to factors such as low data rate, interference, more Air-time by sticky clients etc.


This solution to remove sticky clients maintains good SNR clients in BSS. Low SNR-based clients will be de-authenticated and will not be accepted in BSS until their SNR improves.

To configure sticky-client-remove in the CLI, run the following:

 

# config wireless-controller vap

edit <vap-name>

set sticky-client-remove enable|disable

set sticky-client-2g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)

set sticky-client-5g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)

end

end

 

To check if sticky client is enabled, run the following CLI command on the FortiAP:

 

# vcfg | grep -ie Radio -ie "sticky client"

 

To verify if the client has been removed due to sticky-client-remove enable, check the event log. For example:

 

1: date=2020-xx-xx time=xx:xx:01 logid="0104043xx7" type="event" subtype="wireless" level="notice" vd="root" eventtime=158274114161xx1879 tz="-0800" logdesc="Wireless client denied" sn="FPxxxxxxx03" ap=" FPxxxxxxx03" vap="VAP_profile" ssid="SSID_Name " stamac="xx:xx:xx:xx:xx:xx" radioid=2 channel=100 security="WPA2 Personal" encryption="AES" action="client-denial" reason="STA denied on WTP due to low RSSI" msg="Client xx:xx:xx:xx:xx:xx denied due to low rssi. client rssi -85dBm, threshold rssi -76dBm" remotewtptime="1557.250156"

 

Run the below command on the FortiAP CLI to check the sticky client behavior in realtime:

 

# klog | grep -ie snr -ie deauth

.

.

[ 856.477122] Client a6:c8:b4:40:c3:bf(avg snr=23, cnt=94) de-authed due to insufficient SNR
[ 856.477139] [MLME] cpu1 vap-00(wlan00): [a6:c8:b4:40:c3:bf] wlan_mlme_deauth_request reason 1.

.

 

Press Ctrl+C at any time to stop.

 

Related links:

https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/167620/wireless-controller-vap

https://docs.fortinet.com/document/fortiap/7.2.1/fortiwifi-and-fortiap-configuration-guide/705184/ad...

Labels:
9905
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.