WLAN Troubleshooting Guide (V200)

Common Causes and Troubleshooting Methods for Login Failures

Common causes of login failures include network disconnection, disabled services, blocking by access policies, and insufficient account permissions. The following table lists typical troubleshooting cases.

For more fault locating methods, see the following topics in the Troubleshooting Guide:

Troubleshooting: Login Through Telnet or SSH Fails (V200)

Troubleshooting: Login Through Telnet Fails (V200)

Troubleshooting: Login Through the Web System Fails (V200)

Troubleshooting: Device Login Faults (WAC) (V600)

Troubleshooting: Device Login Faults (AP) (V600)

Login Failure Due to Network Disconnection

Symptom

Failed to ping the IP address of a device.

Involved Products

AC and AP

Login Mode

  • Network port
  • Management SSID

Possible Causes

  • The Ethernet cable is loose or the STA fails to connect to the management SSID.
  • The IP address of a STA is incorrect.

Troubleshooting Procedure

  1. Check whether the physical connection between the STA and the device is correct.

    • If the STA connects to the device through a network port, check whether the Ethernet cable is loose.
    • If the STA connects to the device through the management SSID, check whether the STA has connected to Wi-Fi successfully.

  2. Check whether the IP address of the network port on the STA is in the same network segment as the IP address of the device.

    If the STA connects to a Fat AP through the management SSID, check whether the wireless network adapter of the STA can obtain a correct IP address.

Login Failure Due to Management Plane Isolation

Symptom

Failed to ping the IP address of a device.

Involved Products

AC

Login Mode

Network port

Possible Causes

Management plane isolation is configured, so login through service network ports is not allowed.

Troubleshooting Procedure

  1. Log in to the device through the console port.
  2. Disable the management plane isolation function.

    • If an AC has a management network port, you can log in through the management network port.
      By default, an AC with a management network port does not allow login through a service network port. To enable login to the AC through service network ports, remove this restriction using one of the methods described in the following table.

      Method for Allowing the Login Through Service Network Ports

      Description

      Method 1: Configure a service network port as the management network port.

      Run the management-interface command on the VLANIF interface corresponding to the service network port so that the port can be used to log in to the AC. A maximum of four VLANIF interfaces can be configured as management network ports.

      NOTE:

      This method is applicable only to V200.

      Method 2: Disable the management plane isolation function globally.

      Run the following command in the system view to disable management plane isolation globally, which allows users to log in to the device through all service network ports. Because of the potential security risks, this method is not recommended.
      • V200: mgmt isolate disable
      • V600: management-plane isolate disable
    • If an AC does not have a management network port, you can log in to it only through a service network port.
      By default, an AC without a management network port allows login through a service network port. To improve security, you can configure the VLANIF interface to which the target network port belongs as the management network port, which restricts login from other network ports.

      This configuration is supported only in the V200 version.

      Method for Allowing the Login Through Service Network Ports

      Description

      Method 1: Cancel the configurations of all management network ports.

      Run the display current-configuration command to check the configuration file and delete all management-interface configurations. This condition is naturally met on an AC with factory defaults.

      Method 2: Configure the target service network port as the management network port.

      If the management-interface command is configured on a VLANIF interface, other VLANIF interfaces without this configuration cannot be used to log in to the device. Run the management-interface command on the VLANIF interface corresponding to the target service network port so that the port can be used to log in to the AC. A maximum of four VLANIF interfaces can be configured as management network ports.

Login Failure Because Services Are Not Enabled

Symptom

The IP address of the device can be pinged, but the login page cannot be displayed.

Involved Products

AC and AP

Login Mode

  • Network port
  • Management SSID

Possible Causes

Services are not enabled.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. Check whether services are enabled and perform corresponding operations.

    • To log in to the device through STelnet, ensure that the STelnet service has been enabled on the device.

      ACs and APs running V200:

      <Huawei> display ssh server status
      ...
       Stelnet server       :Enable  //Enable indicates that the STelnet service is enabled.
      ...

      ACs running V600:

      <Huawei> display ssh server status
      ...
      STELNET IPv4 server                        : Enable  //Enable indicates that the IPv4 STelnet service is enabled.
      STELNET IPv6 server                        : Enable  //Enable indicates that the IPv6 STelnet service is enabled.
      ...

      Product

      How to Enable the STelnet Service

      AC

      stelnet server enable (system view)

      Fat AP

      Cloud AP

      Fit AP

      undo stelnet server disable (AP system profile view) on the AC

    • To log in to the device through Telnet, check whether the Telnet service is enabled.

      V200:

      <Huawei> display telnet server status
       TELNET IPV4 server   :Enable //Enable indicates that the Telnet service (IPv4) is enabled.
       TELNET IPV6 server   :Enable //Enable indicates that the Telnet service (IPv6) is enabled.
      ...

      V600:

      <Huawei> display telnet server 
      Telnet server           : Enable //Enable indicates that the Telnet service (IPv4) is enabled.
      ...
      Telnet IPv6 server      : Enable //Enable indicates that the Telnet service (IPv6) is enabled.
      ...

      Product

      How to Enable the Telnet Service

      AC

      telnet [ ipv6 ] server enable (system view)

      Fat AP

      telnet server enable (system view)

      Cloud AP

      Fit AP

      telnet enable (AP system profile view) on the AC

    • To log in to the device using a web browser, check whether the HTTPS/HTTP service is enabled.

      V200:

      <Huawei> display http server
        HTTP server status    : Enabled  (default: enable)  //Enabled indicates that the HTTP service is enabled.
      ...
        HTTPS server status   : Enabled  (default: enable)  //Enabled indicates that the HTTPS service is enabled.
      ...

      Product

      How to Enable the HTTP/HTTPS Service

      AC

      http server enable (system view)

      http secure-server enable (system view)

      Fat AP

      Cloud AP

      Fit AP

      This function is enabled by default and cannot be disabled.

Login Failure Due to ACL Policy Blocking

Symptom

The IP address of the device can be pinged, but the login page cannot be displayed.

Involved Products

AC and AP

Login Mode

  • Network port
  • Management SSID

Possible Causes

The login protocol or IP address of the STA is blocked by an existing policy.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. View the VTY configuration to check whether an ACL policy that restricts access exists or whether the specified protocol can be used for the login.

    <AC> system-view
    [AC] user-interface vty 0 4
    [AC-ui-vty0-4] display this
    ...
    user-interface vty 0 4
     acl 3000 inbound        //Run the display acl 3000 command to check whether ACL 3000 is used to restrict access to the device.
     authentication-mode aaa
     protocol inbound ssh    //If the specified login protocol is not included, run the protocol inbound { all | ssh | telnet } command to enable it.
    ...
    [AC-ui-vty0-4] display acl 3000      //Display the configuration of ACL 3000.
    Advanced ACL 3000, 1 rule
    Acl's step is 5
    rule 5 permit tcp destination 169.254.1.1 0   //This rule permits only the access to the destination address 169.254.1.1.
    rule 6 deny tcp source-port eq 22             //This rule denies TCP packets whose source port is 22.

    Assume that you need to log in to the device with the IP address of 192.168.1.1 from the PC with the IP address of 192.168.1.100 through STelnet (port number: 22). For the login to succeed, the ACL rules applied to the user interface must permit this access.

    [AC-ui-vty0-4] quit
    [AC] acl 3000
    [AC-acl-adv-3000] undo rule 5
    [AC-acl-adv-3000] rule permit tcp source 192.168.1.100 0  //Permit the TCP access from the source IP address 192.168.1.100.
    [AC-acl-adv-3000] rule permit tcp source-port eq 22       //Permit the TCP access from the source port 22.
    [AC-acl-adv-3000] rule permit tcp destination 192.168.1.1 0  //Permit the TCP access to the destination IP address 192.168.1.1.
    [AC-acl-adv-3000] rule permit tcp destination-port eq 22      //Permit the TCP access to the destination port 22.
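
    The effect of the rule set above can be checked offline before it is applied. The following is an added example, not part of the original guide: it evaluates ACL 3000 as it stands after the commands above and compares it with a hypothetical single rule that combines the source, destination, and destination port of the intended access. The rule IDs 10 to 25, the sample flows, the combined rule, and the deny-on-no-match behaviour are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: int
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # "source <ip> 0" (single host); None = any
    dst: Optional[str] = None     # "destination <ip> 0"; None = any
    sport: Optional[int] = None   # "source-port eq <n>"; None = any
    dport: Optional[int] = None   # "destination-port eq <n>"; None = any

    def matches(self, src, sport, dst, dport):
        # Every condition present in the rule must match; absent ones are wildcards.
        pairs = ((self.src, src), (self.sport, sport), (self.dst, dst), (self.dport, dport))
        return all(want is None or want == got for want, got in pairs)

def evaluate(rules, src, sport, dst, dport):
    """The first matching rule in ascending rule-ID order decides."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, sport, dst, dport):
            return rule.action, rule.rule_id
    # Assumption: a connection that matches no rule of the VTY ACL is rejected.
    return "deny", None

# ACL 3000 after the page's commands: rule 6 is left in place and the four new
# permits follow it. IDs 10-25 are constructed; only their order matters here.
PAGE_ACL = [
    Rule(6, "deny", sport=22),
    Rule(10, "permit", src="192.168.1.100"),
    Rule(15, "permit", sport=22),
    Rule(20, "permit", dst="192.168.1.1"),
    Rule(25, "permit", dport=22),
]

# Hypothetical single rule with all conditions of the intended access combined:
# rule permit tcp source 192.168.1.100 0 destination 192.168.1.1 0 destination-port eq 22
COMBINED_ACL = [Rule(5, "permit", src="192.168.1.100", dst="192.168.1.1", dport=22)]

# Constructed flows: (label, source IP, source port, destination IP, destination port)
FLOWS = [
    ("admin PC, STelnet", "192.168.1.100", 50000, "192.168.1.1", 22),
    ("other host, STelnet", "192.168.1.77", 50001, "192.168.1.1", 22),
    ("other host, Telnet", "192.168.1.77", 50002, "192.168.1.1", 23),
]

def compare(flows=FLOWS):
    """Return {label: (page ACL verdict, combined ACL verdict)}."""
    return {label: (evaluate(PAGE_ACL, *flow)[0], evaluate(COMBINED_ACL, *flow)[0])
            for label, *flow in flows}

if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:22} page={verdicts[0]:7} combined={verdicts[1]}")
```

    Because each permit rule is matched on its own, any flow addressed to 192.168.1.1 is permitted by the destination rule, whatever its source; the combined rule permits only the assumed STelnet access.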

Login Failure Due to Incorrect Configurations of Service Source Interfaces

Symptom

The IP address of the device can be pinged, but the login page cannot be displayed.

Involved Products

AC and AP

Login Mode

Network port

Possible Causes

The service source interface configuration is inconsistent with the actual connection.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. Check whether the STelnet, Telnet, HTTPS, and HTTP source interface configurations are consistent with the physical connections.

    To prevent unauthorized logins, the AC and AP provide the source interface-based login mechanism. Only terminals with the specified source interfaces can log in to the device. To log in to the device through a physical network port, ensure that this port is within the range allowed by the policy. By default, all physical network ports can be used to log in to the device.

    From V200R019C10, login security is further improved on the AC and Fat AP. The Layer 3 interface to which a network port belongs must be within the range allowed by the policy. For a device with a management network port (such as the AC6805), its management network is used as the Layer 3 source interface by default. For a device without a management network port (such as the AC6508), VLANIF 1 is used as the Layer 3 source interface by default.

    • To log in to the device using STelnet, check whether the STelnet source interface configuration is consistent with the physical connection.
      <Huawei> display current-configuration | include ssh server permit interface
      ssh server permit interface GigabitEthernet0/0/4  //Physical network ports that are not displayed cannot be used for logging in to the device through STelnet. If this line is not displayed, any physical network port can be used for the login.
      <Huawei> display ssh server status
      ...
       SSH server source interface         :Vlanif1     //The Layer 3 source interface of the STelnet server is VLANIF 1.

      The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device through STelnet. To use STelnet to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the STelnet source interface configuration as follows:

      <Huawei> system-view
      [Huawei] ssh server permit interface GigabitEthernet 0/0/2
      [Huawei] ssh server-source -i vlanif 100
      Warning: This operation will lead to connection interruptions. Continue? [Y/N]y
    • To log in to the device using Telnet, check whether the Telnet source interface configuration is consistent with the physical connection.
      <Huawei> display current-configuration | include telnet server permit interface
      telnet server permit interface GigabitEthernet0/0/4  //Physical network ports that are not displayed cannot be used for logging in to the device through Telnet. If this line is not displayed, any physical network port can be used for the login.
      <Huawei> display telnet server status
      ...
       TELNET server source interface      :Vlanif1     //The Layer 3 source interface of the Telnet server is VLANIF 1.

      The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device through Telnet. To use Telnet to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the Telnet source interface configuration as follows:

      <Huawei> system-view
      [Huawei] telnet server permit interface GigabitEthernet 0/0/2
      [Huawei] telnet server-source -i vlanif 100
      Warning: This operation will lead to connection interruptions. Continue? [Y/N]y
    • To log in to the device using a web browser, check whether the HTTP/HTTPS source interface configuration is consistent with the physical connection.
      <Huawei> display http server
      ...
        HTTP server permit interface : GigabitEthernet0/0/4   //The physical source interface of the HTTP/HTTPS server is GigabitEthernet0/0/4.
        HTTPS server source interface: Vlanif1                //The Layer 3 source interface of the HTTP/HTTPS server is VLANIF 1.

      The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device using a web browser. To use a web browser to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the HTTP/HTTPS source interface configuration as follows:

      <Huawei> system-view
      [Huawei] http server permit interface GigabitEthernet 0/0/2
      Warning: This operation may affect the built-in Portal authentication and Portal escape function. Continue? (y/n)[n]:y
      [Huawei] http secure-server server-source -i vlanif 100
      Warning: This operation will lead to connection interruptions.Continue? [Y/N]y

Login Failure Because Service Ports Are Blocked by a Firewall

Symptom

The IP address of the device can be pinged, but the login page cannot be displayed.

Involved Products

AC and AP

Login Mode

Network port

Possible Causes

Service ports are blocked by a firewall.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. If a firewall exists between the PC and the device, check the firewall security policy and ensure that the required service ports are allowed.

    To log in to the device through STelnet from the PC, ensure that the firewall security policy allows communication on TCP port 22 between the source and destination IP addresses.

    Communication Protocol    Basic Protocol    Common Port
    STelnet                   TCP               22
    Telnet                    TCP               23
    HTTPS                     TCP               443
    HTTP                      TCP               80

Login Failure Due to Account Lockout

Symptom

A login failure message is displayed.

Involved Products

AC, Fat AP, and cloud AP

Login Mode

  • Network port
  • Management SSID
  • Bluetooth serial port
  • Console port

Possible Causes

  • The account is locked because the number of consecutive login failures exceeds the threshold.
  • The account is manually locked.

Troubleshooting Procedure

Assume that this problem occurs when you log in to the device using the account user01.

  1. Log in to the device using another account or method.
  2. Query the status of the account that fails to log in.

    <Huawei> display local-user username user01
    ...
      State                : block    //Account state. The value active indicates that the account is activated, and block indicates that the account is locked.
    ...

    If the value of State is block, the account is locked. Run the following commands to activate the account:

    <Huawei> system-view
    [Huawei] aaa
    [Huawei-aaa] local-user user01 state active

Login Failure Due to Insufficient Account Permission

Symptom

A login failure message is displayed.

Involved Products

AC, Fat AP, and cloud AP

Login Mode

  • Network port
  • Management SSID
  • Bluetooth serial port
  • Console port

Possible Causes

The local account does not support the access type.

Troubleshooting Procedure

Assume that this problem occurs when you log in to the device using the account user01.

  1. Log in to the device using another account or method.
  2. Query the access types supported by the account that fails to log in.

    <Huawei> display local-user username user01
    ...
      Service-type-mask    : TS     //Access type. Common access types include A (all types), T (Telnet), S (STelnet), H (HTTP), and M (Console).
    ...

    If Service-type-mask does not contain the specified access type, add the access type as required.

    <Huawei> system-view
    [Huawei] aaa
    [Huawei-aaa] local-user user01 service-type http

    The common command format is local-user username service-type { ssh | telnet | http | terminal }, where terminal indicates the console login mode.

Login Failure Because the Number of Concurrent Login Sessions Using an Account Reaches the Upper Limit

Symptom

A login failure message is displayed.

Involved Products

AC, Fat AP, and cloud AP

Login Mode

  • Network port
  • Management SSID
  • Bluetooth serial port
  • Console port

Possible Causes

The number of concurrent logins reaches the upper limit.

Troubleshooting Procedure

Assume that this problem occurs when you log in to the device using the account user01 on a web browser.

  1. Log in to the device using another account or method.
  2. Query detailed information about the account that fails to log in, and then handle the problem accordingly.

    <Huawei> display local-user username user01
    ...
      Access-limit         : Yes    //Whether to limit the number of access accounts.
      Access-limit-max     : 3    //Maximum number of access accounts.
      Accessed-num         : 3    //Current number of access accounts.
    ...

    If the value of Access-limit is Yes, the number of access sessions using an account is limited. When the number of access sessions using an account reaches the upper limit, the account cannot be used to log in to new sessions.

    You can run the following commands to change the maximum number of sessions allowed for an account so that the account can be used to log in to more sessions.

    <Huawei> system-view
    [Huawei] aaa
    [Huawei-aaa] local-user user01 access-limit 4
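
    The three account checks described in the sections on account lockout, insufficient account permission, and the concurrent session limit all read the same display local-user output, so they can be run in one pass. The following is an added example, not part of the original guide; the function names, cause labels, and sample outputs are constructed, and the field names and mask letters are those shown in the sections above.

```python
import re

# Service-type-mask letters listed on the page, keyed by the service-type
# keyword of the local-user command.
MASK_LETTER = {"telnet": "T", "ssh": "S", "http": "H", "terminal": "M"}

def parse_fields(output):
    """Return {field: value} from 'Field : value  //annotation' lines."""
    fields = {}
    for line in output.splitlines():
        line = line.split("//", 1)[0]          # drop the page-style annotation
        m = re.match(r"\s*([A-Za-z][\w-]*)\s*:\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def login_blockers(output, service):
    """List every cause from the three sections that applies to this account."""
    f = parse_fields(output)
    causes = []
    if f.get("State", "").lower() == "block":
        causes.append("account-locked")
    mask = f.get("Service-type-mask")
    if mask is not None and "A" not in mask and MASK_LETTER[service] not in mask:
        causes.append("service-type-missing")
    if f.get("Access-limit", "").lower() == "yes":
        used, limit = f.get("Accessed-num"), f.get("Access-limit-max")
        if used is not None and limit is not None and int(used) >= int(limit):
            causes.append("session-limit-reached")
    return causes

# Constructed outputs that combine the fields shown in the three sections.
LOCKED_AND_FULL = """\
<Huawei> display local-user username user01
...
  State                : block    //Account state.
  Service-type-mask    : TS
  Access-limit         : Yes
  Access-limit-max     : 3
  Accessed-num         : 3
...
"""
HEALTHY = """\
  State                : active
  Service-type-mask    : A
  Access-limit         : No
"""

if __name__ == "__main__":
    for svc in ("http", "ssh"):
        print(svc, login_blockers(LOCKED_AND_FULL, svc))
    print("telnet", login_blockers(HEALTHY, "telnet"))
```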

Update Date:2025-04-01
Document ID:EDOC1000060368