Login Through Telnet Fails
Symptom
A terminal fails to log in to the device through Telnet.
Possible Causes
- The network connection fails.
- The user name or password is incorrect.
- The server configuration is incorrect.
- The IP address of the client is blocked.
- The Telnet server is disabled by default and is not enabled.
- Management plane isolation is configured, and the terminal does not log in through the management interface.
- (V200R019C10 and later versions) The source interface of the Telnet server is configured.
- The Telnet interface is disabled by the firewall.
Troubleshooting Procedure
Perform the following operations after logging in to the device through the console port.
- Check whether the network connection is normal.
Before a user logs in to the device using Telnet, reachable routes must exist between the client and device. Ping the IP address of the server from the client to check whether the network between the client and server is available.
- Check whether the user name and password are correct.
The Telnet server supports password authentication and AAA authentication. By default, the authentication mode is AAA authentication.
- In AAA authentication mode, you need to check whether the user name and password are correct. If you do not know whether the password is correct, perform the following operations to change the password for the current user name:
- Run the system-view command to enter the system view.
- Run the aaa command to enter the AAA view.
- Run the local-user user-name password irreversible-cipher irreversible-cipher-password command to configure the password.
- In password authentication mode, check whether the password is correct. You can run the following commands to change the password:
- Run the system-view command to enter the system view.
- Run the user-interface vty first-ui-number [ last-ui-number ] command to enter the VTY user interface view.
- Run the authentication-mode password command to set the authentication mode to password.
- Run the set authentication password cipher command to set the authentication password.
- Check whether the Telnet server status on the server is normal. Run the display telnet server status command to check whether the following information is correct:
- Telnet service status
- Port number of the Telnet server
<AC> display telnet server status
 TELNET IPV4 server                :Enable
 TELNET IPV6 server                :Disable
 TELNET server port                :23
 TELNET server source interface    :All
- If the TELNET IPv4 server or TELNET IPv6 server field is Disable, run the telnet [ipv6] server enable command in the system view to enable the Telnet service.
- Ensure that the port number of the Telnet server is consistent with that of the Telnet client. A Telnet client can log in to the Telnet server without specifying a port number only when the Telnet server uses port 23. If the Telnet server uses another port, the client must specify that port number when logging in. If the port numbers differ, run the telnet server port 23 command in the system view to change the Telnet server's port number to 23.
- Check whether the VTY user interface configuration is correct.
- Log in to the device through the console port. Check the VTY configuration, and ensure that the Telnet protocol has been configured for VTY channels.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh    //The Telnet protocol is not bound.
user-interface vty 16 20
 protocol inbound all
#
If the Telnet protocol is not bound, perform the following operations:
[AC-ui-vty0-4] protocol inbound telnet
or
[AC-ui-vty0-4] protocol inbound all
- Check the login authentication mode. Currently, the following authentication modes are mainly used:
- authentication-mode password: password authentication mode
- authentication-mode aaa: AAA authentication mode
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
user-interface vty 16 20
If password authentication mode is configured in the VTY user interface, you must configure the login password in the VTY user interface view. You can run the display this command in the VTY user interface view to check whether the login password is configured. If not, run the set authentication password cipher command in the VTY user interface view to configure it.
If AAA authentication mode is configured in the VTY user interface, you must create a local AAA user. You can run the display this command in the AAA view to check the configuration. You must specify the level and service type for the account; otherwise, you cannot use this account to log in to the device.
For example, the user name is admin and password is Huawei@123 in the command output. If the account configuration is incorrect, run the aaa command to enter the AAA view, reconfigure the account based on the following commands, and log in to the device.
[AC] aaa
[AC-aaa] local-user admin password irreversible-cipher Huawei@123
[AC-aaa] local-user admin service-type telnet http terminal
- In AAA authentication mode, if a user enters incorrect passwords three times consecutively within 5 minutes when the client attempts to set up a Telnet connection with the Telnet server, the IP address of the client will be locked for 5 minutes, and the locked IP address cannot pass authentication. You can run the display aaa online-fail-record username username command in any view to check STAs' IP addresses that are locked due to authentication failures. If the IP address of a client is locked, solve the problem using the following methods:
- Wait for 5 minutes until the device automatically unlocks the IP address.
- Run the undo local-aaa-user wrong-password command in the AAA view to disable the lock function.
- Check whether the IP address of the client is permitted.
<AC> display current-configuration | include telnet
 telnet server permit interface GigabitEthernet0/0/1    //Allow the client to connect to GigabitEthernet0/0/1 on the Telnet server but restrict the connection to other interfaces.
By default, clients can connect to all physical interfaces on the Telnet server. You can run the undo telnet server permit interface command in the system view to restore the default physical interfaces on the Telnet server to which clients can connect.
- Check whether an ACL is bound to VTY user interfaces on the Telnet server.
Check the VTY configuration to determine whether an ACL rule is bound to VTY user interfaces.
For example, run the display this command to check whether an ACL has been bound to VTY 0 to VTY 4.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 acl 3000 inbound    //Bind ACL 3000.
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
If an ACL is configured, check whether the IP address of the Telnet client is denied in the ACL. If the IP address is denied, delete the deny rule in the ACL view, and modify the IP addresses of clients that are permitted in the ACL.
For example, an ACL is configured on the device and a deny rule is configured for the IP address (192.168.1.2) of a Telnet client.
[AC-ui-vty0-4] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny tcp source 192.168.1.2 0
[AC-ui-vty0-4] quit
Modify the ACL to allow the IP address of the Telnet client to access the device.
[AC] acl 3000
[AC-acl-adv-3000] undo rule 5
[AC-acl-adv-3000] rule 5 permit tcp source 192.168.1.2 0
[AC-acl-adv-3000] display this
#
acl number 3000
 rule 5 permit tcp source 192.168.1.2 0
#
return
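The ACL check above is easy to get wrong by eye when the ACL has more than one rule or uses wildcard masks rather than a bare host. The following added example (not part of this page or of Huawei's own tooling) parses display acl output, applies wildcard-mask matching to a client address, and reports which rule decides the client's fate. It assumes rules are evaluated in the order shown and that the first match wins; the sample output is constructed from the ACL 3000 shown above, extended with two hypothetical rules (rule 10 and rule 15) to exercise a wildcard mask and source any. When no rule matches, the function returns None rather than guessing the device default.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the "display acl 3000" output from this page, extended
# with two hypothetical rules (rule 10, rule 15) to show a wildcard mask and "any".
SAMPLE_ACL_OUTPUT = """\
Advanced ACL 3000, 3 rules
Acl's step is 5
 rule 5 deny tcp source 192.168.1.2 0
 rule 10 permit tcp source 192.168.1.0 0.0.0.255
 rule 15 deny tcp source any
"""

RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+source\s+"
    r"(?:(?P<any>any)|(?P<addr>\d+(?:\.\d+){3})\s+(?P<wc>\d+(?:\.\d+){0,3}))"
)


def _wildcard_to_int(wc: str) -> int:
    # VRP prints a host wildcard as a bare "0"; the dotted form is accepted too.
    if "." not in wc:
        return int(wc)
    return int(ipaddress.IPv4Address(wc))


def parse_acl(output: str) -> List[Tuple[int, str, str, Optional[int], int]]:
    """Return (rule_id, action, proto, source_as_int_or_None_for_any, wildcard_as_int)."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group("any"):
            src, wc = None, 0xFFFFFFFF
        else:
            src = int(ipaddress.IPv4Address(m.group("addr")))
            wc = _wildcard_to_int(m.group("wc"))
        rules.append((int(m.group("id")), m.group("action"), m.group("proto"), src, wc))
    return rules


def _matches(ip: int, src: Optional[int], wc: int) -> bool:
    # Wildcard-mask semantics: a 1 bit means "don't care", so only the 0 bits are compared.
    if src is None:
        return True
    care = ~wc & 0xFFFFFFFF
    return (ip & care) == (src & care)


def classify_client(output: str, client_ip: str) -> Optional[Tuple[str, int]]:
    """First rule (in displayed order, assumed to be match order) that covers client_ip.

    Returns (action, rule_id), or None when no rule matches; the device's own default
    then applies, which this example deliberately does not assume."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for rule_id, action, _proto, src, wc in parse_acl(output):
        if _matches(ip, src, wc):
            return (action, rule_id)
    return None


def remediation(output: str, client_ip: str) -> List[str]:
    """Commands to let client_ip through, mirroring the page's fix for a host deny rule.

    For a deny rule wider than one host, a more specific permit with a lower rule ID is
    suggested instead (assumes ascending rule-ID match order), so the wide rule stays."""
    verdict = classify_client(output, client_ip)
    if verdict is None or verdict[0] == "permit":
        return []
    _action, rule_id = verdict
    rule = next(r for r in parse_acl(output) if r[0] == rule_id)
    proto, wc = rule[2], rule[4]
    if wc == 0:
        return [f"undo rule {rule_id}", f"rule {rule_id} permit {proto} source {client_ip} 0"]
    return [f"rule {rule_id - 1} permit {proto} source {client_ip} 0"]


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.77", "10.0.0.5"):
        print(ip, classify_client(SAMPLE_ACL_OUTPUT, ip), remediation(SAMPLE_ACL_OUTPUT, ip))
```

Running it against the sample shows 192.168.1.2 denied by rule 5 (the exact case on this page), a neighbour in 192.168.1.0/24 permitted by rule 10, and any other address caught by the deny-any in rule 15; after the page's fix is applied, the same client is permitted by rule 5.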
- (V200R019C10 and later versions) Check whether the source interface of the Telnet server is configured.
In V200R019C10 and later versions, if the AC's source interface is specified, users can log in to the AC only through the specified interface.
By default, no source interface is specified. According to the factory configuration file, for a device with an Ethernet management interface, the default source interface is the Ethernet management interface; for a device without an Ethernet management interface, the default source interface is VLANIF 1.
To reconfigure the source interface of the Telnet server, run the telnet server-source -i { interface-type interface-number | all } command.
- After the parameter interface-type interface-number is specified, the connection to the device through any other interface is torn down.
- After the parameter all is specified, users can log in to the device through any interface. This configuration is not recommended due to low security.
- Check whether the Telnet interface is disabled by the firewall.
- Run the display network status all command to check the interfaces and services enabled on the network.
<AC> display network status all
Proto  Task/SockId  Local Addr&Port    Foreign Addr&Port   State
TCP    VTYD/1       0.0.0.0:23         0.0.0.0:0           Listening
TCP    VTYD/3       10.23.23.1:23      10.23.23.201:4332   Established
TCP6   VTYD/2       ::->23             ::->0               Listening
UDP    NTPT/1       0.0.0.0:123        0.0.0.0:0
UDP    AGNT/1       0.0.0.0:161        0.0.0.0:0
UDP    RDS /1       0.0.0.0:1812       0.0.0.0:0
UDP    WEB /1       0.0.0.0:2000       0.0.0.0:0
UDP    L2_P/1       0.0.0.0:40000      0.0.0.0:0
UDP    NAP /1       0.0.0.0:53535      0.0.0.0:0
UDP6   NTPT/2       ::->123            ::->0
UDP6   AGT6/1       ::->161            ::->0
- Check the firewall policies to determine whether the Telnet or SSH interface is disabled.
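The Telnet server status check earlier on this page and the display network status all check here answer two halves of one question: is the service enabled on the expected port, and is something actually listening there? The following added example (not part of this page or of Huawei's tooling) parses both outputs, re-typed here as constructed samples from the page, and reports findings in the same order the page checks them: service disabled for the client's address family, port mismatch between server and client, and no listening socket on that port (which is where a firewall policy would show up).

```python
import re
from typing import List, Tuple

# Constructed samples: the two command outputs quoted on this page, re-typed so the
# example runs offline (a few UDP lines are kept to show non-TCP sockets are skipped).
TELNET_STATUS = """\
<AC> display telnet server status
 TELNET IPV4 server                :Enable
 TELNET IPV6 server                :Disable
 TELNET server port                :23
 TELNET server source interface    :All
"""

NETWORK_STATUS = """\
<AC> display network status all
Proto  Task/SockId  Local Addr&Port    Foreign Addr&Port   State
TCP    VTYD/1       0.0.0.0:23         0.0.0.0:0           Listening
TCP    VTYD/3       10.23.23.1:23      10.23.23.201:4332   Established
TCP6   VTYD/2       ::->23             ::->0               Listening
UDP    NTPT/1       0.0.0.0:123        0.0.0.0:0
UDP    RDS /1       0.0.0.0:1812       0.0.0.0:0
UDP6   NTPT/2       ::->123            ::->0
"""

STATUS_RE = re.compile(r"^\s*TELNET\s+(.+?)\s*:(\S+)\s*$")
# Task names may contain a space ("RDS /1"), so anchor on the two address fields,
# which always contain a colon.
SOCKET_RE = re.compile(r"^(TCP6?|UDP6?)\s+(.+?)\s+(\S*:\S*)\s+(\S*:\S*)(?:\s+(\S+))?\s*$")


def parse_telnet_status(text: str) -> dict:
    """Turn 'display telnet server status' output into a small dict."""
    fields = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "ipv4_enabled": fields.get("IPV4 server") == "Enable",
        "ipv6_enabled": fields.get("IPV6 server") == "Enable",
        "port": int(fields.get("server port", "23")),
        "source_interface": fields.get("server source interface", "All"),
    }


def _local_port(addr_port: str) -> int:
    # IPv4 sockets print as a.b.c.d:port, IPv6 sockets as addr->port.
    if "->" in addr_port:
        return int(addr_port.rsplit("->", 1)[1])
    return int(addr_port.rsplit(":", 1)[1])


def parse_network_status(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, task, local_port, state) for each socket line."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue
        proto, task, local, _foreign, state = m.groups()
        sockets.append((proto, task, _local_port(local), state or ""))
    return sockets


def diagnose(status_text: str, network_text: str, client_port: int = 23,
             ipv6: bool = False) -> List[Tuple[str, str]]:
    """Return (code, message) findings in the order this page checks them."""
    status = parse_telnet_status(status_text)
    sockets = parse_network_status(network_text)
    family = "ipv6" if ipv6 else "ipv4"
    proto = "TCP6" if ipv6 else "TCP"
    findings = []
    if not status[f"{family}_enabled"]:
        cmd = "telnet ipv6 server enable" if ipv6 else "telnet server enable"
        findings.append(("service_disabled",
                         f"TELNET {family.upper()} server is Disable; run '{cmd}' in the system view."))
    if status["port"] != client_port:
        findings.append(("port_mismatch",
                         f"server port is {status['port']} but the client uses {client_port}; "
                         f"specify the port on the client or run 'telnet server port 23'."))
    if not any(p == proto and port == client_port and state == "Listening"
               for p, _task, port, state in sockets):
        findings.append(("no_listener",
                         f"no {proto} socket in Listening state on port {client_port}; "
                         f"check the firewall policies and the service itself."))
    return findings


if __name__ == "__main__":
    print(diagnose(TELNET_STATUS, NETWORK_STATUS))
    print(diagnose(TELNET_STATUS, NETWORK_STATUS, ipv6=True))
    print(diagnose(TELNET_STATUS, NETWORK_STATUS, client_port=2323))
```

With the page's own outputs an IPv4 client on port 23 gets no findings, an IPv6 client is told the IPv6 server is Disable (the TCP6 listener on port 23 in the sample is present, so only that finding is raised), and a client pointed at a port the server does not use gets both the port mismatch and the missing-listener finding.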