Login Through SSH Fails
Symptom
A terminal fails to log in to the device through STelnet.
Possible Causes
- The network connection fails.
- The user name or password is incorrect.
- The server configuration is incorrect.
- The IP address of the client is blocked.
- The encryption/decryption algorithm used by the STelnet client does not match that on the device.
- Management plane isolation is configured, and the terminal does not log in to the device through the management interface.
- (V200R019C10 and later versions) The source interface of the SSH server is configured.
- The SSH interface is disabled by the firewall.
Troubleshooting Procedure
Perform the following operations after logging in to the device through the console port.
- Check whether the network connection is normal.
Before a user logs in to the device using SSH, reachable routes must exist between the client and the device. Ping the IP address of the SSH server from the client to check whether the network connection between the client and the server is normal, so that a network fault is ruled out before the SSH configuration itself is examined.
- Check whether the user name and password are correct.
- Check whether the user name and password are the same as those configured on the SSH server. If they are inconsistent, enter the correct user name and password. If you are not sure whether the password is correct, perform the following operations to reconfigure the password:
- Log in to the device using a user account with a higher privilege level (at least level 3) than the previous user account, and configure a new password for the previous user account.
- Log in to the device through the console port and configure a new password.
The configuration method is as follows:
<AC> system-view
[AC] aaa
[AC-aaa] local-user test password irreversible-cipher huawei@1234
- If a user enters an incorrect password three times consecutively within 5 minutes while the client attempts to set up an SSH connection with the SSH server, the IP address of the client is locked for 5 minutes, and a locked IP address cannot pass authentication. You can run the display aaa online-fail-record username username command in any view to check which IP addresses are locked due to authentication failures. If the IP address of a client is locked, solve the problem using either of the following methods:
- Wait for 5 minutes until the device automatically unlocks the IP address.
- Run the undo local-aaa-user wrong-password command in the AAA view to disable the lock function.
- Check whether the SSH server status on the server is normal.
- Log in to the device through a console port and run the display ssh server status command and ensure the following settings are correct:
- STelnet service status
- Timeout interval for SSH authentication
- SSH server port number
<AC> display ssh server status
SSH version                         :2.0
SSH connection timeout              :60 seconds   //Timeout interval for SSH connection authentication.
SSH server key generating interval  :0 hours
SSH authentication retries          :3 times
SFTP server                         :Disable
Stelnet server                      :Disable      //The STelnet service is disabled.
SSH server port                     :1026         //The server port has been changed. The default port number is 22, which is not displayed.
SSH server source interface         :All
- If the STelnet service is disabled, run the stelnet server enable command in the system view to enable it.
- When the weak-encryption-algorithm plug-in is installed, check whether the SSH client uses an earlier protocol version. If the client's protocol version is later than or equal to 1.3 and earlier than 1.99, run the ssh server compatible-ssh1x enable command in the system view to make the SSH server compatible with earlier versions.
- If the SSH authentication timeout interval is too short, users will fail to log in to the SSH server. Run the ssh server timeout seconds command in the system view to change the SSH authentication timeout interval.
- Ensure that the port number used by the SSH client is consistent with that of the SSH server. An SSH client can log in without specifying a port number only when the SSH server listens on port 22. If the SSH server uses another port, the client must specify that port when logging in; for example, set the port number to 1026 in PuTTY when the server port has been changed to 1026.
If the default port number is used for SSH login, you need to delete the configuration of changing the server's port number from the device.
[AC] undo ssh server port
Warning: The operation will disconnect all online users. Continue? [Y/N]:y
Info: Succeeded in changing SSH listening port.
- Check whether the VTY user interface configuration is correct.
Log in to the device through the console port. Check the VTY configuration, and ensure that the SSH protocol and AAA authentication have been configured for VTY channels.
The following example shows that AAA authentication and the SSH protocol have been configured.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 authentication-mode aaa     //The AAA mode has been configured.
 protocol inbound all        //The SSH protocol has been bound.
user-interface vty 16 20
 protocol inbound all
#
If the SSH protocol is not bound, perform the following operations:
[AC-ui-vty0-4] protocol inbound ssh
or
[AC-ui-vty0-4] protocol inbound all
- Check whether the SSH user configuration on the server is correct.
- Run the display ssh user-information command in any view to check whether the SSH user exists on the server.
<AC> display ssh user-information
-------------------------------------------------------------------------------
Username          Auth-type       User-public-key-name
-------------------------------------------------------------------------------
admin             password        null
-------------------------------------------------------------------------------
The Username field displays the SSH user name. Based on this field, check whether the current user is displayed in the command output.
If the current user is not displayed in the command output, perform the following operations to add the user:
<AC> system-view
[AC] aaa
[AC-aaa] local-user test password irreversible-cipher huawei@123
[AC-aaa] local-user test service-type ssh
- Check whether the IP address of the client is permitted.
<AC> display current-configuration | include ssh
ssh server permit interface GigabitEthernet0/0/1   //Allow the client to connect to GigabitEthernet0/0/1 on the SSH server but restrict the connection to other interfaces.
By default, clients can connect to all physical interfaces on the SSH server. You can run the undo ssh server permit interface command in the system view to restore the default physical interfaces on the SSH server to which clients can connect.
- Check whether a public key is configured on the device.
To avoid logging in to a bogus SSH server, the client verifies the SSH server's digital signature during login. If the server's public key is not saved on the client, or the saved key is incorrect, server identity verification fails and the login through the client fails. Therefore, before a user logs in from the client, create a key pair on the server and save the server's correct public key on the client. A login failure may also be caused by a missing or incorrect key pair on the device, so configure and generate a local key pair first. Check whether a key pair has been generated on the device as follows:
- Run the following command to check whether the RSA public key is configured on the device.
[AC] display rsa local-key-pair public
Info: Local key pair is not generated.   //The RSA public key is not configured.
- Run the following command to check whether the ECC public key is configured on the device.
[AC] display ecc local-key-pair public
Info: Local key pair is not generated.   //The ECC public key is not configured.
If no public key is configured for the server, perform the following operations to generate an RSA or ECC key pair:
[AC] rsa local-key-pair create   //Create an RSA public key.
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
[AC] ecc local-key-pair create   //Create an ECC public key.
Info: The key name will be: AC6605_Host_ECC.
Info: The ECC host key named AC6605_Host_ECC already exists.
Warning: Do you want to replace it ? [Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
- Check whether an ACL is bound to VTY user interfaces on the SSH server.
Check the VTY configuration to determine whether an ACL rule is bound to VTY user interfaces.
For example, run the display this command to check whether an ACL has been bound to VTY 0 to VTY 4.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 acl 3000 inbound           //Bind ACL 3000.
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
If an ACL is configured, check whether the IP address of the SSH client is denied in the ACL. If the IP address is denied, delete the deny rule in the ACL view, and modify the IP addresses of clients that are permitted in the ACL.
For example, an ACL is configured on the device and a deny rule is configured for the IP address (192.168.1.3) of an SSH client.
[AC-ui-vty0-4] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny tcp source 192.168.1.3 0
[AC-ui-vty0-4] quit
Modify the ACL to allow the IP address of the SSH client to access the device.
[AC] acl 3000
[AC-acl-adv-3000] undo rule 5
[AC-acl-adv-3000] rule 5 permit tcp source 192.168.1.3 0
[AC-acl-adv-3000] display this
#
acl number 3000
 rule 5 permit tcp source 192.168.1.3 0
#
return
- Ensure that the encryption/decryption algorithm used by the SSH client matches that on the device.
- To ensure device security, some insecure encryption algorithms are disabled by default. To enable an insecure algorithm, first load the weak-encryption-algorithm plug-in, then run the following commands:
<AC> system-view
Enter system view, return user view with Ctrl+Z.
[AC] ssh server secure-algorithms cipher aes256_ctr aes128_ctr 3des aes128 aes256_cbc
Info:Insecure encryption algorithm is enabled,It is recommended to disable the insecure encryption algorithm.
[AC] ssh server secure-algorithms hmac sha2_256 md5 md5_96 sha1 sha2_256_96 sha1_96
Info:Insecure encryption algorithm is enabled,It is recommended to disable the insecure encryption algorithm.
[AC] ssh server key-exchange dh_group14_sha1 dh_group1_sha1 dh_group_exchange_sha1
Info:Insecure exchange algorithm is enabled,It is recommended to disable the insecure exchange algorithm.
- Replace the SSH client with a new one, such as PuTTY of the latest version.
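The algorithm-mismatch cause is easiest to confirm from the client side before any device setting is changed. The script below is an added example, not part of this page or of the device software: it reads the server's SSH_MSG_KEXINIT over a plain TCP connection (RFC 4253, section 7.1) and reports, per category, which client algorithm the server also offers; a None marks the category that would make key exchange fail. All function names are the example's own, and the algorithm names compared are SSH wire names (for example aes256-cbc), which differ from the device's CLI spellings (aes256_cbc).

```python
import socket
import struct

# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, 7.1), following the
# message id byte (20) and the 16-byte random cookie.
KEX_FIELDS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
              "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode name-lists as a KEXINIT payload (used to construct offline test input)."""
    out = bytes([20]) + b"\x00" * 16                    # message id + cookie
    for name in KEX_FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)         # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in KEX_FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += 4 + n
    return lists

def negotiate(server, client):
    """Per negotiated category, the first client-preferred algorithm the server
    also offers, or None when the lists are disjoint (the key exchange fails)."""
    return {f: next((a for a in client.get(f, []) if a in server.get(f, [])), None)
            for f in KEX_FIELDS[:6]}

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange version strings and return the server's KEXINIT payload.
    The first packet is unencrypted: uint32 length, byte padding_len, payload, padding."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexcheck_0.1\r\n")
        rd = sock.makefile("rb")
        while True:                                     # skip any pre-banner lines
            line = rd.readline()
            if not line:
                raise ConnectionError("no SSH version string received")
            if line.startswith(b"SSH-"):
                break
        (length,) = struct.unpack(">I", rd.read(4))
        pad = rd.read(1)[0]
        return rd.read(length - 1)[:length - 1 - pad]
```

Run it as negotiate(parse_kexinit(fetch_server_kexinit(host, port)), client_lists), where client_lists holds the client's own algorithm lists and port is the value shown by display ssh server status. A refused or timed-out TCP connection points at the port, ACL or firewall checks on this page rather than at the algorithms.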
- Check whether management plane separation is configured.
For devices with management interfaces, such as AC6605, ACU2, and AC6805, check whether management plane separation is enabled. If this function is enabled, the system prohibits users from accessing the management plane through service interfaces. That is, users fail to log in to the device through non-management interfaces.
By default, management plane separation is enabled on a device. To log in to the device through a service interface, run the mgmt isolate disable command to disable management plane separation.
- Run the display mgmt interface command to check the management network port of the current device. Check whether the user logs in to the device through a non-management port.
# Display the management interface on the device.
<AC> display mgmt interface
---------------------------------------------------------------------------------
Interface name
---------------------------------------------------------------------------------
MEth0/0/1
---------------------------------------------------------------------------------
Count:1
- (V200R019C10 and later versions) Check whether the source interface of the SSH server is configured.
In V200R019C10 and later versions, if the AC's source interface is specified, users can log in to the AC only through the specified interface.
By default, no source interface is specified. According to the factory configuration file, for a device with an Ethernet management interface, the default source interface is the Ethernet management interface; for a device without an Ethernet management interface, the default source interface is VLANIF 1.
To reconfigure the source interface of the SSH server, run the ssh server-source -i { interface-type interface-number | all } command.
- After the parameter interface-type interface-number is specified, the connection to the device through any other interface is torn down.
- After the parameter all is specified, users can log in to the device through any interface. This configuration is not recommended due to low security.
- Check whether the SSH interface is disabled by the firewall.
- Run the display network status all command to check which interfaces and services are enabled on the network.
<AC> display network status all
Proto  Task/SockId  Local Addr&Port      Foreign Addr&Port    State
TCP    VTYD/1       0.0.0.0:23           0.0.0.0:0            Listening
TCP    VTYD/3       10.23.23.1:23        10.23.23.201:4332    Established
TCP6   VTYD/2       ::->23               ::->0                Listening
UDP    NTPT/1       0.0.0.0:123          0.0.0.0:0
UDP    AGNT/1       0.0.0.0:161          0.0.0.0:0
UDP    RDS /1       0.0.0.0:1812         0.0.0.0:0
UDP    WEB /1       0.0.0.0:2000         0.0.0.0:0
UDP    L2_P/1       0.0.0.0:40000        0.0.0.0:0
UDP    NAP /1       0.0.0.0:53535        0.0.0.0:0
UDP6   NTPT/2       ::->123              ::->0
UDP6   AGT6/1       ::->161              ::->0
- Check the firewall policy to determine whether the Telnet or SSH interface is disabled.