412 CCNA Wireless Official Exam Certification Guide
Status Code 0
Session Timeout 0
Client CCX version No CCX support
Mirroring Disabled
QoS Level Silver
Diff Serv Code Point (DSCP) disabled
802.1P Priority Tag disabled
WMM Support Disabled
Mobility State None
Mobility Move Count 0
Security Policy Completed No
—More— or (q)uit
Policy Manager State START
Policy Manager Rule Created Yes
NPU Fast Fast Notified No
Policy Type N/A
Encryption Cipher None
Management Frame Protection No
EAP Type Unknown
Interface management
VLAN 0
Client Capabilities:
CF Pollable Not implemented
CF Poll Request Not implemented
Short Preamble Not implemented
PBCC Not implemented
Channel Agility Not implemented
Listen Interval 0
Client Statistics:
Number of Bytes Received 0

Number of Bytes Sent 0
Number of Packets Received 0
Number of Packets Sent 0
Number of Policy Errors 0
Radio Signal Strength Indicator Unavailable
—More— or (q)uit
Signal to Noise Ratio Unavailable
Nearby AP Statistics:
TxExcessiveRetries: 0
TxRetries: 0
RtsSuccessCnt: 0
RtsFailCnt: 0
TxFiltered: 0
TxRateProfile: [0,0,0,0,0,0,0,0,0,0,0,0]
Research_Lab-AP(slot 0)
Example 20-2 Viewing Client Details (continued)
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 412
Chapter 20: Troubleshooting Wireless Networks 413
antenna0: 5 seconds ago -93 dBm antenna1: 4293918453 seconds ago
-128 dBm
Lobby-AP(slot 0)
antenna0: 4293918453 seconds ago -128 dBm antenna1: 5 seconds ago -94 dBm
Although this information is valuable, it is important to note that it is static. In other
words, the information you gain from show commands gives you the state or the condi-
tions of the network at the time that you enter the command. If you require real-time in-
formation, debugs come in handy.
If you have come from the routing world, you are probably familiar with the use of debug
commands and how invaluable they are in troubleshooting. If you are working your way
through the certification program, and you are doing it in order (CCNA > CCNA Wire-
less), then you learned in the CCNA curriculum how a debug command is used in some

basic troubleshooting scenarios. The concept of debug commands carries over here to the
wireless space. Available only from the CLI, debug commands can be used on the con-
troller to help troubleshoot issues. The principle in the use of debug commands is the
same:
■ Do not leave them on, because they are CPU intensive.
■ Be prepared to turn them off. Sometimes the output is overwhelming.
■ Debug commands take priority over other processes on the controller.
If you think that some debug commands might already be enabled, use the show debug
command to verify that notion. One fail-safe that is in place is that if you do turn on a
debug command and forget about it, the debug becomes disabled when the CLI session
times out. Although this is a good fail-safe, you should still turn your debug commands
off when you are done with them. To see a list of the available debug commands, use the
debug ? command, as seen in Example 20-3. You can use this to determine which debug
command is appropriate for the situation; for example, if you are troubleshooting a port-
based authentication problem, you might enable debug dot1x.
Example 20-3 Viewing Available debug Commands
(Cisco Controller) >debug ?
aaa Configures the AAA debug options.
airewave-director Configures the Airewave Director debug options
ap Configures debug of Cisco AP.
arp Configures debug of ARP.
bcast Configures debug of broadcast.
cac Configures the call admission control (CAC) debug options.
cdp Configures debug of cdp.
crypto Configures the Hardware Crypto debug options.
dhcp Configures the DHCP debug options.
client Enables debugs for common client problems.
disable-all Disables all debug messages.
continues
Example 20-2 Viewing Client Details (continued)

23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 413
414 CCNA Wireless Official Exam Certification Guide
dot11 Configures the 802.11 events debug options.
dot1x Configures the 802.1X debug options.
iapp Configures the IAPP debug options.
ccxrm Configures the CCX_RM debug options.
ccxdiag Configures the CCX Diagnostic debug options.
locp Configures the LOCP debug options.
l2roam Configures the L2 Roam debug options.
l2age Configures debug of Layer 2 Ago Timeout Messages.
lwapp Configures the LWAPP debug options
mac Configures MAC debugging
More or (q)uit
To really hone in on where the issues are, you can use debug commands for a specific AP
or a specific client. This requires placing the controller into client troubleshooting mode.
To do this, begin by telling the controller, by way of a CLI command, that you want to de-
bug for a specific MAC address. For example, to tell the controller that it will be debug-
ging for MAC address 00:1a:a2:f9:ed:d0, enter the following:
(Cisco Controller) >debug mac addr 00:1a:a2:f9:ed:d0
The next step is to tell the controller which debug to use for that particular MAC address.
For example, if you want to debug LWAPP events for the MAC address 00:1a:a2:f9:ed:d0,
use the debug lwapp command as shown here:
(Cisco Controller) >debug lwapp events enable
To verify that the debug command is enabled, use the show debug command, as seen in
Example 20-4.
Example 20-4 Verifying Enabled Debugs
(Cisco Controller) >show debug
MAC address 00:1a:a2:f9:ed:d0
Debug Flags Enabled:
arp error enabled.

bcast error enabled.
lwapp events enabled.
lwapp errors enabled.
Then you wait for an LWAPP event to occur. In Example 20-5, an LWAPP event has oc-
curred, and a message has been sent to the console.
Example 20-5 Controller Debug Output
(Cisco Controller) >Wed Jun 25 19:50:50 2008: 00:1a:a2:f9:ed:d0 Received LWAPP
ECHO_REQUEST from AP 00:1a:a2:f9:ed:d0
Wed Jun 25 19:50:50 2008: 00:1a:a2:f9:ed:d0 Successfully transmission of LWAPP
Echo-Response to AP 00:1a:a2:f9:ed:d0
Wed Jun 25 19:50:50 2008: 00:1a:a2:f9:ed:d0 Received LWAPP PRIMARY_DISCOVERY_REQ
from AP 00:1a:a2:f9:ed:d0
Key
Topi
c
Key
Topi
c
Example 20-3 Viewing Available debug Commands (continued)
Key
Topi
c
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 414
Chapter 20: Troubleshooting Wireless Networks 415
Wed Jun 25 19:50:50 2008: 00:1a:a2:f9:ed:d0 Received LWAPP RRM_DATA_REQ from AP
00:1a:a2:f9:ed:d0
Wed Jun 25 19:50:50 2008: 00:1a:a2:f9:ed:d0 Successfully transmission of LWAPP
Airewave-Director-Data Response to AP 00:1a:a2:f9:ed:d0
Wed Jun 25 19:51:14 2008: 00:1a:a2:f9:ed:d0 Received LWAPP RRM_DATA_REQ from AP
00:1a:a2:f9:ed:d0

Wed Jun 25 19:51:14 2008: 00:1a:a2:f9:ed:d0 Successfully transmission of LWAPP
Airewave-Director-Data Response to AP 00:1a:a2:f9:ed:d0
The actual output of the debug in the example is pretty normal. What is important, how-
ever, is that you understand how to enable the debug process, verify it, and turn it off. To
disable the debug process, use the debug disable-all command, as seen in Example 20-6.
First the debug process was verified with the show debug command, and then it was dis-
abled. After the debug process was disabled, the command show debug was again used to
verify that it was in fact disabled.
Example 20-6 Verify the Enabled Debugs
(Cisco Controller) >show debug
MAC address 00:1a:a2:f9:ed:d0
Debug Flags Enabled:
arp error enabled.
bcast error enabled.
lwapp events enabled.
lwapp errors enabled.
(Cisco Controller) >debug disable-all
(Cisco Controller) >show debug
MAC debugging disabled
Debug Flags Enabled:
(Cisco Controller) >
When you let the session time out, even though it turns off the debug command, it still
leaves the command to perform client troubleshooting, as seen in Example 20-7. This
means that if you enable a new debug command, it only debugs for the client you specify.
Example 20-7 Command to Perform Client Troubleshooting Remains
Connection to 192.168.1.50 closed.
terminal$:
terminal$:
terminal$:ssh 192.168.1.50
continues

Example 20-5 Controller Debug Output (continued)
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 415
416 CCNA Wireless Official Exam Certification Guide
(Cisco Controller)
User: admin
Password:*****
(Cisco Controller) >show debug
MAC address 00:1a:a2:f9:ed:d0
Debug Flags Enabled:
As you can see, the connection was closed, essentially timing out. After authenticating
again to the CLI of the controller, the show debug command was entered. This command
output indicates that the MAC address 00:1a:a2:f9:ed:d0 is still enabled for client debug-
ging. The point here is that it is always best to turn off debug commands when you are
finished using them. You can also turn off a specific debug command using the disable
option at the end of the command. For example, to turn off the LWAPP debug that was
used in the previous examples, you would use the debug lwapp events disable command.
When you are comfortable turning debug commands on and off, you can explore debug
commands such as debug dot11. The debug dot11 command helps you troubleshoot
802.11 parameters, such as these:
■ Mobility
■ Rogue detection
■ Load balancing events
In Example 20-8, you can see a client that has successfully associated.
Example 20-8 A Successful Association
Fri Aug 8 15:32:54 2008: 00:1e:c2:ab:14:26 apfPemAddUser2 (apf_policy.c:209)
Changing state for mobile 00:1e:c2:ab:14:26 on AP 00:1a:a2:f9:ed:d0 from
Associated to Associated
Fri Aug 8 15:32:54 2008: 00:1e:c2:ab:14:26 New client (policy)
Fri Aug 8 15:32:54 2008: 00:1e:c2:ab:14:26 Stopping deletion of Mobile Station:
(callerId: 48)

Fri Aug 8 15:32:54 2008: 00:1e:c2:ab:14:26 Sending Assoc Response to station on
BSSID 00:1a:a2:f9:ed:d0 (status 0)
Fri Aug 8 15:32:54 2008: 00:1e:c2:ab:14:26 apfProcessAssocReq (apf_80211.c:4149)
Changing state for mobile 00:1e:c2:ab:14:26 on AP 00:1a:a2:f9:ed:d0 from
Associated to Associated
Fri Aug 8 15:32:54 2008: 00:1e:c2:ab:14:26 802 new client 00:1e:c2:ab:14:26
Example 20-5 Command to Perform Client Troubleshooting Remains (continued)
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 416
Chapter 20: Troubleshooting Wireless Networks 417
Figure 20-1 Viewing the Client Summary
Fri Aug 8 15:32:55 2008: 00:1e:c2:ab:14:26 LBS Client data rcvd from AP
00:1a:a2:f9:ed:d0(0) with RSSI (A -128, B -36), SNR 57
Fri Aug 8 15:32:55 2008: 00:1e:c2:ab:14:26 LBS change cur RSSI B -44 , prev -47,
send notify
In this small output, you can see that the client has become associated. One aspect of
troubleshooting might involve connectivity. With this output, you can see that the client
is in fact associated. If the client still has connectivity issues, you would want to start
looking at the wired network, working your way from the controller, then to the switch,
then to the next hop router, and so on.
You can also use debugs such as debug dhcp if you are having issues with clients obtain-
ing IP addresses. If you are having authentication issues, you might use the debug aaa or
debug dot1x commands.
Using the Controller Interface
The controller has several tools to help troubleshoot. From the controller interface, you
can use controller logs, SNMP to alert administrators to current issues, and the Tech Sup-
port Pages. In the section “Using the CLI to Troubleshoot,” you looked at output of a
client that was trying to associate. You can see a web interface equivalent to the show
client summary command in Figure 20-1.
Key
Topi

c
Example 20-8 A Successful Association (continued)
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 417
418 CCNA Wireless Official Exam Certification Guide
Figure 20-2 Viewing the Controller Logs
Here you can gain information about the client, the WLAN the client is on, and other
valuable information for troubleshooting.
Using the Controller Logs
Another valuable resource is the controller logs. Controller logs allow you to see events
that have occurred at various levels. You probably want to send these to a Syslog server,
butyoucanviewthemonthecontrollerbygoingtoMANAGEMENT > Logs > Mes-
sage logs. Figure 20-2 shows just a sample of the information that you can obtain here.
To change the way logging is configured, browse to MANAGEMENT > Logs > Config.
This configuration page is shown in Figure 20-3. You cant see it inf Figure 20-3, but by se-
lecting the Syslog check box, you can point to an external server by entering the address
in the Syslog Server IP Address field.
Note: If you do not already have a Syslog server, you can download kiwi from http:/
/www.kiwisyslog.com. Kiwi is a free Syslog server that many people use.
In addition, from the Syslog Configuration page, you can set the level of logging by
changing the facility levels. These levels control how much information is captured. In
general, the larger the facility number, the more information that is recorded; however, this
is not always the case. Table 20-2 shows the available facility levels.
Key
Topi
c
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 418
Chapter 20: Troubleshooting Wireless Networks 419
Table 20-2 Available Facility Levels
Facility Name Facility Level
Kernel 0

User Process 1
Mail 2
System Daemons 3
Authorization 4
Syslog 5
Line Printer 6
USENET 7
Unix-to-Unix Copy 8
Cron 9
—10
FTP Daemons 11
System Use 1 12
System Use 2 13
System Use 3 14
System Use 4 15
Local Use 0 16
Local Use 1 17
Local Use 2 18
Local Use 3 19
Local Use 4 20
Local Use 5 21
Local Use 6 22
Local Use 7 23
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 419
420 CCNA Wireless Official Exam Certification Guide
Figure 20-3 Configuring Syslog
You can locally view the logs by selecting MANAGEMENT > Logs > Message logs. The
message logs include information related to the network infrastructure, client issues, au-
thentication issues, and AP association issues. These have relevance to the controller.
Using SNMP

When using SNMP gets/sets, you can obtain information about the status of the controller
and allows you to remotely manage the controller. To set up SNMP, go to MANAGEMENT >
SNMP > General. Here you configure the following parameters, as shown in Figure 20-4:
■ Name
■ Location
■ Contact
■ System Description
■ System Object ID
■ SNMP Port Number
■ Trap Port Number
■ SNMP v1 Mode
■ SNMP v2c Mode
■ SNMP v3 Mode
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 420
Chapter 20: Troubleshooting Wireless Networks 421
Figure 20-4 SNMP Configuration on Controllers
Configuring the Community Strings
When you set up SNMP, two community names exist by default. Public is for read-only
access, and Private is for read/write access. If you have any involvement in security, you al-
ready know that you should change these values. They are well-known values that an at-
tacker can use to gain control of your controller. You can modify the values in the
controller by choosing MANAGEMENT > SNMP > Communities.
You can also set the SNMPv3 users and trap receivers. Although it is not covered here, it
is recommended that you use SNMPv3, because it is the most secure method at the mo-
ment.
To view the SNMP trap logs, go to MANAGEMENT > SNMP > Trap Logs. Figure 20-5
shows a sample of the SNMP trap logs.
You can use these trap logs to troubleshoot client association failures and AP association
failures. The trap logs generate a reason code that can point you in the right direction to
correct the issue. Another way to refine the information you receive is by using the Trap

Controls found at MANAGEMENT > SNMP > Trap Controls. Here you can control
what events generate a trap.
23_1587202115_ch20.qxp 9/29/08 2:43 PM Page 421