How to debug client roaming - the 'deep dive'

Aaron · ‎04-18-2013

If a wireless client is having problems roaming, it may be necessary to perform a "deep dive" data capture. This will involve:

capturing information regarding the environment
reproducing the problem, while collecting:
- packet capture from the client under test
- wireless sniff from channels in use near the client
- debugs from the APs involved
- debugging from the wireless LAN controller(s) to which the AP(s) are joined
- possibly also wired capture from the APs' and/or WLC's switchports

In more detail:

capturing information regarding the environment
- collect information on the client under test:
  - manufacturer, model
  - operating system
  - wireless adapter: manufacturer, model, firmware version
  - supplicant, supplicant version
  - if the client is running Windows: get the output of "netsh wlan show all"
- collect information on the wireless infrastructure:
  - WLC model, software version
  - complete "show run-config" output from the WLC (to be used with WLC Config Analyzer)
  - a floormap or similar showing the location where the roaming test is performed, with AP names labeled (e.g. a floor map screenshot from WCS/NCS/PI)
  - site survey data from the location under test can be helpful
reproducing the problem, while collecting:
- packet capture from the client under test
  - be sure that the client is NTP synced to true time
  - nonpromiscuous packet capture from the client's wireless adapter (e.g. Wireshark, tshark, tcpdump)
    - with an Apple iPad/iPhone, can connect the client via USB to a Mac OS X machine and capture the adapter data that way (see https://developer.apple.com/library/mac/qa/qa1176/_index.html)
    - with Windows 7/8, can use Netmon 3.4 (in non-monitor mode), and capture interesting data from the wireless adapter
- wireless sniff from channels in use near the client
  - be sure to NTP sync all sniffers
  - with 2.4GHz, a 1/6/11 sniff is ideal
  - if you don't have enough sniffers for all channels in use, then find out which channels the client is using, or should be using, and monitor those channels
  - lock each sniffer to its channel - do not set the sniffers to scan
  - be sure to NTP sync all sniffers
  - for multichannel sniffing, the following options can be used:
    - OmniPeek Enterprise with multiple Mediatek USB adapters (software from WildPackets)
    - OmniPeek Remote Assistant with multiple Mediatek USB adapters (software available from Cisco TAC)
    - Wireshark with AirPcap from Riverbed
    - multiple Mac OS X laptops, all NTP synced
    - (less preferred) multiple or Mac OS X laptopls, all NTP synced
    - (not recommended) Windows 7 laptops with Netmon 3.4
  - see the 802.11 Wireless Sniffing tip for more details
- if there is possibility of significant non-802.11 interference in the environment (more likely in 2.4GHz than in 5GHz), then get a a spectrum capture near the location of concern during the the time of concern. This could be done with Spectrum Expert with CleanAir APs (or with a Cognio Cardbus card), or with Chanalyzer from Metageek.
- debugs from the APs involved
  - ideally, you will set up a syslog server that all APs can talk to, and configure the APs to send their debug output to that server. This will enable all AP debugs to be nicely sequenced.
  - alternatively, you can run terminal sessions into all of the APs:
    - telnet or ssh into all APs in the roaming path
    - log each telnet/ssh session
    - set "terminal monitor" in each session
  - enter the following commands into each AP:
  - debugging from the wireless LAN controller(s) to which the AP(s) are joined
    - telnet/ssh into the WLC(s)
    - log each telnet/ssh session
    - make sure that your WLC is NTP synced, with the minimum 3600 second interval
    - enter the following commands:
      config session timeout 160
      debug client hh:hh:hh:hh:hh:hh
      debug mobility handoff enable (only if multiple WLCs are in use)
- possibly also wired capture from the APs' and/or WLC's switchports
  - NTP sync all wired sniffers
  - if the switchport uses 802.1Q tagging, configure the sniffer's LAN adapter to capture VLAN tags (see http://wiki.wireshark.org/CaptureSetup/VLAN)
- start a continuous ping (e.g. a Windows ping -t) to the client under test, from a wired station in or near the wireless client's subnet
- now reproduce the problem.
- make a note of what time the problem happened, where the client under test was when the problem occured, what symptoms the client experienced (ping latency, ping drops), etc.
- stop the packet capture on the client under test, the wireless sniffer(s), the debugs on the APs, the debugging on the WLCs, the wired sniffers (if in use)
- from each AP, collect: "show controller dot11radio0" (or dot11radio1)
- from the WLC, collect: "show msglog"
- collect all of:
  - the note describing the event
  - the writeup describing the client device
  - the show run-config output from the WLC(s)
  - the map showing the area of interest
  - the nonpromiscuous capture from the client adapter
  - any other info from the client
    - If Windows 7, the output of "netsh wlan show all"
    - If Windows 10, the output of "netsh wlan show wlanreport"
  - the wireless sniffer captures (unfiltered, but do not include gigantic files that do not correspond to the time of interest)
  - the spectrum capture, if any
  - the AP log files
  - the WLC debugs/log files
  - the wired sniffer capture(s) if in use
- zip all of these up together
Upload this data to your TAC case

Kamaljeet Singh · ‎05-01-2014

Thank you Aaron for this great post.

Regards

Kamal