What is new!
Release 0.32, July 2024
Features
- Fixed Client delete reasons
- 230135: Usage of specific SUDI trust point in webauth may cause performance issues
- Updated recommended ROMMON and code versions
- Per user feedback, now AP profile checks are applied, even if the profile has no APs joined
- 230136: Warning if FT or OKC are in use, and Default site tag is on flex mode with more than 2 APs joined
- 230137: Warning if this is a medium/large deployment and AP load balancing method is not in use
- 230138: Warning when more than 3000 clients are present, and half of them are on same WNCD
- Improved check 20053, and converted into 20053 to 20055 to have one warning per slot ID (original check did not include slot number)
- New checks 20057, 20058, to warn if AP is using medium or low power
- New multiprocessing parsing engine. Speed gains up to 80% in large files, especially in AireOS
- 230131, warns if 802.11h CSA is disabled
- 230132, warns if http max-connect is set on webauth map
- 230133, Usage of specific SUDI trust point in Local EAP may cause performance issues
- 300004, error if VLAN name mapping from policy profile, is missing in Flex profile. This would cause WLAN not to be pushed to AP
- Added WLC SN to summary data
Fixes
- 240034: skip check if version has the fix
- 230070: improved error reporting, to indicate which policy profile is missing
- Different typos across messages
- 230072: Fixed false positive, if WLAN is using FT_802.1X or DOT1X_SHA256 instead of legacy 802.1X
- 240036: Fixed false positive if SAE is not in use
- 290001: False positive caused by overlap of new AP Proxy support feature
- AP Profile prim/sec controller address support IPv6 or v4 addresses
- 230051: adjusted warning for use of default site tags with large AP counts (>200)
- 230049: more than 4 WLANs per radio, fixed count of WLAN to be done per frequency band, not in total per policy tag
- Prevents Excel format errors when debug data is exported for AireOS
- Handles error in Allowed channel list exception
- Adjusted message text for 230130 about IOS AP support changes
- Updated text on 20025 for AP expired certs
- Exception during corrupted Flex profile parsing
- Modified certificate expiration check, to differentiate "expiring in 60 days" from already expired certs
Release 0.18, December 2023. 5 new checks, several fixes
Features:
- Speed gain for IOS-XE file parsing (up to 90% faster). No changes in processing/report generation
- Support for IOS-XE 17.13
- Support for Mac OS 14.x
- New checks: 230124, 230125 for HTTP access class as best practices (IPv6/ipv4)
- New Mesh check: 270004 Warns if link SNR is lower than 12
- New Mesh check: 270005 Warns if RAP is connected over wireless backhaul and not ethernet
- New Mesh check: 270006 validates if all APs in a sector have same regulatory domain
- New Mesh check: 270007 informs if there are more than 4 hops for a given MAP
Fixes:
- Exception on IOS-XE check if multicast address parsing failed (invalid file)
- Removed unnecessary processing error for 240035, when WLAN has no WPA2 policy defined
- Fixed 230098 detection (SNMPv1 trap destination)
- Debug bundle failed to find file properly, if command separator was a lower slash
- Exception while doing RF health calculation, if radio did not have mac address (corrupted source file)
- Exception when version line is split, leading to incorrect parsing
- Exception if FRA interval is null
- XLS generation error during 6GHz radio reporting
- Fix on nearby exception handling
- Fix on AireOS reporting missing radio due to 2800 showing 3 radios slots, when it only has 2 (third is monitoring, not in file)
- Missing radio types in AireOS definitions (this was marking valid radios incorrectly)
- Client state parsing was including client summary data incorrectly
- Missing 6GHz RFstats export in JSON
- Corrections on IOS-XE recommended and deferred code listing
v0.17
Features - 9800:
- New Check 230118, warns if pubkey has less than 2048 bits (needs 17.12)
- New Check 230119, warns if a large number of pubkeys have been created (provisioning problem)
- New Check 250028, checks if IP mac binding is disabled, and policy profile is using L3 features that require it
- New Check 230120, warns if DTLS 1.0 is disabled, which could prevent IOS and some older APs from joining
- New Check 230121, informational message if cipher ECDHE-RSA-AES128-GCM-SHA256 is not enabled, and version is 17.12 or higher, as it could prevent AP downgrade scenarios
- New Check 240034, in Flex local switching, AKM 802.1x-256 does not support fast roaming or OKC on some client types
- Added new option, to override automatic file type detection. Useful when file has long text at the beginning (banner, or other not-relevant data)
- New Check 290006, BSSID Neighbor stats warning, if the feature is enabled with less than 180 seconds interval
- Changes to AP RF Summary page, it now includes Channel width, and neighbor overlapping on secondary channel count
- New Check 230122, validates ending character in hostname for DNAC interoperability
- Updated ROMMON version recommendations
- New Check 230123, warning if certificate has less than 60 days of lifetime remaining
- New report tab for 9800: all controller certificates
Fixes:
- Parsing error on policy profile for corrupted config files
- NDP report not getting generated
- Exception in client audit, if DCA interval is None
- Exception on XLS export if there are no client delete reason entries
- Exception if version number is None
- False positive on 230033 in some default scenarios (VRF count)
v0.16
Fixes issue on check 20021, AP default gw check, intf check
Fixed file reference breaking some of the packaging options when installing as library
Features:
- Added tracking of AP models, per tag combination, included in Policy Usage report tab
- New check 250026: Warns if IOS AP is mapped to a policy profile with Fabric
- New check 240032: Warns if IOS AP is mapped to a WLAN profile with WPA3
- New check 250027: Error reported if policy profile name has special characters, and version is lower than 17.12
- Added hypervisor info in controller data summary tab, if available (9800-CL/17.9+)
- New check 230116: Warns if WMI is using DHCP addressing
- New check 240033: Warns WLAN has radio dot11 commands, to ensure migration to dot11 policy CLI before deprecation
- Added handling when AP radio has failed regulatory domain check (Join profile config setting)
- New check 230117: Error reported if a RW file system has less than 10% of free disk space
Fixes:
- Incorrect grouping of AP tag names, in the RF Neigh. report
- Exception on band name in Vocera audit
- Exception when handling 16.10 incomplete files
- Exception on uptime processing in case of invalid date present
- Error on client audit, when 5.5 rate was enabled
- RF summary report had tool tips off by 1 column
- Exception if Client delete reasons section had no data
- Cochannel statistic was not filtering for only neighbors in channel, leading to incorrect high counts
- Important fix on 17.9.2+ AP summary list. New IOS-XE
- Radio with 5/6 GHz support was being marked as invalid
- Fixed RMI command parsing if controller is using IPv6
Release 0.14, April 23. Focus on fixes
Fixes:
- Incorrect parsing of tunnel eogre parameters, leading to missing RF profile in run-config
- Incorrect parsing for 6GHz RF profiles
- Added 9136/916x for Fastlane+ support in Apple client audit
- Vocera audit errors for data rates
- Client profiling name parsing failing if it was longer than 32 characters
- Added improved 17.9 parsing
- Exception during XLS report if WLAN profile was missing in policy tag
Release 0.13, March 23. RF Health Improvements, new checks
Features:
- RF Health metric for Radio utilization has been modified: it now evaluates the AP/Client generated utilization against what is present in the channel from other sources. This prevents false positives due to valid client activity
- New RF Health metric for Channel changes per day: it correlates channel changes against days of uptime, and flags if there are more than 4 channel changes a day, with 12/day as worst score
- Rework of check 230052: Flex AP count per site tag for PMK distribution. This is now correctly based on the count of APs per site, and it checks whether the High Scale distribution feature is enabled or not
- Cosmetic changes to Table of Content on XLSX report
- Cosmetic changes to GUI button placement
- New Check 230110, warns if SSH key is less than 2048 bits
- New Check 230111, Validates that RMI and WMI are on same subnetwork
- New Check 230112, Checks if WLAN is shared across policy profiles, and all AVC profiles are same
- Updated recommended IOS-XE Versions
- New Check 230115: Warns if RF profile name is correct on each RF tag
- New checks 230113/230114: Validate Rommon version installed
- New Client Delete Reason report
Fixes:
- Corrected parsing error when "commands" entry was present in run-config
- Incorrect state for MLD snooping if command is missing
- Added support for NTP IPv6 servers, correcting false positive of lack of time sync
- Fix error if uptime is null
- RFHealth was not calculated for slot1, etc, if slot0 was on monitor mode
- Invalid Channel changes per day calculation, if uptime was just one day (was set to zero)
- Incorrect parsing of show version values (PID, Confreg, etc)
Release 0.12, December 22. Lots of new checks
Features:
- 9800: new check 240030, warns if WLAN profile name has 32 characters
- 9800: new check 230107, warns if SSC token is configured for controllers with embedded cert (non-CL)
- 9800: new check 230108, validates that Trustsec and RMI are not used together
- Added new Best Practices report: shows how many BP checks there are, and which entries are missing for your configuration, with a direct link for easy navigation to the Check report page
- 9800: Shows AP count in tag view report (how many APs are using each tag/policy combination)
- 9800: Adds check for last run time in BSS Color for 6GHz
- 9800: new check 230106, if WMI is pointing to invalid interface name
- AireOS: shows password policies in controller tab
- All AP lists are now sorted alphabetically
Fixes:
- Exception handling 16.10 versions
- Minor readability changes in AP checks report
- Prevent exception if active client info is not present
- Message 20031 was reported in error for 9800, this check is now disabled, unless it is AireOS controller (new check is needed at flex profile level)
- Updated GUI library to solve the Mac OS Ventura issue
- Predicted power level in 6GHz dBm was off by one level when current power matching one entry on 6GHz table
- Improved parsing of AP CDP entries, to avoid reporting duplicate names as errors if using non-Cisco switches
- Fixed multiple typos across the checks/messages
Release 0.10, October 22. Focus on Load analysis
This release brings 7 new checks focused on 9800 Radius load and mDNS, and adds several new tables to better understand 9800 load scenarios and AP group usage in AireOS, and to extract AP related configuration for analysis or lab use
New checks:
- 9800: new mDNS check, 230103, warns if mDNS GW is enabled, but not in use on any active WLAN
- 9800: new mDNS check, 230104, checks if there are more than 128 mDNS wired services, to prevent high CPU load issues
- 9800: new mDNS check, 230104, checks if there are more than 128 mDNS wired services per VLAN, to prevent high CPU load issues
- 9800: new mDNS check, 250025, validates that location filtering is enabled across all the mDNS service profiles
- 9800: new mDNS check, 240030, warns if WLAN/Policy profile are using the default mDNS service profile
- 9800: Two checks: 230101, warning if radius server is down, and 230102, which generates a warning if the server is Up, has more than 100 requests, and more than 40% of them are timeouts
WNCD Load visualisation - 9800
Performs aggregation across tags, for every AP, adding radio client counts. Also, if using latest 17.3/17.6/17.9 versions, it can include per-WNCD CPU load. This is intended as an analysis tool, to isolate where possible WNCD load may be coming from, and to evaluate in detail client counts per tag. This can be leveraged to do proper static wncd-tag configuration in 17.10, or manual split via tag customisation in previous versions. Expanding the WNCD row shows the AP/Client counts per associated tag
mDNS Browser - 9800
This new report adds a "navigation" view into mDNS services being learned by the IOS-XE controller. It can show detailed service counts per VLAN (wired) or per WLAN (wireless). This can be used to isolate where additional filtering may be needed, or to identify potential sources of high CPU load due to misconfigured mDNS service policies. You can expand each entry to see individual services
AAA Report - 9800
Displays stats for all radius servers, and highlights those with timeouts for more than 30% of requests. This is intended to help detect typical high load scenarios, where radius servers could not cope with accounting or profiling requests
Improved readability for AP checks report
Instead of displaying all AP names impacted per each check, the report now shows a summary with AP counts. If needed, you can expand the row to see the individual APs impacted
New Summary view for AireOS AP Groups
You can now visualize each AP group, APs count associated to it, and WLANs in use, RF profiles, etc, all in one page
AP config Export - 9800
When using the AP Config tab, each AP name will contain a note, with all the applicable configuration profiles for that AP. You can "right-click" and select "Show/Hide Note" to make it permanent, and copy it to another application if needed. This can be used for lab testing, config comparison, etc