Table Of Contents
Alarms and Events
Alarm Dashboard
Setting Search Filters for Alarms
Alarm and Event Dictionary
Notification Format
Traps Added in Release 2.0
AP_BIG_NAV_DOS_ATTACK
AP_CONTAINED_AS_ROGUE
AP_DETECTED_DUPLICATE_IP
AP_HAS_NO_RADIOS
AP_MAX_ROGUE_COUNT_CLEAR
AP_MAX_ROGUE_COUNT_EXCEEDED
AUTHENTICATION_FAILURE (From MIB-II standard)
BSN_AUTHENTICATION_FAILURE
COLD_START (FROM MIB-II STANDARD)
CONFIG_SAVED
IPSEC_IKE_NEG_FAILURE
IPSEC_INVALID_COOKIE
LINK_DOWN (FROM MIB-II STANDARD)
LINK_UP (FROM MIB-II STANDARD)
LRAD_ASSOCIATED
LRAD_DISASSOCIATED
LRADIF_COVERAGE_PROFILE_FAILED
LRADIF_COVERAGE_PROFILE_PASSED
LRADIF_CURRENT_CHANNEL_CHANGED
LRADIF_CURRENT_TXPOWER_CHANGED
LRADIF_DOWN
LRADF_INTERFERENCE_PROFILE_FAILED
LRADIF_INTERFERENCE_PROFILE_PASSED
LRADIF_LOAD_PROFILE_FAILED
LRADIF_LOAD_PROFILE_PASSED
LRADIF_NOISE_PROFILE_FAILED
LRADIF_NOISE_PROFILE_PASSED
LRADIF_UP
MAX_ROGUE_COUNT_CLEAR
MAX_ROGUE_COUNT_EXCEEDED
MULTIPLE_USERS
NETWORK_DISABLED
NO_ACTIVITY_FOR_ROGUE_AP
POE_CONTROLLER_FAILURE
RADIOS_EXCEEDED
RADIUS_SERVERS_FAILED
ROGUE_AP_DETECTED
ROGUE_AP_NOT_ON_NETWORK
ROGUE_AP_ON_NETWORK
ROGUE_AP_REMOVED
RRM_DOT11_A_GROUPING_DONE
RRM_DOT11_B_GROUPING_DONE
SENSED_TEMPERATURE_HIGH
SENSED_TEMPERATURE_LOW
STATION_ASSOCIATE
STATION_ASSOCIATE_FAIL
STATION_AUTHENTICATE
STATION_AUTHENTICATION_FAIL
STATION_BLACKLISTED
STATION_DEAUTHENTICATE
STATION_DISASSOCIATE
STATION_WEP_KEY_DECRYPT_ERROR
STATION_WPA_MIC_ERROR_COUNTER_ACTIVATED
SWITCH_DETECTED_DUPLICATE_IP
SWITCH_DOWN
SWITCH_UP
TEMPERATURE_SENSOR_CLEAR
TEMPERATURE_SENSOR_FAILURE
TOO_MANY_USER_UNSUCCESSFUL_LOGINS
Traps Added in Release 2.1
ADHOC_ROGUE_AUTO_CONTAINED
ADHOC_ROGUE_AUTO_CONTAINED_CLEAR
NETWORK_ENABLED
ROGUE_AP_AUTO_CONTAINED
ROGUE_AP_AUTO_CONTAINED_CLEAR
TRUSTED_AP_INVALID_ENCRYPTION
TRUSTED_AP_INVALID_ENCRYPTION_CLEAR
TRUSTED_AP_INVALID_RADIO_POLICY
TRUSTED_AP_INVALID_RADIO_POLICY_CLEAR
TRUSTED_AP_INVALID_SSID
TRUSTED_AP_INVALID_SSID_CLEAR
TRUSTED_AP_MISSING
TRUSTED_AP_MISSING_CLEAR
Traps Added in Release 2.2
AP_IMPERSONATION_DETECTED
AP_RADIO_CARD_RX_FAILURE
AP_RADIO_CARD_RX_FAILURE_CLEAR
AP_RADIO_CARD_TX_FAILURE
AP_RADIO_CARD_TX_FAILURE_CLEAR
SIGNATURE_ATTACK_CLEARED
SIGNATURE_ATTACK_DETECTED
TRUSTED_AP_HAS_INVALID_PREAMBLE
TRUSTED_HAS_INVALID_PREAMBLE_CLEARED
Traps Added in Release 3.0
AP_FUNCTIONALITY_DISABLED
AP_IP_ADDRESS_FALLBACK
AP_REGULATORY_DOMAIN_MISMATCH
RX_MULTICAST_QUEUE_FULL
Traps Added in Release 3.1
AP_AUTHORIZATION_FAILURE
HEARTBEAT_LOSS_TRAP
INVALID_RADIO_INTERFACE
RADAR_CLEARED
RADAR_DETECTED
RADIO_CORE_DUMP
RADIO_INTERFACE_DOWN
RADIO_INTERFACE_UP
UNSUPPORTED_AP
Traps Added in Release 3.2
LOCATION_NOTIFY_TRAP
Traps Added In Release 4.0
CISCO_LWAPP_MESH_POOR_SNR
CISCO_LWAPP_MESH_PARENT_CHANGE
CISCO_LWAPP_MESH_CHILD_MOVED
CISCO_LWAPP_MESH_CONSOLE_LOGIN
CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE
CISCO_LWAPP_MESH_CHILD_EXCLUDED_PARENT
CISCO_LWAPP_MESH_EXCESSIVE_PARENT_CHANGE
IDS_SHUN_CLIENT_TRAP
IDS_SHUN_CLIENT_CLEAR_TRAP
MFP_TIMEBASE_STATUS_TRAP
MFP_ANOMALY_DETECTED_TRAP
GUEST_USER_REMOVED_TRAP
Traps Added/Updated in Release 4.0.96.0
AP_IMPERSONATION_DETECTED
RADIUS_SERVER_DEACTIVATED
RADIUS_SERVER_ACTIVATED
RADIUS_SERVER_WLAN_DEACTIVATED
RADIUS_SERVER_WLAN_ACTIVATED
RADIUS_SERVER_TIMEOUT
DECRYPT_ERROR_FOR_WRONG_WPA_WPA2
Traps Added or Updated in Release 4.1
AP_IMPERSONATION_DETECTED
INTERFERENCE_DETECTED
INTERFERENCE_CLEAR
ONE_ANCHOR_ON_WLAN_UP
RADIUS_SERVER_DEACTIVATED
RADIUS_SERVER_ACTIVATED
RADIUS_SERVER_WLAN_DEACTIVATED
RADIUS_SERVER_WLAN_ACTIVATED
RADIUS_SERVER_TIMEOUT
MOBILITY_ANCHOR_CTRL_PATH_DOWN
MOBILITY_ANCHOR_CTRL_PATH_UP
MOBILITY_ANCHOR_DATA_PATH_DOWN
MOBILITY_ANCHOR_DATA_PATH_UP
WLAN_ALL_ANCHORS_TRAP_DOWN
MESH_AUTHORIZATIONFAILURE
MESH_CHILDEXCLUDEDPARENT
MESH_PARENTCHANGE
MESH_CHILDMOVED
MESH_EXCESSIVEPARENTCHANGE
MESH_POORSNR
MESH_POORSNRCLEAR
MESH_CONSOLELOGIN
LRADIF_REGULATORY_DOMAIN
LRAD_CRASH
LRAD_UNSUPPORTED
Unsupported Traps
Configuring Alarm Severity
Viewing MFP Events and Alarms
Alarm Emails
Viewing IDS Signature Attacks
Wireless LAN IDS Event Correlation
Alarms and Events
This chapter describes the type of events and alarms reported, how to view alarms and events by product or entity and severity, and how to view IDS signature attacks. It contains these sections:
•
Alarm Dashboard
•Setting Search Filters for Alarms
•Alarm and Event Dictionary
•Configuring Alarm Severity
•Viewing MFP Events and Alarms
•Viewing IDS Signature Attacks
An event is an occurrence or detection of some condition in and around the network. For example, it can be a report about radio interference crossing a threshold, the detection of a new rogue access point, a controller rebooting.
Events are not generated by a controller for each and every occurrence of a pattern match. Some pattern matches must occur a certain number of times per reporting interval before they are considered a potential attack. The threshold of these pattern matches is set in the signature file. Events can then generate alarms which further can generate email notifications if configured as such.
An alarm is a WCS response to one or more related events. If an event is considered of high enough severity (critical, major, minor, or warning), the WCS raises an alarm until the condition which resulted is judged to be no longer occurring. For example, an alarm may be raised while a rogue access point is detected, but the alarm will terminate after the rogue has not been detected for several hours.
One or more events can result in a single alarm being raised. The mapping of events to alarms is their correlation function. For example, some IDS events are considered to be network wide so all events of that type (regardless of which access point the event is reported from) maps to a single alarm. On the other hand, other IDS events are client-specific. For these, all events of that type for a specific client MAC address will map to an alarm which is also specific for that client MAC address, regardless of whether multiple access points report the same IDS violation. If the same kind of IDS violation takes place for a different client, then a different alarm is raised.
A WCS administrator currently has no control over which events generate alarms or when they time out. On the controller, individual types of events can be enabled or disabled (such as management, SNMP, trap controls, etc.).
Alarm Dashboard
The number of active alarms for controllers, access points, location, and rogue elements as well as alarms associated with entities such as coverage, mesh, and severity are actively displayed on the left-side of most WCS windows (see Figure 14-1).
Critical (red), Major (orange) and Minor (yellow) alarms are shown in the alarm dashboard, left -to-right.
Figure 14-1 Alarm Summary Block
To view a listing of a specific type of alarm (critical, major, or minor) for a specific product or entity (such as coverage), click on the appropriate box within the alarm dashboard and a window displaying details for that alarm type and product or entity appears (see Figure 14-2).
Note You can also view alarm details for a specific product or entity by choosing Monitor > Alarms and then selecting the desired alarm level from the Severity drop-down menu and the product or entity type from the Alarm Category drop-down menu.
Note To search for additional alarms, click New Search... on the left panel of the page. For more details on conducting a search, refer to the "Setting Search Filters for Alarms" section.
Note Configuring a username and password login for access points from the controller is a new capability.
Figure 14-2 Alarm Summary Page for WCS
Note You can click a box in the alarm dashboard to display alarm events for the entity and alarm type selected. For example, if you click on the minor alarms box for location, the Alarms page for that specific item appears (see Figure 14-2). For more details on a specific alarm listed on the Alarms page, click on the Failure Object link (see Figure 14-3).
Figure 14-3 Details for a Specific Failure Object (Alarm)
The most recent 802.11 channel where a rogue access point was observed is provided by clicking the Rogue Clients link on the bottom right or choosing Rogue Clients from the Select a command drop-down menu.
Note You can use the drop-down menu at the upper-right of the Alarms page to assign, unassign, delete or clear the alarm. The event history of the alarm is also accessible from this menu.
Setting Search Filters for Alarms
From the Monitor > Alarms page you can search for filters based on severity, category, and date range.
Step 1 Choose Monitor > Alarms. The Alarms window appears (see Figure 14-2). In the left-hand column, the saved searches that have been performed are listed.
Step 2 Use the controls in the left sidebar to create and save custom searches:
•New Search drop-down menu: Opens the Search Alarms window. Use the Search Alarms window to configure, run, and save searches.
•Saved Searches drop-down menu: Lists the saved custom searches. To open a saved search, choose it from the Saved Searches list.
•Edit link: Opens the Edit Saved Searches window. You can delete saved searches in the Edit Saved Searches window.
Step 3 (optional) If you want to change how the alarm search results are displayed, click Edit View. The Edit View window appears (see Figure 14-4). In the left-hand window, highlight which areas you want to view and click Show to move them to the right-hand window. You can then highlight the areas in the right-hand menu and click Up or Down to rearrange the order.
Figure 14-4 Edit View
Step 4 If you want to run a new search, click the New Search link. A Search Alarms menu appears (see Figure 14-5.
Figure 14-5 Search Alarms Window
Step 5 Use the Severity drop-down menu to choose which level of severity to search for.
Note A user can modify the severities assigned to various system conditions, but the following definitions are general guidelines that will be used as the default.
•All Severities: Selects severities of every type.
•Critical: The system requires immediate attention and correction.
•Major: An error occurred and will require attention.
•Minor: A condition is noted and recorded, but it may not be an error.
•Warning: A warning message indicates a potential error condition. Warnings are not displayed in the alarm summary dashboard.
•Informational: An information message provides routine information on normal events, but an alarm is not generated.
•Clear: The existing alarm is cleared.
Step 6 Use the Alarm Category drop-down menu to choose which devices you want to limit in the search. The choices are all, access point, controller, WCS, severity, coverage, rogue access point, mesh links, location servers, and location notifications.
Step 7 In the Rogue AP State drop-down menu, determine which rogue access point states you want to search. The choices are all, alert, known, acknowledged, contained, threat, contained pending, trusted missing, and removed.
Step 8 In the Rogue Type drop-down menu, specify which type of rogue to search for. The choices are all, access point, ad hoc, infrastructure rogues, IBSS rogues, or all rogues.
Step 9 Specify how you want the rogue access point search displayed. From the Search for Rogue APs by drop-down menu, you can choose all access points, access point name, access point MAC address, rogue MAC address, floor area, or outdoor area.
Step 10 Specify the amount of time you want the search to cover. The choices in the Time Period drop-down menu are any, last 5 minutes, last 15 minutes, last 30 minutes, last hour, last 8 hours, last 24 hours, or last 7 days.
Step 11 Click the Save Search check box if you want to save this search. You can then assign a name to this search.
Step 12 Choose how many failure objects should display per page. The choices are 10, 20, 30, 50, or 100.
Step 13 Click GO. The search begins and the list of failed objects display (see Figure 14-6). The date and time of the failure and a brief message about the failure is provided.
Figure 14-6 Alarms Displaying After Search
Step 14 The alarm search results reveal the following:
•Severity—Either Critical, Major, Minor, Warning, Clear, or Info.
•Failure Object—Clicking the title toggles between the name and the object in the message column.
•WCS—WCS name where alarm was detected.
•Owner—Name of person to whom this alarm is assigned or blank. Clicking the title toggles between ascending and descending order.
•Date/Time—When the alarm occurred. Clicking the title toggles between ascending and descending order.
•Message—Message explaining why the alarm occurred. Clicking the title toggles between ascending and descending order.
Step 15 Click the failure object link to get more in depth information on this particular alarm.
Alarm and Event Dictionary
This section describes the event and alarm notifications that the wireless LAN controller, access points, and location appliances can receive. In addition, specific actions an administrator can do to address these alarms and events are described.
Notification Format
For each alarm and event notification, the following information is provided:
Table 14-1 Notification Format
Field
|
Description
|
Title
|
The notification title is generally picked up from an event property file defined in the NMS.
|
MIB Name
|
The MIB Name is the name of the notification as defined in the management information base (MIB). In some cases, if the event is specific only to the NMS, this field is not relevant. You can define multiple events in WCS from the same trap based on the values of the variables present in the trap. In such cases, multiple subentries appear with the same MIB Name. In addition, this field displays the value of the variable that caused WCS to generate this event.
|
WCS Message
|
The WCS Message is a text string that reflects the message displayed in the WCS alarm or event browser associated with this event. Numbers such as "{0}" reflect internal WCS variables that typically are retrieved from variables in the trap. However, the order of the variables as they appear in the trap cannot be derived from the numbers.
|
Symptoms
|
This field displays the symptoms associated with this event.
|
WCS Severity
|
This field displays the severity assigned to this event in WCS.
|
Probable Causes
|
This field lists the probable causes of the notification.
|
Recommended Actions
|
This field lists any actions recommended for the administrator managing the wireless network.
|
Traps Added in Release 2.0
AP_BIG_NAV_DOS_ATTACK
MIB Name
|
bsnApBigNavDosAttack.
|
WCS Message
|
The AP ''{0}'' with protocol ''{1}'' receives a message with a large NAV field and all traffic on the channel is suspended. This is most likely a malicious denial of service attack.
|
Symptoms
|
The system detected a possible denial of service attack and suspended all traffic to the affected channel.
|
WCS Severity
|
Critical.
|
Probable Causes
|
A malicious denial of service attack is underway.
|
Recommended Actions
|
Identify the source of the attack in the network and take the appropriate action immediately.
|
AP_CONTAINED_AS_ROGUE
MIB Name
|
bsnAPContainedAsARogue.
|
WCS Message
|
AP ''{0}'' with protocol ''{1}'' on Switch ''{2}'' is contained as a Rogue preventing service.
|
Symptoms
|
An access point is reporting that it is being contained as a rouge.
|
WCS Severity
|
Critical.
|
Probable Causes
|
Another system is containing this access point.
|
Recommended Actions
|
Identify the system containing this access point. You may need to use a wireless sniffer.
|
AP_DETECTED_DUPLICATE_IP
MIB Name
|
bsnDuplicateIpAddressReported.
|
WCS Message
|
AP ''{0}'' on Switch ''{3}'' detected duplicate IP address ''{2}'' being used by machine with mac address ''{1}."
|
Symptoms
|
The system detects a duplicate IP address in the network that matches that assigned to an access point.
|
WCS Severity
|
Critical.
|
Probable Causes
|
Another device in the network is configured with the same IP address as an access point.
|
Recommended Actions
|
Correct the misconfiguration of IP addresses in the network.
|
AP_HAS_NO_RADIOS
MIB Name
|
bsnApHasNoRadioCards.
|
WCS Message
|
Not supported in WCS yet.
|
Symptoms
|
An access point is reporting that it has no radio cards.
|
WCS Severity
|
N/A.
|
Probable Causes
|
Manufacturing fault or damage to the system during shipping.
|
Recommended Actions
|
Call customer support.
|
AP_MAX_ROGUE_COUNT_CLEAR
MIB Name
|
bsnApMaxRogueCountClear.
|
WCS Message
|
Fake AP or other attack on AP with MAC address ''{0}'' associated with Switch ''{2}'' is cleared now. Rogue AP count is within the threshold of ''{1}'."
|
Symptoms
|
The number of rogues detected by a switch (controller) is within acceptable limits.
|
WCS Severity
|
Informational.
|
Probable Causes
|
N/A.
|
Recommended Actions
|
None.
|
AP_MAX_ROGUE_COUNT_EXCEEDED
MIB Name
|
bsnApMaxRogueCountExceeded.
|
WCS Message
|
Fake AP or other attack may be in progress. Rogue AP count on AP with MAC address ''{0}'' associated with Switch ''{2}'' has exceeded the severity warning threshold of ''{1}."
|
Symptoms
|
The number of rogues detected by a switch (controller) exceeds the internal threshold.
|
WCS Severity
|
Critical.
|
Probable Causes
|
•There may be too many rogue access points in the network.
•A fake access point attack may be in progress.
|
Recommended Actions
|
Identify the source of the rogue access points.
|
AUTHENTICATION_FAILURE (From MIB-II standard)
MIB Name
|
AuthenticationFailure.
|
WCS Message
|
Switch ''{0}''. Authentication failure reported.
|
Symptoms
|
There was an SNMP authentication failure on the switch (controller).
|
WCS Severity
|
Informational.
|
Probable Causes
|
An incorrect community string is in use by a management application.
|
Recommended Actions
|
Identify the source of the incorrect community string and correct the string within the management application.
|
BSN_AUTHENTICATION_FAILURE
MIB Name
|
bsnAuthenticationFailure.
|
WCS Message
|
Switch ''{0}." User authentication from Switch ''{0}'' failed for user name ''{1}'' and user type ''{2}."
|
Symptoms
|
A user authentication failure is reported for a local management user or a MAC filter is configured on the controller.
|
WCS Severity
|
Minor.
|
Probable Causes
|
Incorrect login attempt by an admin user from the controller CLI or controller GUI, or a client accessing the WLAN system.
|
Recommended Actions
|
If the user has forgotten the password, the superuser may need to reset it.
|
COLD_START (FROM MIB-II STANDARD)
MIB Name
|
coldStart.
|
WCS Message
|
Switch ''{0}." Cold start.
|
Symptoms
|
The switch (controller) went through a reboot.
|
WCS Severity
|
Informational.
|
Probable Causes
|
•The switch (controller) has power-cycled.
•The switch (controller) went through a hard reset.
•The switch (controller) went through a software restart.
|
Recommended Actions
|
None.
|
CONFIG_SAVED
MIB Name
|
bsnConfigSaved.
|
WCS Message
|
Switch ''{0}''. Configuration saved in flash.
|
Symptoms
|
A configuration save to flash is performed on the switch (controller).
|
WCS Severity
|
Informational.
|
Probable Causes
|
The switch (controller) saves the configuration to the flash via a CLI command or entry via the controller GUI or WCS.
|
Recommended Actions
|
If you change the configuration using the controller CLI or controller GUI, you may need to refresh the configuration.
|
IPSEC_IKE_NEG_FAILURE
MIB Name
|
bsnIpsecIkeNegFailure.
|
WCS Message
|
IPsec IKE Negotiation failure from remote IP address ''{0}."
|
Symptoms
|
Unable to establish an IPsec tunnel between a client and a WLAN appliance.
|
WCS Severity
|
Minor.
|
Probable Causes
|
Configuration mismatch.
|
Recommended Actions
|
Validate configuration, verify that authentication credentials match (preshared keys or certificates); and verify that encryption algorithms and strengths match.
|
IPSEC_INVALID_COOKIE
MIB Name
|
bsnIpsecInvalidCookieTrap.
|
WCS Message
|
IPsec Invalid cookie from remote IP address ''{0}."
|
Symptoms
|
Cannot successfully negotiate an IPsec session.
|
WCS Severity
|
Minor.
|
Probable Causes
|
Synchronization problem. The client believes a tunnel exists while the WLAN appliance does not. This problem often happens when the IPsec client does not detect a disassociation event.
|
Recommended Actions
|
Reset the IPsec client, then restart tunnel establishment.
|
LINK_DOWN (FROM MIB-II STANDARD)
MIB Name
|
linkDown.
|
WCS Message
|
Port ''{0}'' is down on Switch ''{1}."
|
Symptoms
|
The physical link on one of the switch (controller) ports is down.
|
WCS Severity
|
Critical.
|
Probable Causes
|
•An access point or a port was manually disconnected from the network.
•A port failure.
|
Recommended Actions
|
Troubleshoot physical network connectivity to the affected port.
|
LINK_UP (FROM MIB-II STANDARD)
MIB Name
|
linkUp.
|
WCS Message
|
Port ''{0}'' is up on Switch ''{1}."
|
Symptoms
|
The physical link is up on a switch (controller) port.
|
WCS Severity
|
Informational.
|
Probable Causes
|
A physical link to the switch (controller) is restored.
|
Recommended Actions
|
None.
|
LRAD_ASSOCIATED
MIB Name
|
bsnAPAssociated.
|
WCS Message
|
AP ''{0}'' associated with Switch ''{2}'' on Port number ''{1}.''
|
Symptoms
|
An access point has associated with a switch (controller).
|
WCS Severity
|
Informational.
|
Probable Causes
|
•A new access point has joined the network.
•An access point has associated with a standby switch (controller) due to a failover.
•An access point rebooted and reassociated with a switch (controller).
|
Recommended Actions
|
None.
|
LRAD_DISASSOCIATED
MIB Name
|
bsnAPDisassociated.
|
WCS Message
|
AP ''{0}'' disassociated from Switch ''{1}.''
|
Symptoms
|
The switch (controller) is no longer detecting an access point.
|
WCS Severity
|
Informational.
|
Probable Causes
|
•A failure in the access point.
•An access point is no longer on the network.
|
Recommended Actions
|
Check if the access point is powered up and has network connectivity to the switch (controller).
|
LRADIF_COVERAGE_PROFILE_FAILED
MIB Name
|
bsnAPCoverageProfileFailed.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Coverage threshold of ''{3}'' is violated. Total no. of clients is ''{5}'' and no. failed clients is ''{4}.''
|
Symptoms
|
Number of clients experiencing suboptimal performance has crossed the configured threshold.
|
WCS Severity
|
Minor.
|
Probable Causes
|
Many clients are wandering to the remote parts of the coverage area of this radio interface with no handoff alternative.
|
Recommended Actions
|
•If the configured threshold is too low, you may need to readjust it to a more optimal value.
•If the coverage profile occurs on a more frequent basis, you may need to provide additional radio coverage.
•If the power level of this radio can be manually controlled, you may need to boost it to increase the coverage area.
|
LRADIF_COVERAGE_PROFILE_PASSED
MIB Name
|
bsnAPCoverageProfileUpdatedToPass.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Coverage changed to acceptable.
|
Symptoms
|
A radio interface that was reporting coverage profile failure has reverted to an acceptable level.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The number of clients on this radio interface with suboptimal performance has dropped below the configured threshold.
|
Recommended Actions
|
None.
|
LRADIF_CURRENT_CHANNEL_CHANGED
MIB Name
|
bsnAPCurrentChannelChanged.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Channel changed to ''{2}." Interference Energy before update was ''{3}'' and after update is ''{4}.''
|
Symptoms
|
The current channel assigned to a radio interface has automatically changed.
|
WCS Severity
|
Informational.
|
Probable Causes
|
Possible interference on a channel has caused the radio management software on the controller to change the channel.
|
Recommended Actions
|
None.
|
LRADIF_CURRENT_TXPOWER_CHANGED
MIB Name
|
bsnAPCurrentTxPowerChanged.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Transmit Power Level changed to ''{2}.''
|
Symptoms
|
The power level has automatically changed on a radio interface.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The radio management software on the controller has modified the power level for optimal performance.
|
Recommended Actions
|
None.
|
LRADIF_DOWN
MIB Name
|
bsnAPIfDown.
|
WCS Message
|
AP ''{0}'', interface ''{1}'' is down.
|
Symptoms
|
A radio interface is out of service.
|
WCS Severity
|
Critical if not disabled, otherwise Informational.
|
Probable Causes
|
•A radio interface has failed.
•An administrator has disabled a radio interface.
•An access point has failed and is no longer detected by the controller.
|
Recommended Actions
|
If the access point is not administratively disabled, call customer support.
|
LRADF_INTERFERENCE_PROFILE_FAILED
MIB Name
|
bsnAPInterferenceProfileFailed.
|
WCS Message
|
AP ''{0}'', interface ''{1}''. Interference threshold violated.
|
Symptoms
|
The interference detected on one or more channels is violated.
|
WCS Severity
|
Minor.
|
Probable Causes
|
There are other 802.11 devices in the same band that are causing interference on channels used by this system.
|
Recommended Actions
|
•If the interference threshold is configured to be too low, you may need to readjust it to a more optimum value.
•Investigate interference sources such as other 802.11 devices in the vicinity of this radio interface.
A possible workaround is adding one or more access points to distribute the current load or slightly increasing the threshold of the access point which is displaying this message. To perform this workaround, follow the steps below:
1. Choose Configure > Controllers.
2. Click on any IP address in that column of the All Controllers page.
3. From the left sidebar menu, choose 802.11a or 802.11b/g and then RRM Thresholds.
4. Adjust the Interference Threshold (%) in the Other Thresholds section.
|
LRADIF_INTERFERENCE_PROFILE_PASSED
MIB Name
|
bsnAPInterferenceProfileUpdatedToPass.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Interference changed to acceptable.
|
Symptoms
|
A radio interface reporting interference profile failure has reverted to an acceptable level.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The interference on this radio interface has dropped below the configured threshold.
|
Recommended Actions
|
None.
|
LRADIF_LOAD_PROFILE_FAILED
MIB Name
|
bsnAPLoadProfileFailed.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Load threshold violated.
|
Symptoms
|
A radio interface of an access point is reporting that the client load has crossed a configured threshold.
|
WCS Severity
|
Minor.
|
Probable Causes
|
There are too many clients associated with this radio interface.
|
Recommended Actions
|
•Verify the client count on this radio interface. If the threshold for this trap is too low, you may need to readjust it.
•Add new capacity to the physical location if the client count is a frequent issue on this radio.
|
LRADIF_LOAD_PROFILE_PASSED
MIB Name
|
bsnAPLoadProfileUpdatedToPass.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Load changed to acceptable.
|
Symptoms
|
A radio interface that was reporting load profile failure has reverted to an acceptable level.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The load on this radio interface has dropped below the configured threshold.
|
Recommended Actions
|
None.
|
LRADIF_NOISE_PROFILE_FAILED
MIB Name
|
bsnAPNoiseProfileFailed.
|
WCS Message
|
AP ''{0}'', interface ''{1}''. Noise threshold violated.
|
Symptoms
|
The monitored noise level on this radio has crossed the configured threshold.
|
WCS Severity
|
Minor.
|
Probable Causes
|
Noise sources that adversely affect the frequencies on which the radio interface operates.
|
Recommended Actions
|
•If the noise threshold is too low, you may need to readjust it to a more optimal value.
•Investigate noise sources in the vicinity of the radio interface (for example, microwave oven).
|
LRADIF_NOISE_PROFILE_PASSED
MIB Name
|
bsnAPNoiseProfileUpdatedToPass.
|
WCS Message
|
AP ''{0}'', interface ''{1}." Noise changed to acceptable.
|
Symptoms
|
A radio interface that was reporting noise profile failure has reverted to an acceptable level.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The noise on this radio interface has dropped below the configured threshold.
|
Recommended Actions
|
None.
|
LRADIF_UP
MIB Name
|
bsnAPIfUp.
|
WCS Message
|
AP ''{0}'', interface ''{1}'' is up.
|
Symptoms
|
A radio interface is back up.
|
WCS Severity
|
Informational.
|
Probable Causes
|
•An administrator has enabled a radio interface.
•An access point has turned on.
•A new access point has joined the network.
|
Recommended Actions
|
None.
|
MAX_ROGUE_COUNT_CLEAR
MIB Name
|
bsnMaxRogueCountClear.
|
WCS Message
|
Fake AP or other attack is cleared now. Rogue AP count on system ''{0}'' is within the threshold of ''{1}''.
|
Symptoms
|
The number of rogues detected by a controller is within acceptable limits.
|
WCS Severity
|
Informational.
|
Probable Causes
|
N/A.
|
Recommended Actions
|
None.
|
MAX_ROGUE_COUNT_EXCEEDED
MIB Name
|
bsnMaxRogueCountExceeded.
|
WCS Message
|
Fake AP or other attack may be in progress. Rogue AP count on system ''{0}'' has exceeded the severity warning threshold of ''{1}''.
|
Symptoms
|
The number of rogues detected by a controller exceeds the internal threshold.
|
WCS Severity
|
Critical.
|
Probable Causes
|
•There are too many rogue access points in the network.
•A fake access point attack is in progress.
|
Recommended Actions
|
Identify the source of the rogue access points.
|
MULTIPLE_USERS
MIB Name
|
multipleUsersTrap.
|
WCS Message
|
Switch ''{0}''. Multiple users logged in.
|
Symptoms
|
Multiple users with the same login ID are logged in through the CLI.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The same user has logged in multiple times through the CLI interface.
|
Recommended Actions
|
Verify that the expected login sessions for the same user are valid.
|
NETWORK_DISABLED
MIB Name
|
bsnNetworkStateChanged (bsnNetworkState set to disabled).
|
WCS Message
|
Global ''{1}'' network status disabled on Switch with IP Address ''{0}."
|
Symptoms
|
An administrator has disabled the global network for 802.11a and 802.11b/g.
|
WCS Severity
|
Informational.
|
Probable Causes
|
Administrative command.
|
Recommended Actions
|
None.
|
NO_ACTIVITY_FOR_ROGUE_AP
MIB Name
|
This is a WCS-only event generated when no rogue activity is seen for a specific duration.
|
WCS Message
|
Rogue AP ''{0}'' is cleared explicitly. It is not detected anymore.
|
Symptoms
|
A rogue access point is cleared from the management system due to inactivity.
|
WCS Severity
|
Informational.
|
Probable Causes
|
A rogue access point is not located on any managed controller for a specified duration.
|
Recommended Actions
|
None.
|
POE_CONTROLLER_FAILURE
MIB Name
|
bsnPOEControllerFailure.
|
WCS Message
|
The POE controller has failed on the Switch ''{0}.''
|
SYMPTOMS
|
A failure in the Power Over Ethernet (POE) unit is detected.
|
WCS Severity
|
Critical.
|
Probable Causes
|
The power of the Ethernet unit has failed.
|
Recommended Actions
|
Call customer support. The unit may need to be repaired.
|
RADIOS_EXCEEDED
MIB Name
|
bsnRadiosExceedLicenseCount.
|
WCS Message
|
The Radios associated with Switch ''{0}'' exceeded license count ''{1}'' The current number of radios on this switch is ''{2}''.
|
Symptoms
|
The number of supported radios for a switch (controller) has exceeded the licensing limit.
|
WCS Severity
|
Major.
|
Probable Causes
|
The number of access points associated with the switch (controller) has exceeded the licensing limits.
|
Recommended Actions
|
Upgrade the license for the switch (controller) to support a higher number of access points.
|
RADIUS_SERVERS_FAILED
MIB Name
|
bsnRADIUSServerNotResponding.
|
WCS Message
|
Switch ''{0}''. RADIUS server(s) are not responding to authentication requests.
|
Symptoms
|
The switch (controller) is unable to reach any RADIUS server for authentication.
|
WCS Severity
|
Critical.
|
Probable Causes
|
Network connectivity to the RADIUS server is lost or the RADIUS server is down.
|
Recommended Actions
|
Verify the status of all configured RADIUS servers and their network connectivity.
|
ROGUE_AP_DETECTED
MIB Name
|
bsnRogueAPDetected.
|
WCS Message
|
Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
|
Symptoms
|
The system has detected a rogue access point.
|
WCS Severity
|
Minor if not on a wired network, Critical if on a wired network.
|
Probable Causes
|
•An illegal access point is connected to the network.
•A known internal or external access point unknown to this system is detected as rogue.
|
Recommended Actions
|
•Verify the nature of the rogue access point by tracing it using its MAC address or the SSID, or by using location features to locate it physically.
•If the access point is a known internal or external access point, acknowledge it or mark it as a known access point. Consider adding it to the known access point template within WCS.
•If the access point is deemed to be a severity threat, contain it using the management interface.
|
ROGUE_AP_NOT_ON_NETWORK
MIB Name
|
bsnRogueAPDetectedOnWiredNetwork (bsnRogueAPOnWiredNetwork is set to false).
|
WCS Message
|
Rogue AP ''{0}'' is not able to connect to the wired network.
|
Symptoms
|
A rogue access point is no longer on the wired network.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The rogue access point is no longer reachable on the wired network.
|
Recommended Actions
|
None.
|
ROGUE_AP_ON_NETWORK
MIB Name
|
bsnRogueAPDetectedOnWiredNetwork.
|
WCS Message
|
Rogue AP ''{0}'' is on wired network.
|
Symptoms
|
The system has detected a rogue access point on the wired network.
|
WCS Severity
|
Critical.
|
Probable Causes
|
The system has detected an illegal access point on the wired network.
|
Recommended Actions
|
•Determine if this is a known or valid access point in the system. If so, place it in the known access point list.
•Contain the rogue access point using the system to prevent anyone from accessing it until the access point is traced using location or other features.
|
ROGUE_AP_REMOVED
MIB Name
|
bsnRogueAPRemoved.
|
WCS Message
|
Rogue AP ''{0}'' is removed; it was detected as Rogue AP by AP ''{1}'' Radio type ''{2}''.
|
Symptoms
|
The system is no longer detecting a rogue access point.
|
WCS Severity
|
Informational.
|
Probable Causes
|
A rogue access point has powered off or moved away and therefore the system no longer detects it.
|
Recommended Actions
|
None.
|
RRM_DOT11_A_GROUPING_DONE
MIB Name
|
bsnRrmDot11aGroupingDone.
|
WCS Message
|
RRM 802.11a grouping done; the new group leader's MAC address is ''{0}.''
|
Symptoms
|
The radio resource module is finished grouping for the A band and a new group leader is chosen.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The older RRM group leader may have gone down.
|
Recommended Actions
|
None.
|
RRM_DOT11_B_GROUPING_DONE
MIB Name
|
bsnRrmDot11bGroupingDone.
|
WCS Message
|
RRM 802.11b/g grouping done; the new group leader's MAC address is ''{0}.''
|
Symptoms
|
The radio resource module finished its grouping for the B band and chose a new group leader.
|
WCS Severity
|
Informational.
|
Probable Causes
|
The older RRM group leader may have gone down.
|
Recommended Actions
|
None.
|
SENSED_TEMPERATURE_HIGH
MIB Name
|
bsnSensedTemperatureTooHigh.
|
WCS Message
|
The sensed temperature on the Switch ''{0}'' is too high. The current sensed temperature is ''{1}''.
|
Symptoms
|
The system's internal temperature has crossed the configured thresholds.
|
WCS Severity
|
Major.
|
Probable Causes
|
•Fan failure.
•Fault in the device.
|
Recommended Actions
|
•Verify the configured thresholds and increase the value if it is too low.
|
