Avoiding the Rabbit Hole: Network Troubleshooting with Wyebot

Avoiding the Rabbit Hole: Direct Answers and Quick Resolution with Wyebot

February 18, 2019

THE PROBLEM: A school was having issues with its network and was unsure why. Teachers and students were seeing serious performance problems on the secure network compared with the guest network. As a result, staff were frequently using the guest network instead of the secure network.

WIP INVESTIGATES: The school was doing a trial of the Wyebot WIP sensor. When Wyebot reviewed their dashboard in preparation for a call with them, the following signature was observed:

This signature is designed to report when one or more SSIDs on an access point are operating below their full capability. There are sometimes valid reasons for an administrator to configure an SSID like this, but that was not the case at this school.

UNDERSTANDING THE ROOT CAUSE: The school uses an external consultant to configure and manage their wireless network.  The school staff have limited wireless experience and it’s unknown whether they even have access to their WLAN controller.  They are using a Cisco WLC controller with a mix of 802.11n and 802.11ac APs. Cisco gives you *a lot* of configurable options on its controller and very much allows you to misconfigure a network.

The network consultant had gone into the SSID profile and inadvertently changed the WMM Policy setting from its default of Allowed to Disabled. This caused the WLAN controller to remove the 802.11n and 802.11ac data rates and force that SSID to use only legacy 802.11abg data rates. Even worse, this affected only one SSID. Their Guest SSID was configured correctly and wasn’t affected by this problem. So clients connected to the Guest network had a better experience than everyone connected to the production network.

This setting is buried in a sub-menu of the SSID profile. Cisco even has a footnote on the page which reads “WMM and open or AES security should be enabled to support higher 11n rates.” While this statement is factually correct, very few people will understand from the way it is written what it means or what its implications are.

THE QUICK AND CORRECT RESOLUTION: Once the root cause was found, the fix was easy: a click of a button changed the SSID setting, and the wireless experience improved instantly.

DIAGNOSING WITHOUT WYEBOT: This problem manifests itself as low throughput, a common and vague symptom that can have many different causes. That would have made the root cause very difficult to diagnose.

In order to diagnose the problem, an experienced WiFi engineer would have needed to do the following:

  1. Go onsite to the customer’s location and take a wireless packet capture.

  2. Manually parse the packet capture to see that the production SSID’s beacon was not advertising the HT and VHT information elements, while the Guest SSID was.

  3. Understand the 802.11 standard well enough to know that the reason the HT/VHT elements were missing is that WMM was not enabled.

Even for an experienced network engineer, these steps would have taken a lot of time since this isn’t a common problem.  If a customer were paying an external consultant to do this, it would be very expensive.
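As an added example (not Wyebot's code and not part of the original post), the manual check in step 2 can be scripted: the Python below walks the tagged parameters of a beacon and reports whether the HT, VHT and WMM elements are present. The sample beacons and SSID names are constructed, and the input is assumed to be the beacon body with the radiotap header, MAC header and 12 fixed-field bytes already stripped.

```python
# 802.11 element IDs for the fields the case study compares between SSIDs
HT_CAPABILITIES, HT_OPERATION = 45, 61
VHT_CAPABILITIES, VHT_OPERATION = 191, 192
VENDOR_SPECIFIC = 221
WMM_PREFIX = bytes.fromhex("0050f202")  # OUI 00:50:F2, type 2 = WMM (type 1 would be WPA)

def parse_elements(tagged):
    """Walk the ID/length/value list that follows the fixed beacon fields."""
    elements, pos = [], 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2 : pos + 2 + length]
        if len(body) < length:  # truncated capture: stop instead of misreading
            break
        elements.append((eid, body))
        pos += 2 + length
    return elements

def audit_beacon(tagged):
    """Report which high-throughput prerequisites a beacon advertises."""
    elements = parse_elements(tagged)
    ids = {eid for eid, _ in elements}
    ssid = next((b.decode("utf-8", "replace") for e, b in elements if e == 0), "")
    report = {
        "ssid": ssid,
        "wmm": any(e == VENDOR_SPECIFIC and b.startswith(WMM_PREFIX) for e, b in elements),
        "ht": HT_CAPABILITIES in ids and HT_OPERATION in ids,
        "vht": VHT_CAPABILITIES in ids and VHT_OPERATION in ids,
    }
    report["legacy_only"] = not (report["ht"] or report["vht"])
    return report

def ie(eid, body):
    return bytes([eid, len(body)]) + body

# Constructed sample beacons: element bodies are zero-filled to their usual lengths
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
WMM_PARAM = ie(VENDOR_SPECIFIC, WMM_PREFIX + bytes([0x01, 0x01]) + bytes(18))
GUEST = (ie(0, b"Guest") + RATES + ie(45, bytes(26)) + ie(61, bytes(22))
         + ie(191, bytes(12)) + ie(192, bytes(5)) + WMM_PARAM)
PRODUCTION = ie(0, b"Production") + RATES

if __name__ == "__main__":
    for beacon in (GUEST, PRODUCTION):
        print(audit_beacon(beacon))
```

An SSID that reports `legacy_only` with `wmm` false while a sibling SSID on the same AP advertises all three matches the misconfiguration described above.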

The beacon from the properly configured Guest SSID is shown below.  The highlighted fields show the HT and VHT fields being advertised. The WMM field is outlined in red.

A beacon from the misconfigured Production SSID below shows that it is missing several of the fields that the Guest SSID is advertising.

There is no other troubleshooting tool that could have automatically diagnosed this problem.