Cisco Systems OL-8376-01 Intrusion Detection System Troubleshooting, 1-53, Interference Detection

Chapter 1 FAQs and Troubleshooting

Intrusion Detection System FAQs and Troubleshooting

–First, a rogue is detected which has an RSSI value higher than the configured threshold. For example, it has an RSSI value of -60dBm and the configured threshold is -80dBm.

–Then, the rogue is not seen for a while, and the WLSE marks it for deletion. (Rogue APs that are not heard from for a long time are candidates for deletion from the WLSE.)

Interference Detection

Q.Are the Network-Wide > Interference Detection settings of -87dbm for 10% always the same, or are they the optimal recommended values, or are they calculated depending on the environment? Should they be left alone, or are there any recommendations?

A.This is the default setting. If it is not adequate, you will need to experiment to find the proper setting for your environment.

APs in Scanning-Only Mode

Q.Why are the APs running in scanning-only mode having problems with sporadic connection loss and image upgrade failure?

A.In a heavy-load environment, APs running in scanning-only mode may face sporadic connection loss and image upgrade failure. To resolve these problems, use the following configuration commands to balance CPU time:

scheduler interval <100-xxx>

scheduler allocate <3000-xxx> <1000-xxx>

Many newer Cisco platforms use the command scheduler allocate instead of scheduler interval. The scheduler allocate command takes two parameters: a period in microseconds for the system to run with interrupts enabled, and a period in microseconds for the system to run with interrupts masked. Please refer to the IOS documentation for more information about these commands.

Q.Which WLSE IDS functions require dedicated scanning APs?

A.Only the Unregistered Client function requires a scanning AP.

Intrusion Detection System Troubleshooting

This section contains the following information for troubleshooting the Intrusion Detection System:

•Q.I configured the Friendly AP-to-Rogue AP no-observation period as 5 minutes, moved a rogue AP (AP1) to the friendly list, and shut down its radio. After 5 minutes, AP1 was moved to the rogue AP list. When I moved AP1 back to the friendly list, it was immediately (with in 40 seconds) moved back to the rogue AP list.

•Q.What should I do when my system is overrun with rogue APs?

•Q.The SSID field in the Manage Rogues > Rogue AP List report is being displayed in hexagonal format (for example, "\x00\x00\x00\x00\x00\x00\x00\x00\x00"). What causes this?

Q.I configured the Friendly AP-to-Rogue AP no-observation period as 5 minutes, moved a rogue AP (AP1) to the friendly list, and shut down its radio. After 5 minutes, AP1 was moved to the rogue AP list. When I moved AP1 back to the friendly list, it was immediately (with in 40 seconds) moved back to the rogue AP list.

FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine