Rogue reporting in WCS

Can anybody tell me what the difference is between the following 2 default Security reports:
Rogue APs
Rogue APs Event
We run both of these nightly, but the Rogue APs Event report usually is about 20 pages or so, and the information there has way more than what I see when I compare to my controller. The Rogue APs report usually matches what I see on my controller regarding current rogues. Does the Rogue APs Event report just detail everything that the access points have seen in the reporting time period? Some clarification on this would be greatly appreciated.
Thank you.

Rogues Detected by APs Report displays information about specific rogue access points detected on the network, rather than having to look into each rogue alarm and manually assemble a list. The data that is returned includes but is not limited to the following: the name of the detecting access point, the MAC address of the rogue, and the location of the rogue.
The Security Summary Report shows the number of association failures, rogue access points, ad hocs, and access point connections or disconnections over one month.

Similar Messages

  • Reporting in WCS Question

    Is there any way to generate a report in WCS for clients associated / authenticated by AP's? I was able to get client count by controller; what I need is client count by Access Point.
    If anyone has any suggestions please contribute. WCS Version 7.0.172.0
    Thanks
    Anil Jacob

    Have you used a beta version or earlier pre-release version?
    You have an issue that is related somehow to entries that were in beta codes of WCS.
    A few things to try: first, make a backup of your db.
    Then, go on the CLI, to the bin folder of WCS, and run:
    1. StopWCS
    2. dbadmin checkschema
    3. StartWCS
    See if this helps.
    I don't want to push you into opening a TAC case and would like to avoid it, but if you are concerned about keeping the same db and not losing any data, we need a TAC case to be opened. That will involve you uploading your database to me so we can try to fix this manually.
    If you don't care about the DB and you are OK to rebuild it, then from the CLI:
    1. StopWCS
    2. dbadmin reinitdb
    3. StartWCS
    Reconfigure your WCS, and the issue will be gone.
    If you decide that you cannot lose the db and the previous steps did not help, open a TAC SR between now and the next couple of hours and ask for lavramov; I can help you out.

  • Reporting MSE (WCS)

    Hi@all,
    we have a small problem with the "Client Location Tracking"-report in WCS.
    If we create a job of this kind and activate the schedule, we get empty reports. If we open the job and press "run", we get all clients listed. (Export is possible, too.)
    If the job is running via the schedule, we get "Report ran successfully and the run result has no data" but this is impossible.
    Our infrastructure:
      MSE 3355 (7.0.240)
      WCS (7.0.240)
      WLC 4404 (7.0.240)
    I hope anybody could help.
    kind regards
      René

    So, yesterday we cleared the database of the MSE via WCS.
    After this procedure we got our reports.
    Now, round about 24h later, they are corrupt.
    If we look at the CPU status of the MSE, we see that some oracle instances have 100% CPU (also 1 core full) and a report takes ~10 minutes.
    If we execute the report now, we get it in 20-30 sec.
    Also it seems to be a bug. A TAC case is opened, but it looks like we won't get help, missing contract *argh*
    Edit:
    What I have realized is that the DB disk memory is 4199696000. It seems that the db couldn't be larger than 4GB, because yesterday we had nearly the same amount of data before we cleaned the database. This couldn't be correct, or?

  • Mapping a rogue CLIENT in WCS with 4404

    Hi.
    I'm running a 4404 (4.1.171.0) and WCS. I imported all the maps, placed the AP's etc.
    Looks great! I can find rogue AP's no problem and place them on the map with the skull and crossbones.
    However, I can't figure out how to do rogue CLIENT mapping. I'm almost positive it can be done but can't find it anywhere in the docs or forums.
    Any help appreciated.
    Bob

    Change the Search In to 'WCS Controllers' under Monitor->Security->Rogue Clients and search for rogue clients on the controller directly. Then click on one, and you will see that the Detecting APs are shown, as well as the location if this rogue client was detected by the location server.

  • Reporting in WCS 6.0.132

    I recently upgraded from WCS 5.2 to 6.0. I have a number of Client Count reports set up, which are run weekly to generate PDF graphs of usage on all APs in each building. Since the conversion, all of them fail with the message "Failed to run report". I've tried deleting and re-defining them, but get the same result. Running them manually makes no difference. Has anyone seen anything similar? Is there anything I can do, or is reporting just broken in 6.0? The message is singularly unhelpful.
    Regards
    Max Caines
    University of Wolverhampton

    Have you used a beta version or earlier pre-release version?
    You have an issue that is related somehow to entries that were in beta codes of WCS.
    A few things to try: first, make a backup of your db.
    Then, go on the CLI, to the bin folder of WCS, and run:
    1. StopWCS
    2. dbadmin checkschema
    3. StartWCS
    See if this helps.
    I don't want to push you into opening a TAC case and would like to avoid it, but if you are concerned about keeping the same db and not losing any data, we need a TAC case to be opened. That will involve you uploading your database to me so we can try to fix this manually.
    If you don't care about the DB and you are OK to rebuild it, then from the CLI:
    1. StopWCS
    2. dbadmin reinitdb
    3. StartWCS
    Reconfigure your WCS, and the issue will be gone.
    If you decide that you cannot lose the db and the previous steps did not help, open a TAC SR between now and the next couple of hours and ask for lavramov; I can help you out.

  • Detailed client Report in WCS

    Hi,
    What exactly do the fields of the traps that appear in the Detailed Client report of the WCS mean?
    07/08/10 08:09,"00:04:23:71:67:bf",,"Campus> Ome > CN.OM.P03","XSFK2MP345","10.120.205.25",07/08/10 08:09,"0 secs","0.0.0.0",0,-128,"802.11b","N/A",0,0,0,0,"No","Associated","Client '00:04:23:71:67:bf' is associated with AP '00:23:eb:2d:8a:e0', interface '0'."
    What do the many associations of "0Sec" with no IP assigned mean?
    Thanks!

    Hi,
    Are you still facing this issue?
    thanks,
    Vinay

  • Interpretations of 802.11 counters report on WCS

    Dear Sir,
    My customer recently deployed WLCs and WCS in their environment. However, recently they experienced slow performance. To further find out the root cause, I generated the 802.11 counters report from the WCS and noticed the following parameters are shown:
    Tx/Rx Fragment Count/Sec and FCS Error Count/Sec
    1. Can I make the assumption that the overall packet transfer rate in that interval is the total of Tx/Rx Fragment Count/Sec and FCS Error Count/Sec?
    2. If the output rates of Tx/Rx Fragment Count/Sec and FCS Error Count/Sec are the same, does it mean that 50% of the packets are corrupted and this high FCS Error Count/Sec will cause performance degradation to the wireless throughput?
    3. What is the baseline of the FCS Error Count/Sec that is acceptable? As for the case with wired, 1% error rate is acceptable. Will wireless have the same baseline?
    Thanks
    -delon

    FCS error count is the number of frames that were transmitted/received with a bad checksum (CRC value) in the ethernet frame. These frames are dropped and not propagated onto other ports. Usually we check FCS errors at the ASIC level so they never even hit the backplane. A few of these errors are OK, but they could also be an indication of bad cables, NICs, etc.
    Catalyst keeps track of Transmit FCS and Receive FCS. The Receive FCS is normal since it's coming from the cable; Transmit FCS errors, however, should not occur and are an indication of bad hardware in the Catalyst. The FCS counter is a sum of Tx and Rx FCS errors.

  • Generation of Client summary report on WCS

    Hi,
    I have four WLCs running the IOS version 7.0 at different locations. All these WLCs are joined to the WCS at one location.
    I am trying to generate the client summary report, but I am not able to generate the report as per the requirements.
    Please let me know whether it is possible to generate the client summary report for each controller (i.e. the report providing the details of the users at each location). If so, please let me know the procedure.

    Hi,
    Client summary cannot be narrowed down to Controller IP. However, the "Client session report" will help you out in getting the report per Controller, and this gives the client TX, RX and you can customize it as well!!
    here is the link to do it..
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0reps.html#wp1135765
    lemme know if this answered ur question!!
    Regards
    Surendra

  • MFP Error reported in WCS

    I've searched for the following errors but can't find anything on the MFP Invalid Sequence Number error.
    I have just enabled Management Frame Protection (MFP) under AP Authentication / Wireless Protection Policies. Since then I have seen the following MFP related errors on WCS.
    MFP Anomaly Detected - 11 'Invalid Sequence Number' violation(s) have  originated from the AP with BSS '00:11:20:8e:91:50'.  This was detected  by the radio with Slot ID '0' of the AP with MAC '00:1a:e3:76:fd:50'  when observing 'Deauthentication' frames.
    MFP Anomaly Detected - 20 'No MIC' violation(s) have originated from the  AP with BSS '00:26:cb:ac:7e:71'.  This was detected by the radio with  Slot ID '0' of the AP with MAC '00:26:cb:d1:b2:b0' when observing  'Deauthentication' frames.
    The WLC's are running 6.0.196.0 and WCS is on 6.0.170.0.
    My question is what do these errors refer to and how do I get rid of them? What caveats are there for implementing this globally or on a per WLAN basis?
    Any ideas?
    Thanks
    Martin

    Hello,
    I have exactly the same error message 8 or 10 times per day, but we have had MFP enabled on our system for a long time and we have WLC Version 7.0.98.0 and WCS 7.0.164.0.
    Did you get solutions for that?
    Thanks for your help

  • LWAPP Rogue AP report

    Hi
    In my WCS, I see hundreds of rogue APs. Most of them are my APs, also controlled by my WiSMs. Why do I get rogue reports for them? The radio MAC of the rogue report is usually one digit higher than the base MAC of the AP.

    I don't know if this is related or not:
    I have been working with Cisco TAC and they indicate that the following false alarm: "Disassociation Flood" alarm is due to a software bug that is to be fixed in the November timeframe (aka Concannon release):
    "IDS Signature attack detected. Signature Type: Standard, Name: Disassoc flood, Description: Disassociation flood, Track: per-signature, Detecting AP Name"
    What caught my attention to relate this to what you are describing is that the error/trap indicates that the supposed disassociation flood is coming from the radio MAC addresses of our own trusted APs being controlled by the WLC.
    Bug is identified as CSCse70641
    Externally found severe defect: Assigned (A) Problems with signatures in 4.0.155.0
    Symptom: High number of 'Disassoc flood' and 'Broadcast Probe floo' alarms. In 3.2 this is not showing up, for controllers on the same area. The shorter mask of 4.0 seems to match additional frames, resulting in false positives.
    Conditions: Between 3.2 and 4.0 versions, there are several changes on the standard signature database. For 3.2, for example, signature 7 (Disassoc flood) was 0:0x00A0:0x03FF, on 4.0 now is 0:0:0x00A0:0x00FF. Additionally, this does not match the information present on the header of the signature file. If the byte stream is compared, for a disassociation flood, the frame starts with 0xA000, which, after applying either of the two masks, results in 0, failing the verification. For the signature to be correct, a double byte swapping is needed, which is not documented or present.
    The current workaround is as follows:
    Workaround:
    Disable signatures
    To disable the signature file:
    In the controller, go to 'Security' --> 'Wireless Protection Policies' --> 'Standard Signatures' and click 'detail' on the far right of the signature you wish to disable. You will see a 'State' check box; simply uncheck it and hit apply. The signature will now show in a disabled state.
    Hope this helps
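
The mask behaviour described in the CSCse70641 text above, as an added example that is not part of the original posts or Cisco's code. It assumes each signature reads as offset:pattern:mask applied to a 16-bit word at the start of the frame (the extra leading field in the 4.0 entry is ignored), and the function names and sample frames are constructed for illustration.

```python
import struct

# (offset, pattern, mask) as quoted in the bug text for "Disassoc flood".
SIG_3_2 = (0, 0x00A0, 0x03FF)
SIG_4_0 = (0, 0x00A0, 0x00FF)

def matches(frame: bytes, sig, byte_swap: bool) -> bool:
    """Apply one signature to the 16-bit word at its offset.

    byte_swap=False reads the bytes in wire order (0xA0 0x00 -> 0xA000);
    byte_swap=True reads them swapped (0xA0 0x00 -> 0x00A0), which is the
    swapping the bug text says the signature needs (assumed semantics).
    """
    offset, pattern, mask = sig
    fmt = "<H" if byte_swap else ">H"
    (word,) = struct.unpack_from(fmt, frame, offset)
    return (word & mask) == pattern

def extra_matches_in_4_0() -> int:
    """Count second-byte (flags) values that only the shorter 4.0 mask matches."""
    extra = 0
    for flags in range(256):
        frame = bytes([0xA0, flags])
        if matches(frame, SIG_4_0, True) and not matches(frame, SIG_3_2, True):
            extra += 1
    return extra

# Constructed 802.11 frame-control bytes (not captured traffic).
DISASSOC = bytes([0xA0, 0x00])       # management frame, subtype 10, no flags
DISASSOC_TODS = bytes([0xA0, 0x01])  # same subtype with the To DS bit set

if __name__ == "__main__":
    for name, sig in (("3.2", SIG_3_2), ("4.0", SIG_4_0)):
        print(name, "wire order:", matches(DISASSOC, sig, False),
              "| swapped:", matches(DISASSOC, sig, True),
              "| swapped, To DS set:", matches(DISASSOC_TODS, sig, True))
    print("flag values matched only by the 4.0 mask:", extra_matches_in_4_0())
```

Read in wire order, neither mask can ever equal the pattern; read swapped, the 0x00FF mask ignores the flags byte entirely, so it accepts frames the 0x03FF mask rejects.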

  • Limiting reported rogues

    I'm running WCS ver 7.0.164 and the controllers are running 7.0.98 code. I have a daily rogue report configured to email me the rogue access points reported by the controllers and access points. How do I limit the reporting so that any rogue with a RSSI of less than -85 is not reported? I created a "rogue ap rule" and set the match condition to a minimum RSSI of -85. Then I applied that to a "rogue ap rule group" and applied that to the controllers, but I still get the same number of rogues in my report.
    Thanks,
    Al

    Post the rogue message you are getting for starters.
    Also, how are your rogue policies configured? Here is the user's guide for configuring rogue policies using the templates.
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0temp.html#wp1100222
    You modify the rogue ap rules to prevent those rogues from appearing:
    Viewing or Editing Rogue Access Point Rules
    You can view or edit current rogue access point rules on a single WLC. Follow these steps to access the rogue access point rules. See the "Configuring a Rogue AP Rules Template" section on page 12-77 for more information.
    Step 1 Choose Configure > Controllers.
    Step 2 Click an IP address under the IP Address column.
    Step 3 From the left sidebar menu, choose Security > Rogue AP Rules. The Rogue AP Rules displays the rogue access point rules, the rule types (malicious or friendly), and the rule sequence.
    Step 4 Choose a Rogue AP Rule to view or edit its details.

  • Reporting problems with Cisco WCS

    hi all,
    I was wondering whether anyone has experienced the following symptoms on Reporting.
    WCS Rogue AP reports do not run and show up as 'Expired'.
    This does not occur with all the Rogue AP reports though (they are being created based on floor areas; one report per campus).
    customer is using the following
    WCS Version: 7.0.230.0
    any idea on this, could this be a software bug?
    thanks a lot
    with kind regards,
    Lancellot

    Hi,
    The report expires when it is a scheduled report and configured for some specific time. After the time has passed, the report expires. Re-schedule the report time and change the start-date time of the schedule, and that should resolve your issue.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • WCS Busiest Client Report Problem

    We are using Wism 4.0.155.5 and WCS 4.0.81.0. Everytime I run "busiest client report" on WCS, I get some clients with throughput more than 70Mbps and utilization more than 600%!!! It is very weird. Anyone see this as well? Thanks.

    zhenningx:
    I see it too. It definitely appears to be a bug, but I will do some checking. Mine show upwards of 2000% and most of my top 25 show an almost identical tx/tx amount of 4gb.
    If I make any headway with TAC, I'll let you know.

  • WCS Unique Client report problem

    If I run a "Unique Client" report in WCS (based on 4 controllers) using the range "last 1 day", I get plenty of data.  But if I choose a specific range of time, even within the last 24 hours, I don't get any data.  Seems like a bug.  Anyone else experience this issue?
    It's WCS 7.0.172

    It seems you are facing the bug below and need a patch, uniqueclients.xml, which can be provided by TAC: CSCtq64813
    Apply the workaround, which is done by the following steps:
    1. Stop WCS
    2. cd to /webnms/classes/com/cisco/server/reports/conf
    3. Backup UniqueClients.xml
    4. Copy the attached file to UniqueClients.xml (batch file attached in the case)
    5. Restart the server

  • WCS reporting -128db

    I have a WISM LWAPP deployment with 4 WISM blades (2 are for backup), 400 1231 and 1242 AP's. I use WCS to monitor the WLAN. My problem is tracking down why stationary clients are frequently reporting through WCS a -128db signal strength when the client is located less than 50 feet from an AP. This is happening on all SSID's and in multiple buildings. It does not happen to all of the clients on a given AP, and does not seem to happen on all clients. It happens at random times. My thought is that WCS only polls clients every 10 minutes (I changed this from the default 15 minutes) so the signal loss indicated by -128db is probably happening much more frequently. This is happening to iPAQ's, tablets, symbol mc70's, laptops both windows and MAC.
    I am also seeing very high MIC and FCS error counts.
    Any suggestions on a command to monitor a client to see what's going on?
    Thanks

    You can use the WCS navigator. The Cisco WCS Navigator provides network administrators with easy, cost-effective access to information from multiple geographically diverse Cisco WCS management platforms. This innovative platform allows network managers to partition the unified wireless network at the management level.
