Even distribution of FortiAP reports

Reporting intervals for FortiAP are now evenly distributed to prevent spikes in CPU usage in FortiGates that manage a large number of AP devices.

FortiAP sends periodic reports to FortiGate when WIDS profiles, DARRP, or auto-power-level are enabled in WTP profiles. Before this improvement was implemented, these periodic reports would frequently reach the wireless controller at the same time, causing spikes in CPU usage.

GUI

The following images compare the CPU usage in a FortiGate that manages 16 FortiAPs before and after the improvement was implemented.

Before the improvement, CPU usage is above 25%. The spike in usage can go as high as 90% if the FortiGate manages more than 16 devices.

After the improvement is implemented, CPU usage is approximately 10% in the same FortiGate.

CLI

The following examples show the improvements in the CLI for the same FortiGate device.

In this example, you can see 16 wireless sessions in the CLI.

FG81EP4Q16000344 (root) # diag wire wlac -c ws | grep "WTP session"

WTP session : 0-10.43.1.1:62332 CWAS_RUN

WTP session : 0-10.43.1.1:62350 CWAS_RUN

WTP session : 0-10.43.1.1:62356 CWAS_RUN

WTP session : 0-10.43.1.1:62357 CWAS_RUN

WTP session : 0-10.43.1.1:62325 CWAS_RUN

WTP session : 0-10.43.1.1:15246 CWAS_RUN

WTP session : 0-10.43.1.1:62362 CWAS_RUN

WTP session : 0-10.43.1.1:62364 CWAS_RUN

WTP session : 0-10.43.1.1:62366 CWAS_RUN

WTP session : 0-10.43.1.1:62367 CWAS_RUN

WTP session : 0-10.43.1.1:62319 CWAS_RUN

WTP session : 0-10.43.1.1:62321 CWAS_RUN

WTP session : 0-10.43.1.1:62320 CWAS_RUN

WTP session : 0-10.43.1.1:62370 CWAS_RUN

WTP session : 0-10.43.1.1:62323 CWAS_RUN

WTP session : 0-10.43.1.1:62329 CWAS_RUN

Before the improvement is implemented, the FortiAP WTP reports are not indexed, which can cause spikes in CPU usage.

FG81EP4Q16000344 (root) # diag wireless-controller wlac -c ws | grep report

FG81EP4Q16000344 (root) #

After the improvement is implemented, the AC assigns a wtp-report-index to each managed FortiAP, preventing spikes in CPU usage.

FG81EP4Q16000344 (root) # diag wireless-controller wlac -c ws | grep report

wtp-report-index : 1

wtp-report-index : 2

wtp-report-index : 3

wtp-report-index : 4

wtp-report-index : 5

wtp-report-index : 6

wtp-report-index : 7

wtp-report-index : 8

wtp-report-index : 9

wtp-report-index : 10

wtp-report-index : 11

wtp-report-index : 12

wtp-report-index : 13

wtp-report-index : 14

wtp-report-index : 15

wtp-report-index : 16

You can see the value for the wtp-report-index when you filter the data by device. In this example, the report index is 16.

FG81EP4Q16000344 (root) # diag wireless-controller wlac -c ws 10.231.40.15

-------------------------------WTP SESSION 1----------------------------

WTP session : 0-10.43.1.1:62433 CWAS_RUN

Ctrl in_ifIdx : 5/wan1

indev : 5/wan1

Data in_ifIdx : 5/wan1

indev : 0/

mesh uplink : ethernet

id : FP423E3X16000304

mgmt_vlanid : 0

wtp_wanlan_mode : wan-only

refcnt : 10

deleted : no

plain_ctl : disabled

wtp-mode : normal

wtp-report-index : 16

data-chan-sec : clear-text

ctl-msg-offload : ac=01ff/wtp_loc=01ff/wtp_rem=01ff/oper=01ff

session_id : 70386ec03c8bdcd630efda365b3f9ce0

ehapd cfg : done

message queue : 0/128 max 65

tId_10_sec : 3537

Ekahau : disabled

Aeroscout : disabled

FortiPresence : disabled

Radio 1 : AP

wlan cfg : 81ep_ssid1 81ep_ssid2 81ep_ssid4 81ep_wpa3_sae

vap-01(1) : 81ep_ssid1 90:6c:ac:dc:60:b0 lsw FOS-QA-Bruce_81ep1 Config success State RUN

vap-02(2) : 81ep_ssid2 90:6c:ac:dc:60:b1 lsw FOS-QA-Bruce_81ep2 Config success State RUN

vap-03(3) : 81ep_ssid4 90:6c:ac:dc:60:b2 lsw FOS-QA-BRUCE_roaming Config success State RUN

vap-04(4) : 81ep_wpa3_sae 90:6c:ac:dc:60:b3 lsw 81ep_wpa3_sae Config success State INIT

Radio 2 : AP

wlan cfg : 81ep_ssid1 81ep_ssid2 81ep_ssid4 81ep_wpa3_sae

vap-01(1) : 81ep_ssid1 90:6c:ac:dc:60:b8 lsw FOS-QA-Bruce_81ep1 Config success State RUN

vap-02(2) : 81ep_ssid2 90:6c:ac:dc:60:b9 lsw FOS-QA-Bruce_81ep2 Config success State RUN

vap-03(3) : 81ep_ssid4 90:6c:ac:dc:60:ba lsw FOS-QA-BRUCE_roaming Config success State RUN

vap-04(4) : 81ep_wpa3_sae 90:6c:ac:dc:60:bb lsw 81ep_wpa3_sae Config success State N/A

Radio 3 : Not Exist

Radio 4 : Not Exist

Radio 5 : Not Exist

You can also see the device's wtp-report-index value when you view the WTP configuration in FortiAP.

FortiAP-423E # cw_diag -c wtp-cfg

WTP Configuration

name : FortiAP-423E

loc : N/A

ap mode : thin AP

fmvap : FG81EP4Q16000344,(12ac979c,5e693999,1),1800,0

atf mode : disabled

dual-5g mode : disabled

poe mode : auto

poe mode oper : 802.3at

led mode : normal

led schedules : SMTWTFS 00:00->00:00,

WAN port cnt : 2

lan1 : carrier=1, speed=1000, duplex=full

lan2 : carrier=0, speed=0, duplex=

energy-efficient-eth : disable

extension info enable: enable

allowaccess : https ssh

lldp enable : enable

wtp-report-index : 16

ctl-msg-offload : ac=01ff/wtp=01ff/oper=01ff

radio cnt : 2

sta info : 0/0

echo-interval : 30

keep-alive-interval : 30

max-retransmit : 3

dc-dead-interval : 120

discovery-interval : 5

report-interval : 30

sta-stats-interval : 1

vap-stats-interval : 15

radio-stats-interval : 15

sta-cap-interval : 30

idle-timeout : 300

fpresence-interval : 3600, 30

statistics-interval : 120

fsm-state : RUN 439

wtp-ip-addr : 10.231.40.15:25246 - 10.231.40.15:36529

ac-ip-addr : 172.18.56.46:5246 - 172.18.56.46:5247 DHCP

base-mac : 90:6c:ac:dc:60:a8

bulk data seq num : -1

ap-mgmt-vlanid : 0

ac-cert-version : 1

cert-version-oper : 1

data-chan-sec-cfg : clear-text dtls ipsec

data-chan-sec-oper : clear-text

ip-frag-prevent : TCP_MSS (ul_mtu=1500 dl_mtu=1500)

ekahau : disabled

aeroscout : disabled

data-ethernet-II : disabled

fortipresence : disabled, ble enabled, rogue disabled, unassoc_sta enabled, freq 30

server 0.0.0.0:3000 secret csum [0xc6a7] project [fortipresence]

LAN mode : disabled

LAN port cnt : 0

encrypt_key[0-15] : 14-aa-7f-3e-34-a1-83-e7-ca-51-49-2c-e3-64-b3-03

encrypt_key[16-31] : 70-1a-42-5b-a5-5d-79-f0-c4-6e-e0-2f-a8-81-58-13