Even distribution of FortiAP reports
Reporting intervals for FortiAP are now evenly distributed to prevent spikes in CPU usage in FortiGates that manage a large number of AP devices.
FortiAP sends periodic reports to FortiGate when WIDS profiles, DARRP, or auto-power-level are enabled in WTP profiles. Before this improvement was implemented, these periodic reports would frequently reach the wireless controller at the same time, causing spikes in CPU usage.
GUI
The following images compare the CPU usage in a FortiGate that manages 16 FortiAPs before and after the improvement was implemented.
Before the improvement, CPU usage is above 25%. The spike in usage can go as high as 90% if the FortiGate manages more than 16 devices.
After the improvement is implemented, CPU usage is approximately 10% in the same FortiGate.
CLI
The following examples show the improvements in the CLI for the same FortiGate device.
In this example, you can see 16 wireless sessions in the CLI.
FG81EP4Q16000344 (root) # diag wire wlac -c ws | grep "WTP session"
WTP session : 0-10.43.1.1:62332 CWAS_RUN
WTP session : 0-10.43.1.1:62350 CWAS_RUN
WTP session : 0-10.43.1.1:62356 CWAS_RUN
WTP session : 0-10.43.1.1:62357 CWAS_RUN
WTP session : 0-10.43.1.1:62325 CWAS_RUN
WTP session : 0-10.43.1.1:15246 CWAS_RUN
WTP session : 0-10.43.1.1:62362 CWAS_RUN
WTP session : 0-10.43.1.1:62364 CWAS_RUN
WTP session : 0-10.43.1.1:62366 CWAS_RUN
WTP session : 0-10.43.1.1:62367 CWAS_RUN
WTP session : 0-10.43.1.1:62319 CWAS_RUN
WTP session : 0-10.43.1.1:62321 CWAS_RUN
WTP session : 0-10.43.1.1:62320 CWAS_RUN
WTP session : 0-10.43.1.1:62370 CWAS_RUN
WTP session : 0-10.43.1.1:62323 CWAS_RUN
WTP session : 0-10.43.1.1:62329 CWAS_RUN
Before the improvement is implemented, the FortiAP WTP reports are not indexed, which can cause spikes in CPU usage. Filtering the session output for report returns nothing.
FG81EP4Q16000344 (root) # diag wireless-controller wlac -c ws | grep report
FG81EP4Q16000344 (root) #
After the improvement is implemented, the wireless controller (AC) assigns a wtp-report-index to each managed FortiAP, preventing spikes in CPU usage.
FG81EP4Q16000344 (root) # diag wireless-controller wlac -c ws | grep report
wtp-report-index : 1
wtp-report-index : 2
wtp-report-index : 3
wtp-report-index : 4
wtp-report-index : 5
wtp-report-index : 6
wtp-report-index : 7
wtp-report-index : 8
wtp-report-index : 9
wtp-report-index : 10
wtp-report-index : 11
wtp-report-index : 12
wtp-report-index : 13
wtp-report-index : 14
wtp-report-index : 15
wtp-report-index : 16
You can see the value for the wtp-report-index when you filter the data by device. In this example, the report index is 16.
FG81EP4Q16000344 (root) # diag wireless-controller wlac -c ws 10.231.40.15
-------------------------------WTP SESSION 1----------------------------
WTP session : 0-10.43.1.1:62433 CWAS_RUN
Ctrl in_ifIdx : 5/wan1
indev : 5/wan1
Data in_ifIdx : 5/wan1
indev : 0/
mesh uplink : ethernet
id : FP423E3X16000304
mgmt_vlanid : 0
wtp_wanlan_mode : wan-only
refcnt : 10
deleted : no
plain_ctl : disabled
wtp-mode : normal
wtp-report-index : 16
data-chan-sec : clear-text
ctl-msg-offload : ac=01ff/wtp_loc=01ff/wtp_rem=01ff/oper=01ff
session_id : 70386ec03c8bdcd630efda365b3f9ce0
ehapd cfg : done
message queue : 0/128 max 65
tId_10_sec : 3537
Ekahau : disabled
Aeroscout : disabled
FortiPresence : disabled
Radio 1 : AP
wlan cfg : 81ep_ssid1 81ep_ssid2 81ep_ssid4 81ep_wpa3_sae
vap-01(1) : 81ep_ssid1 90:6c:ac:dc:60:b0 lsw FOS-QA-Bruce_81ep1 Config success State RUN
vap-02(2) : 81ep_ssid2 90:6c:ac:dc:60:b1 lsw FOS-QA-Bruce_81ep2 Config success State RUN
vap-03(3) : 81ep_ssid4 90:6c:ac:dc:60:b2 lsw FOS-QA-BRUCE_roaming Config success State RUN
vap-04(4) : 81ep_wpa3_sae 90:6c:ac:dc:60:b3 lsw 81ep_wpa3_sae Config success State INIT
Radio 2 : AP
wlan cfg : 81ep_ssid1 81ep_ssid2 81ep_ssid4 81ep_wpa3_sae
vap-01(1) : 81ep_ssid1 90:6c:ac:dc:60:b8 lsw FOS-QA-Bruce_81ep1 Config success State RUN
vap-02(2) : 81ep_ssid2 90:6c:ac:dc:60:b9 lsw FOS-QA-Bruce_81ep2 Config success State RUN
vap-03(3) : 81ep_ssid4 90:6c:ac:dc:60:ba lsw FOS-QA-BRUCE_roaming Config success State RUN
vap-04(4) : 81ep_wpa3_sae 90:6c:ac:dc:60:bb lsw 81ep_wpa3_sae Config success State N/A
Radio 3 : Not Exist
Radio 4 : Not Exist
Radio 5 : Not Exist
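The following added example (not Fortinet code) parses saved output of diag wireless-controller wlac -c ws and reports which managed FortiAPs have no wtp-report-index and which index values are shared by more than one AP. The sample text is constructed in the field layout shown above with made-up serial numbers, and treating a shared index as worth reviewing is an assumption of this example.

```python
import re
from collections import Counter

# "key : value" lines; the separator rows contain no colon and are skipped.
FIELD = re.compile(r"^\s*(.+?)\s*:\s+(.*)$")

# Constructed sample; serial numbers and ports are made up for illustration.
SAMPLE = """\
-------------------------------WTP SESSION 1----------------------------
WTP session : 0-10.43.1.1:62433 CWAS_RUN
id : FP423E3X00000001
wtp-mode : normal
wtp-report-index : 1
-------------------------------WTP SESSION 2----------------------------
WTP session : 0-10.43.1.1:62434 CWAS_RUN
id : FP423E3X00000002
wtp-mode : normal
-------------------------------WTP SESSION 3----------------------------
WTP session : 0-10.43.1.1:62435 CWAS_RUN
id : FP423E3X00000003
wtp-mode : normal
wtp-report-index : 1
"""

def parse_sessions(text):
    """Return one dict per WTP session with its id and report index (None if absent)."""
    sessions = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "WTP session":  # every session record starts with this field
            sessions.append({"session": value.split()[0], "id": None, "index": None})
        elif sessions and key == "id":
            sessions[-1]["id"] = value
        elif sessions and key == "wtp-report-index":
            sessions[-1]["index"] = int(value)
    return sessions

def audit(sessions):
    """List APs with no report index and index values held by more than one AP."""
    missing = [s["id"] for s in sessions if s["index"] is None]
    counts = Counter(s["index"] for s in sessions if s["index"] is not None)
    shared = sorted(i for i, n in counts.items() if n > 1)
    return {"total": len(sessions), "missing": missing, "shared": shared}

if __name__ == "__main__":
    print(audit(parse_sessions(SAMPLE)))
```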
You can also see the device's wtp-report-index value when you view the WTP configuration in FortiAP.
FortiAP-423E # cw_diag -c wtp-cfg
WTP Configuration
name : FortiAP-423E
loc : N/A
ap mode : thin AP
fmvap : FG81EP4Q16000344,(12ac979c,5e693999,1),1800,0
atf mode : disabled
dual-5g mode : disabled
poe mode : auto
poe mode oper : 802.3at
led mode : normal
led schedules : SMTWTFS 00:00->00:00,
WAN port cnt : 2
lan1 : carrier=1, speed=1000, duplex=full
lan2 : carrier=0, speed=0, duplex=
energy-efficient-eth : disable
extension info enable: enable
allowaccess : https ssh
lldp enable : enable
wtp-report-index : 16
ctl-msg-offload : ac=01ff/wtp=01ff/oper=01ff
radio cnt : 2
sta info : 0/0
echo-interval : 30
keep-alive-interval : 30
max-retransmit : 3
dc-dead-interval : 120
discovery-interval : 5
report-interval : 30
sta-stats-interval : 1
vap-stats-interval : 15
radio-stats-interval : 15
sta-cap-interval : 30
idle-timeout : 300
fpresence-interval : 3600, 30
statistics-interval : 120
fsm-state : RUN 439
wtp-ip-addr : 10.231.40.15:25246 - 10.231.40.15:36529
ac-ip-addr : 172.18.56.46:5246 - 172.18.56.46:5247 DHCP
base-mac : 90:6c:ac:dc:60:a8
bulk data seq num : -1
ap-mgmt-vlanid : 0
ac-cert-version : 1
cert-version-oper : 1
data-chan-sec-cfg : clear-text dtls ipsec
data-chan-sec-oper : clear-text
ip-frag-prevent : TCP_MSS (ul_mtu=1500 dl_mtu=1500)
ekahau : disabled
aeroscout : disabled
data-ethernet-II : disabled
fortipresence : disabled, ble enabled, rogue disabled, unassoc_sta enabled, freq 30
server 0.0.0.0:3000 secret csum [0xc6a7] project [fortipresence]
LAN mode : disabled
LAN port cnt : 0
encrypt_key[0-15] : 14-aa-7f-3e-34-a1-83-e7-ca-51-49-2c-e3-64-b3-03
encrypt_key[16-31] : 70-1a-42-5b-a5-5d-79-f0-c4-6e-e0-2f-a8-81-58-13