ArubaOS and Controllers

Reply
Occasional Contributor I
Posts: 6
Registered: ‎04-15-2010

Continuously being kicked off because of login role?

This morning I upgraded from 5.3.something to 6.1.2.3 and ever since then our clients have been getting kicked off the network every five minutes.

Based on what tech support told me, I think the problem is because everyone is in the user role, which has a five minute limit. Our configuration says to put them in the guest role though, so I'm not sure why it would do that.

I turned on user logging and found the following lines, which I think might be telling:

right before it kicks me off

Oct 11 14:23:10 Aruba3600-2 authmgr: <522005> MAC=e0:f8:47:29:f8:e0 IP=fe80::e2f8:47ff:fe29:f8e0 User entry deleted: reason=logon role lifetime reached



shortly after reconnecting:

Oct 11 14:20:57 Aruba3600-2 authmgr: <199802> user.c, ip_user_new:543: Role for user e0:f8:47:29:f8:e0 set to 'logon' since AAA profile not found



I've been working with tech support most of the day, but they have not been able to help. (and the logging they set up doesn't show the logs I found, so they are puzzled as to why it would kick me off if it was in the guest role.

I would _really_ love it if someone had any idea why that might happen. Otherwise I'll need to revert back to 5.x and I'm not sure when I'll be brave enough to try again.


Here is some more context


Oct 11 14:20:53 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 def_vlan 135 derive vlan: 0 auth_type 0 auth_subtype 0
Oct 11 14:20:53 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 def_vlan 135 derive vlan: 0 auth_type 0 auth_subtype 0
Oct 11 14:20:53 Aruba3600-1 authmgr: <124004> MM: mac=e0:f8:47:29:f8:e0, state=1, name=, role=guest, dev_type=OS X, ip=138.236.35.158
Oct 11 14:20:57 Aruba3600-2 authmgr: <522026> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User miss: ingress=0x1083, VLAN=135
Oct 11 14:20:57 Aruba3600-2 authmgr: <522026> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User miss: ingress=0x1083, VLAN=135
Oct 11 14:20:57 Aruba3600-2 authmgr: <199802> user.c, ip_user_new:543: Role for user e0:f8:47:29:f8:e0 set to 'logon' since AAA profile not found
Oct 11 14:20:57 Aruba3600-2 authmgr: <522006> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User entry added: reason=Sibyte
Oct 11 14:20:57 Aruba3600-2 authmgr: <522006> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User entry added: reason=Sibyte
Oct 11 14:20:57 Aruba3600-2 authmgr: <124004> sta_add_l3: mac e0:f8:47:29:f8:e0 ip 2001:468:1930:32:e2f8:47ff:fe29:f8e0
Oct 11 14:20:57 Aruba3600-2 authmgr: <124004> MM: mac=e0:f8:47:29:f8:e0, state=3, name=, role=logon, dev_type=, ip=32.1.4.104
Oct 11 14:20:57 Aruba3600-2 authmgr: <124004> Adding user: 10c8105c (e0:f8:47:29:f8:e0:2001:468:1930:32:e2f8:47ff:fe29:f8e0:) to ap group:default ap group id: 2162
Oct 11 14:20:57 Aruba3600-2 authmgr: <522050> MAC=e0:f8:47:29:f8:e0,IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User data downloaded to datapath, new Role=logon/1, bw Cod
Oct 11 14:20:57 Aruba3600-2 authmgr: <522050> MAC=e0:f8:47:29:f8:e0,IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User data downloaded to datapath, new Role=logon/1, bw Cod






Oct 11 14:23:10 Aruba3600-2 authmgr: <124004> MM: mac=e0:f8:47:29:f8:e0, state=2, name=, role=logon, dev_type=OS X, ip=254.128.0.0
Oct 11 14:23:10 Aruba3600-2 authmgr: <522005> MAC=e0:f8:47:29:f8:e0 IP=fe80::e2f8:47ff:fe29:f8e0 User entry deleted: reason=logon role lifetime reached
Oct 11 14:23:10 Aruba3600-2 authmgr: <522005> MAC=e0:f8:47:29:f8:e0 IP=fe80::e2f8:47ff:fe29:f8e0 User entry deleted: reason=logon role lifetime reached
Oct 11 14:23:10 Aruba3600-2 authmgr: <124004> sta_del_l3: mac e0:f8:47:29:f8:e0 ip fe80::e2f8:47ff:fe29:f8e0
Oct 11 14:23:18 Aruba3600-1 stm: <501065> Sending STA e0:f8:47:29:f8:e0 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x87, 0
Oct 11 14:23:18 Aruba3600-1 stm: <501065> Sending STA e0:f8:47:29:f8:e0 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x87, 0
Oct 11 14:23:18 Aruba3600-1 mobileip: <500511> Station e0:f8:47:29:f8:e0, 0.0.0.0: Received disassociation on ESSID: GACsecure Mobility service ON, HA Discovery on As5
Oct 11 14:23:18 Aruba3600-1 mobileip: <500511> Station e0:f8:47:29:f8:e0, 0.0.0.0: Received disassociation on ESSID: GACsecure Mobility service ON, HA Discovery on As5
Oct 11 14:23:18 Aruba3600-1 authmgr: <522036> MAC=e0:f8:47:29:f8:e0 Station DN: BSSID=00:24:6c:ab:9d:19 ESSID=GACsecure VLAN=135 AP-name=Olin GTS Wireless
Oct 11 14:23:18 Aruba3600-1 mobileip: <500010> Station e0:f8:47:29:f8:e0, 255.255.255.255: Mobility trail, on switch 138.236.16.251, VLAN 135, AP Olin GTS Wireless, Ga
Oct 11 14:23:18 Aruba3600-1 authmgr: <522036> MAC=e0:f8:47:29:f8:e0 Station DN: BSSID=00:24:6c:ab:9d:19 ESSID=GACsecure VLAN=135 AP-name=Olin GTS Wireless
Oct 11 14:23:18 Aruba3600-1 stm: <501000> Station e0:f8:47:29:f8:e0: Clearing state
Oct 11 14:23:18 Aruba3600-1 mobileip: <500010> Station e0:f8:47:29:f8:e0, 255.255.255.255: Mobility trail, on switch 138.236.16.251, VLAN 135, AP Olin GTS Wireless, Ga
Oct 11 14:23:18 Aruba3600-1 stm: <501000> Station e0:f8:47:29:f8:e0: Clearing state
Oct 11 14:23:18 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 ingress 0x10b9 (tunnel 57), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP0
Oct 11 14:23:18 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 ingress 0x10b9 (tunnel 57), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP0
Oct 11 14:24:23 138.236.65.215 stm: <501109> <138.236.16.251 138.236.16.251> Auth request: e0:f8:47:29:f8:e0: AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless auth_alg 0
Oct 11 14:24:23 138.236.65.215 stm: <501093> <138.236.16.251 138.236.16.251> Auth success: e0:f8:47:29:f8:e0: AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless
Oct 11 14:24:23 Aruba3600-1 stm: <501095> Assoc request @ 14:24:23.725630: e0:f8:47:29:f8:e0 (SN 214): AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless
Oct 11 14:24:23 138.236.65.215 stm: <501095> <138.236.16.251 138.236.16.251> Assoc request @ 14:24:23.194719: e0:f8:47:29:f8:e0 (SN 214): AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless
Oct 11 14:24:23 Aruba3600-1 stm: <501095> Assoc request @ 14:24:23.726047: e0:f8:47:29:f8:e0 (SN 214): AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless
Oct 11 14:24:23 138.236.65.215 stm: <501100> <138.236.16.251 138.236.16.251> Assoc success @ 14:24:23.195526: e0:f8:47:29:f8:e0: AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless
Oct 11 14:24:23 Aruba3600-1 stm: <501100> Assoc success @ 14:24:23.729692: e0:f8:47:29:f8:e0: AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless
Oct 11 14:24:23 Aruba3600-1 stm: <501100> Assoc success @ 14:24:23.730154: e0:f8:47:29:f8:e0: AP 138.236.65.215-00:24:6c:ab:9d:19-Olin GTS Wireless
Oct 11 14:24:23 Aruba3600-1 stm: <501065> Sending STA e0:f8:47:29:f8:e0 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x87, wmm:1, rsn_cap:0
Oct 11 14:24:23 Aruba3600-1 stm: <501065> Sending STA e0:f8:47:29:f8:e0 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x87, wmm:1, rsn_cap:0
Oct 11 14:24:23 Aruba3600-1 authmgr: <522035> MAC=e0:f8:47:29:f8:e0 Station UP: BSSID=00:24:6c:ab:9d:19 ESSID=GACsecure VLAN=135 AP-name=Olin GTS Wireless
Oct 11 14:24:23 Aruba3600-1 authmgr: <522035> MAC=e0:f8:47:29:f8:e0 Station UP: BSSID=00:24:6c:ab:9d:19 ESSID=GACsecure VLAN=135 AP-name=Olin GTS Wireless
Oct 11 14:24:23 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 ingress 0x13d0 (tunnel 848), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Oct 11 14:24:23 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 ingress 0x13d0 (tunnel 848), u_encr 32, m_encr 32, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Oct 11 14:24:23 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0, wired: 0, vlan:135 ingress:0x13d0 (tunnel 848), new_aaa_prof: GACsecure-aaa-profile, stored profile: GACsecure-aaa-profile stored wired: 0 stored essid: GACsecure
Oct 11 14:24:23 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0, wired: 0, vlan:135 ingress:0x13d0 (tunnel 848), new_aaa_prof: GACsecure-aaa-profile, stored profile: GACsecure-aaa-profile stored wired: 0 stored essid: GACsecure
Oct 11 14:24:23 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 def_vlan 135 derive vlan: 0 auth_type 0 auth_subtype 0
Oct 11 14:24:23 Aruba3600-1 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 def_vlan 135 derive vlan: 0 auth_type 0 auth_subtype 0
Oct 11 14:24:23 Aruba3600-1 authmgr: <124004> MM: mac=e0:f8:47:29:f8:e0, state=1, name=, role=guest, dev_type=OS X, ip=138.236.35.158
Oct 11 14:24:23 Aruba3600-1 mobileip: <500511> Station e0:f8:47:29:f8:e0, 0.0.0.0: Received association on ESSID: GACsecure Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name Olin GTS Wireless Group default BSSID 00:24:6c:ab:9d:19, phy a, VLA5
Oct 11 14:24:23 Aruba3600-1 mobileip: <500511> Station e0:f8:47:29:f8:e0, 0.0.0.0: Received association on ESSID: GACsecure Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name Olin GTS Wireless Group default BSSID 00:24:6c:ab:9d:19, phy a, VLA5
Oct 11 14:24:23 Aruba3600-1 mobileip: <500010> Station e0:f8:47:29:f8:e0, 0.0.0.0: Mobility trail, on switch 138.236.16.251, VLAN 135, AP Olin GTS Wireless, GACsecure/00:24:6c:ab:9d:19/a
Oct 11 14:24:23 Aruba3600-1 mobileip: <500010> Station e0:f8:47:29:f8:e0, 0.0.0.0: Mobility trail, on switch 138.236.16.251, VLAN 135, AP Olin GTS Wireless, GACsecure/00:24:6c:ab:9d:19/a
Oct 11 14:27:11 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 1 of 3 (id=8214, seq=20115)
Oct 11 14:27:11 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 1 of 3 (id=8214, seq=20115)
Oct 11 14:27:17 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 2 of 3 (id=8214, seq=20134)
Oct 11 14:27:17 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 2 of 3 (id=8214, seq=20134)
Oct 11 14:27:22 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 3 of 3 (id=8214, seq=20151)
Oct 11 14:27:22 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 3 of 3 (id=8214, seq=20151)
Oct 11 14:27:27 Aruba3600-2 authmgr: <124004> MM: mac=e0:f8:47:29:f8:e0, state=2, name=, role=logon, dev_type=OS X, ip=32.1.4.104
Oct 11 14:27:27 Aruba3600-2 authmgr: <522005> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User entry deleted: reason=idle timeout
Oct 11 14:27:27 Aruba3600-2 authmgr: <522005> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User entry deleted: reason=idle timeout
Oct 11 14:27:27 Aruba3600-2 authmgr: <124004> sta_del_l3: mac e0:f8:47:29:f8:e0 ip 2001:468:1930:32:e2f8:47ff:fe29:f8e0
Oct 11 14:29:00 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=138.236.35.158 Send mobility delete message, flags=0x0
Oct 11 14:29:00 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=138.236.35.158 Send mobility delete message, flags=0x0
Oct 11 14:29:00 Aruba3600-2 authmgr: <522004> Deleting RAP Wired User (tunnel) e0:f8:47:29:f8:e0/138.236.35.158 from STM stats tree
Guru Elite
Posts: 20,373
Registered: ‎03-29-2007

Re: Continuously being kicked off because of login role?

If your device is in the "logon" role, it will get kicked off. That is normally the role users are in before they authenticate. What I also see is that your devices cannot be pinged. if the user is not passing traffic and cannot be pinged 4 times (about 5 minutes), they get logged off:


: <522004>    MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 1 of 3 (id=8214, seq=20115)
Oct 11 14:27:11 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 1 of 3 (id=8214, seq=20115)
Oct 11 14:27:17 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 2 of 3 (id=8214, seq=20134)
Oct 11 14:27:17 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 2 of 3 (id=8214, seq=20134)
Oct 11 14:27:22 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 3 of 3 (id=8214, seq=20151)
Oct 11 14:27:22 Aruba3600-2 authmgr: <522004> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 Sending ping6 3 of 3 (id=8214, seq=20151)
Oct 11 14:27:27 Aruba3600-2 authmgr: <124004> MM: mac=e0:f8:47:29:f8:e0, state=2, name=, role=logon, dev_type=OS X, ip=32.1.4.104
Oct 11 14:27:27 Aruba3600-2 authmgr: <522005> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User entry deleted: reason=idle timeout
Oct 11 14:27:27 Aruba3600-2 authmgr: <522005> MAC=e0:f8:47:29:f8:e0 IP=2001:468:1930:32:e2f8:47ff:fe29:f8e0 User entry deleted: reason=idle timeout


The only way around this is to change the user idle timer for more than 5 minutes.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎04-15-2010

Re: Continuously being kicked off because of login role?

We don't have any authentication (that the aruba system knows about)

The "initial role" on the config is set to guest, not logon. But it is going to logon anyway.

(and we didn't have this problem prior to upgrading)

How long can the timeout be set to? Unless it is unlimited, that sounds like a big problem. Why can't I set up a network that doesn't have that timeout?
Guru Elite
Posts: 20,373
Registered: ‎03-29-2007

Re: Continuously being kicked off because of login role?

Since you have already engaged with support and they have the details of your case, please let them troubleshoot it so that this can get resolved. Getting help for this type of problem will be slow and painful on this forum.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 47
Registered: ‎06-15-2010

Re: Continuously being kicked off because of login role?

I have a similiar issue with 6.1.2.3. Clients authenticate through the captive portal and are put into their correct role based on LDAP server derivation rules (staff,student,guest etc). They are then immediately kicked off a put into the logon role, judging from the dubug reason being, "User entry deleted: reason=essid change".

sommere did you get any feedback from support in regards to this issue? Your problem appears to be different but but strangely similiar, could be that they are related.
Contributor I
Posts: 27
Registered: ‎05-13-2010

Re: Continuously being kicked off because of login role?

In my opinion it is slow and painful with TAC for them to diagnose the issues. Where is the QA?

I have a different but similar problem on 6.1.2.3 where my client will be sitting there passing traffic and all of the sudden all my traffic will stop. I get thrown out of the user table because the controller says I am idle but my client still says I am connected to the AP.
Guru Elite
Posts: 20,373
Registered: ‎03-29-2007

Re: Continuously being kicked off because of login role?

- Not every problem is easy to discover, replicate, diagnose, patch, QA and deploy. The most troublesome corner cases take more time and effort just to replicate.
- Everyone who has a problem should get a case open so that Aruba can be aware and start the process, because different problems may present themselves as similar to others, while the solution may not be the same
- While you can compare symptoms, the cause and solution could be markedly different, so ALL issues should be reported to TAC
- Nobody on the forum is equipped to deal with really difficult issues, because there is a limit to what can be conveyed here due to privacy.
- Everyone who can say "I am experiencing the same thing" should have a TAC case open.
- The more people that open a case with the same symptoms, the quicker that TAC can find out what is in common and come to a resolution that works for all.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: