Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
aaa timer idle-timeout: This timer is for the datapath to detect if there are no more new sessions or traffic initiated for a user record. When the time has come, it signals the control plane "authmgr" to ping the client. The ping is three consecutive checks with 1 sec interval. If there is no ping response, you should issue an "aaa user delete w.x.y.z" command to clean up the user record. If the client can reply, the user record is kept for another round of idle timer.
The system administrator usually lowers the lease time when they run out of IP addresses. When the lease time is equal or lower than the idle timer, the IP spoofing event is triggered. Lower the idle timer to age out the old entries.
(SanLeandro2400) #show aaa timers
User idle timeout = 30 minutes
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes