Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
'aaa user fast-age' - Typically, this command is used to time-out IP spoofing sessions quickly. When the controller detects multiple user sessions with same MAC address, the controller pings those IPs. If no ICMP reply is received, the user entries are deleted.
Note for VPN users with Windows Firewall enabled:
Any VPN user always has two IP addresses (inner IP and outer IP) bound to the same MAC address. When fast-age is enabled and both VPN user entries are created, the controller pings both entries and wait for replies. When the VPN user does not have Windows Firewall installed or enabled, it will send the ICMP reply for both inner IP and outer IP ICMP requests.
However, when the VPN user has Windows Firewall enabled, it usually drops the ICMP reply for the inner IP ('allow icmp request' in the firewall is only for the outer IP), the following entries are examples from the Windows Firewall log (if enabled):
2006-09-21 16:58:56 DROP ICMP 172.26.245.47 172.26.245.1 - - 212 - - - - 0 0 - SEND
2006-09-25 15:04:18 DROP ICMP 172.26.245.76 172.26.245.1 - - 212 - - - - 0 0 - SEND
The controller then tears down the session for the inner IP and the VPN user connection is disconnected.
So if there is a VPN user on the controller, do not use the 'aaa user fast-age' command, or disable Windows Firewall.