Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Stale user-table entry and duplicate IP address

I identified an issue yesterday whereby after authenticating, my device was given an IP address by our external DHCP server but not able to access any resources.  Upon inspection of the user list, there was already a client that appeared to be using that address, and my device appeared with its external data network IP.  The DHCP logs show that the second device released its lease and that my device took the address several minutes later.

 

I guess there is a lag between release of the IP when disconnecting, and removing it from the user table, effectively allowing DHCP to offer addresses that the controller still thinks are in use.

 

Is this situation a case for using aaa user fast age?

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Stale user-table entry and duplicate IP address

Yes, or "enforce dhcp" in the AAA profile.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Re: Stale user-table entry and duplicate IP address

I was under the impression 'Enforce DHCP' simply prevented statically assigned IP addresses?  This is not the case here as both devices got the address from the DHCP server, but the controller failed to acknowledge the disconnect/release in time.

 

The odd thing is, under the client list in the GUI, the entry for the IP address that my device had been given, showed my access point, but the other user's name and device.  Is this a bug?

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Stale user-table entry and duplicate IP address

If you have a user that is getting another device's ip address via DHCP, I would make sure that your DHCP lease is at least 15 minutes long to prevent that.

 

Enforce DHCP only allows a device that gets an ip address from a DHCP conversation that the controller has seen to enter the user table.  The controller does not use a DHCP release in any DHCP enforcement.

 

I do not have your logs, so I cannot comment on the display being a bug.  If you open a case with TAC they might be able to provide clarity.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Re: Stale user-table entry and duplicate IP address

The lease is set to 1 day.  The issue is that the user is not removed from the list of users on the controller quickly enough once it disconnects.  This allows a different client to legitimately re-use the IP address, but not be able to connect through the controller.

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Stale user-table entry and duplicate IP address

What is the output of "show aaa timers"? 

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Re: Stale user-table entry and duplicate IP address

Global User idle timeout = 3600 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Stale user-table entry and duplicate IP address

Joecarter,

Is there a reason the idle-timeout is 3600? It is typically 300. If your lease is one day it should not matter, but I would try AAA user fast age before adjusting the timer back to the defaults.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 6
Registered: ‎02-11-2015

Re: Stale user-table entry and duplicate IP address

How do you change the AAA fast age? I could not find it anywhere.

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Stale user-table entry and duplicate IP address

config t
aaa user fast-age

Colin Joseph
Aruba Customer Engineering
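
An added example, not part of any post in this thread and not Aruba code: a small Python audit that compares a user-table snapshot with DHCP server events to spot the kind of stale entry discussed above, using the 3600-second idle timeout reported earlier. The tuple layouts, addresses and timestamps are constructed, and treating the idle timer as starting at the DHCP release is an assumption.

```python
"""Flag user-table rows whose IP the DHCP server no longer leases to that MAC."""

# Constructed sample data. The tuple layouts are assumptions for this example,
# not real controller or DHCP server output formats.
DHCP_EVENTS = [  # (epoch seconds, event, ip, mac)
    (1000, "ACK", "10.1.20.57", "aa:aa:aa:00:00:01"),
    (1200, "ACK", "10.1.20.58", "cc:cc:cc:00:00:03"),
    (5000, "RELEASE", "10.1.20.57", "aa:aa:aa:00:00:01"),
    (5240, "ACK", "10.1.20.57", "bb:bb:bb:00:00:02"),
]
USER_TABLE = [  # (ip, mac) rows from a snapshot taken at time `now`
    ("10.1.20.57", "aa:aa:aa:00:00:01"),
    ("10.1.20.58", "cc:cc:cc:00:00:03"),
]


def lease_state(events, now):
    """Replay events up to `now`; return {ip: (holder_mac_or_None, last_release_time)}."""
    state = {}
    for ts, kind, ip, mac in sorted(events):
        if ts > now:
            break
        holder, released = state.get(ip, (None, None))
        if kind == "ACK":
            holder = mac.lower()
        elif kind == "RELEASE" and holder == mac.lower():
            holder, released = None, ts
        state[ip] = (holder, released)
    return state


def find_stale(user_table, events, now, idle_timeout):
    """Return rows where the table's MAC no longer holds the lease for that IP."""
    state = lease_state(events, now)
    findings = []
    for ip, mac in user_table:
        holder, released = state.get(ip, (None, None))
        if holder == mac.lower():
            continue  # table and DHCP server agree
        # Assumption: the idle timer starts roughly when the old client released.
        expires_in = None if released is None else max(0, released + idle_timeout - now)
        findings.append({"ip": ip, "table_mac": mac, "lease_mac": holder,
                         "idle_expiry_in": expires_in})
    return findings


if __name__ == "__main__":
    for f in find_stale(USER_TABLE, DHCP_EVENTS, now=5300, idle_timeout=3600):
        print(f)
```

A finding with a non-empty `lease_mac` means the address has already been handed to a second device while the old entry is still present; `idle_expiry_in` estimates how long the idle timeout alone would leave it there.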
