03-20-2012 12:50 PM
I have a sneaking suspicion that an ongoing problem I am seeing is related to running out of user licenses on a controller.
Does anyone know of an OID I can check periodically to report license stats? I'm looking for this type of information:
(controller) #show license-usage user
User License Usage
License Limit 8192
License Usage 8074
License Exceeded 0
License Platform 8192
Station Total 8074
Station AP entries 0
Station VPN entries 0
Station VPN users 0
Station xSec users 0
IP Users 4554
Association Users 7911
As of writing this I'm realizing that it is the platform limit that I am hitting. On another note, why is there such a difference between IP Users and Association Users?
Thanks in advance,
03-20-2012 05:45 PM
Impressive user counts. That's the highest loading I have seen on any device (and I have seen hundreds of sites...)
What you have below are indeed platform limits, rather than license limits (a subset of the platform limit... from 0% to 100% of platform limit in reality) per se.
I would investigate the users that you have from the 'show user' output on the controller under load. Or use Airwave to automatically generate a report of users and look at those in the pre-authentication role vs. post-authentication role.
If the vast majority are in the pre-authentication role, you may consider a strategy to ensure that you don't have users doing 'drive-bys' and consuming user 'space' on the controller.
Pls let us know ...
03-21-2012 04:41 AM
I have opened a support case on this subject.
If I issue the command "show user-table", there are significantly fewer user entries than what is reported by "License Usage". The "IP Users" field is an accurate representation of the number of users in the user table.
If I run the command 'show user-table unique | include "N/A"', there are hundreds of entries with ages ranging from 1 minute to 15 days. This cannot be correct. These users are also in our post-auth role, where they normally would be, so it seems that they are not just drive-bys. My first guess is that users are not being cleared properly when they go away, and they are taking up a license long after.
Is there a configuration directive for ageout that I may be missing?
Any suggestions would be appreciated.
03-21-2012 06:37 AM
Thanks for the observations. Definitely the path I was going down... e.g. potentially related to timeouts that may be set.
You can view some of the timeout values under configuration/authentication/advanced. See if those timeouts are very large as a starting point.
03-21-2012 07:11 AM
The longest timeout I can find is on the 802.1x authentication profile:
Reauthentication: 24 hrs
On the tab you suggested, I see:
User Idle Timeout: 900 sec
Logon User Lifetime: 5 min
All of those values seem appropriate.
P.S. I appreciate the help ruling things out. The less time I have to spend troubleshooting with TAC, the better!