Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

  • 1.  SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    Posted Jul 06, 2014 12:12 AM

    I have a 200 controller running 5.0.4.16 and I've been monitoring some snmp values for the past year in cacti and about 2 months ago the count for 802.1x users seems to just climb and climb as the controller is powered on.  I looked back in the config changes and found that I had enabled the ipv6 firewall around this time.  I tried disabling it but the value still seemed wrong until I did a reload.  I even tried doing a re-init on the wms database before disabling the ipv6 firewall but after rebooting it seemed like the value would start at about 2x the number it should be and then continue to climb.

     

    .1.3.6.1.4.1.14823.2.2.1.4.1.4.1.0 = Gauge32: 17 << 802.1x user count
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.2.0 = Gauge32: 0
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.3.0 = Gauge32: 0
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.4.0 = Gauge32: 2
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.5.0 = Gauge32: 0

     

    After disabling the ipv6 firewall AND reloading:

    .1.3.6.1.4.1.14823.2.2.1.4.1.4.1.0 = Gauge32: 5 << 802.1x user count
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.2.0 = Gauge32: 0
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.3.0 = Gauge32: 0
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.4.0 = Gauge32: 2
    .1.3.6.1.4.1.14823.2.2.1.4.1.4.5.0 = Gauge32: 0

     

    I didn't find any KB describing this, so I'm not sure what is going on.  Any ideas?

    Thanks!



  • 2.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    EMPLOYEE
    Posted Jul 06, 2014 07:32 AM

    Do you see ipv6 users in the user table?  Every device that is configured for ipv6 will now show as a user in that table, when you enable ipv6 firewall.

     

     

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1160

     



  • 3.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    Posted Jul 06, 2014 10:29 AM

    They did, but why does the count continue to grow and not reset when the stations leave?  I usually only had 5-10 stations on at any time but after enabling the ipv6 firewall it would go up to 80-100.  I can see how the controller may treat the stations as 2 stations but should that affect the layer 2 count for 802.1x stations?  See the attached graph, you can see the moment I enabled the ipv6 fw.

    Thanks,

    Mike



  • 4.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    Posted Jul 06, 2014 10:42 AM

    They did, but why does the count continue to grow and not reset when the stations leave?  I usually only had 5-10 stations on at any time but after enabling the ipv6 firewall it would go up to 80-100.  I can see how the controller may treat the stations as 2 stations but should that affect the layer 2 count for 802.1x stations?  See the attached graph, you can see the moment I enabled the ipv6 fw.

    Thanks,

    Mike

    graph_image.png



  • 5.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    Posted Jul 06, 2014 10:57 AM

    Ok I turned it on and the number seems to equal the total of both user tables.  I'll monitor it and see if it keeps growing.



  • 6.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    Posted Jul 07, 2014 06:40 PM

    So after about a day I have 6 ipv4 user table entries and 25 ipv6.  It looks like some devices have like 3-4 ipv6 addresses. I'm using eui-64 and auto config but not sure why some devices get several different ips.  I'll keep it on and see if it goes up to 100 like my graph showed.

     

    My iPhone shows up in the ipv6 user table 11 times with different ips. Weird.



  • 7.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    EMPLOYEE
    Posted Jul 07, 2014 06:44 PM

    arubasecrets,

     

    ipv6 devices can have multiple addresses, yes.

     



  • 8.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    Posted Jul 08, 2014 09:41 AM

    So it seems like the ipv6 sessions never expire.   Right now there are 4 ipv4 stations present and 36 ipv6 stations present, showing devices that aren't even within range.  I set ipv6 firewall session-idle-timeout  60 to see if that changes anything and it has not.  Is it normal for stations to stay in the ipv6 list for days after they are not associated?

    thanks,

    Mike



  • 9.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    EMPLOYEE
    Posted Jul 08, 2014 10:07 AM

    Please open a support case.



  • 10.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    Posted Jul 08, 2014 10:30 AM

    I'm ok with just turning off the ipv6 firewall, I don't need it.  I just thought there was a bug with the snmp user count but now that I see it's related to the ipv6 user-table I'll just turn it off.

    thanks,

    Mike



  • 11.  RE: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

    EMPLOYEE
    Posted Jul 06, 2014 10:44 AM
    Please look in the actual user table on the controller to see the output there. Compare the users listed to the SNMP numbers.
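
Added example, not part of any post in this thread: a Python sketch of the comparison suggested above, reconciling the 802.1x gauge with user-table entries and collapsing them to one station per MAC, since the thread reports one device holding several IPv6 addresses. The `(mac, ip)` tuples and the function names are assumptions; the sample values are constructed and do not reproduce the controller's CLI output.

```python
import re
from collections import defaultdict

# OID the original poster annotated as the 802.1x user count.
DOT1X_USER_COUNT_OID = ".1.3.6.1.4.1.14823.2.2.1.4.1.4.1.0"
GAUGE_RE = re.compile(r"^\s*(\.[\d.]+)\s*=\s*Gauge32:\s*(\d+)")

def parse_gauges(snmpwalk_text):
    """Return {oid: value} for each Gauge32 line; trailing notes are ignored."""
    gauges = {}
    for line in snmpwalk_text.splitlines():
        m = GAUGE_RE.match(line)
        if m:
            gauges[m.group(1)] = int(m.group(2))
    return gauges

def reconcile(snmpwalk_text, user_entries):
    """Compare the gauge with user-table entries given as (mac, ip) tuples."""
    gauge = parse_gauges(snmpwalk_text)[DOT1X_USER_COUNT_OID]
    per_mac = defaultdict(list)
    for mac, ip in user_entries:
        per_mac[mac.lower()].append(ip)
    ipv6 = sum(1 for _, ip in user_entries if ":" in ip)
    return {
        "gauge": gauge,
        "ipv4_entries": len(user_entries) - ipv6,
        "ipv6_entries": ipv6,
        "stations": len(per_mac),  # one per MAC: the number to graph
        "gauge_matches_entries": gauge == len(user_entries),
        "multi_address_macs": sorted(
            m for m, ips in per_mac.items() if len(ips) > 1),
    }

# Constructed sample data (documentation address ranges, made-up MACs).
SAMPLE_WALK = ".1.3.6.1.4.1.14823.2.2.1.4.1.4.1.0 = Gauge32: 6 << 802.1x user count\n"
SAMPLE_ENTRIES = [
    ("02:00:00:00:00:01", "192.0.2.10"),
    ("02:00:00:00:00:01", "fe80::ff:fe00:1"),
    ("02:00:00:00:00:01", "2001:db8::ff:fe00:1"),
    ("02:00:00:00:00:02", "192.0.2.11"),
    ("02:00:00:00:00:02", "fe80::ff:fe00:2"),
    ("02:00:00:00:00:02", "2001:db8::a1b2"),
]

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_WALK, SAMPLE_ENTRIES).items():
        print(f"{key}: {value}")
```

A gauge that matches the entry count while `stations` stays low points to per-address counting rather than extra clients; a gauge that exceeds the entry count would need a different explanation.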