Contributor I

SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

I have a 200 controller running 5.0.4.16 and I've been monitoring some snmp values for the past year in cacti and about 2 months ago the count for 802.1x users seems to just climb and climb as the controller is powered on.  I looked back in the config changes and found that I had enabled the ipv6 firewall around this time.  I tried disabling it but the value still seemed wrong until I did a reload.  I even tried doing a re-init on the wms database before disabling the ipv6 firewall but after rebooting it seemed like the value would start at about 2x the number it should be and then continue to climb.

 

.1.3.6.1.4.1.14823.2.2.1.4.1.4.1.0 = Gauge32: 17 << 802.1x user count
.1.3.6.1.4.1.14823.2.2.1.4.1.4.2.0 = Gauge32: 0
.1.3.6.1.4.1.14823.2.2.1.4.1.4.3.0 = Gauge32: 0
.1.3.6.1.4.1.14823.2.2.1.4.1.4.4.0 = Gauge32: 2
.1.3.6.1.4.1.14823.2.2.1.4.1.4.5.0 = Gauge32: 0

 

After disabling the ipv6 firewall AND reloading:

.1.3.6.1.4.1.14823.2.2.1.4.1.4.1.0 = Gauge32: 5 << 802.1x user count
.1.3.6.1.4.1.14823.2.2.1.4.1.4.2.0 = Gauge32: 0
.1.3.6.1.4.1.14823.2.2.1.4.1.4.3.0 = Gauge32: 0
.1.3.6.1.4.1.14823.2.2.1.4.1.4.4.0 = Gauge32: 2
.1.3.6.1.4.1.14823.2.2.1.4.1.4.5.0 = Gauge32: 0

 

I didn't find any KB describing this, so I'm not sure what is going on.  Any ideas?

Thanks!

Guru Elite

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

Do you see ipv6 users in the user table?  Every device that is configured for ipv6 will now show as a user in that table, when you enable ipv6 firewall.

 

 

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1160

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

They did, but why does the count continue to grow and not reset when the stations leave?  I usually only had 5-10 stations on at any time but after enabling the ipv6 firewall it would go up to 80-100.  I can see how the controller may treat the stations as 2 stations but should that affect the layer 2 count for 802.1x stations?  See the attached graph, you can see the moment I enabled the ipv6 fw.

Thanks,

Mike

[Attachment: graph_image.png]

Guru Elite

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

Please look in the actual user table on the controller to see the output there. Compare the users listed to the SNMP numbers.



Colin Joseph
Aruba Customer Engineering


Contributor I

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

Ok I turned it on and the number seems to equal the total of both user tables.  I'll monitor it and see if it keeps growing.

Contributor I

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

So after about a day I have 6 ipv4 user table entries and 25 ipv6.  It looks like some devices have like 3-4 ipv6 addresses. I'm using eui-64 and auto config but not sure why some devices get several different ips.  I'll keep it on and see if it goes up to 100 like my graph showed.

 

My iphone shows up in the ipv6 user table 11 times with different ips. Weird.
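
Added example, not part of any post in this thread: a Python sketch of the comparison suggested above, checking the polled gauge against user-table rows and against distinct stations. The OID and the `OID = Gauge32: N` line format come from the first post; the (MAC, IP) row layout, the function names and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# OID the first post labels as the 802.1x user count.
DOT1X_OID = ".1.3.6.1.4.1.14823.2.2.1.4.1.4.1.0"
GAUGE_RE = re.compile(r"^(?P<oid>\.[\d.]+) = Gauge32: (?P<val>\d+)")

def parse_gauges(walk_text):
    """Map OID -> value for each 'OID = Gauge32: N' line; trailing notes are ignored."""
    gauges = {}
    for line in walk_text.splitlines():
        m = GAUGE_RE.match(line.strip())
        if m:
            gauges[m["oid"]] = int(m["val"])
    return gauges

def summarize(entries):
    """Group (mac, ip) rows by station and count rows per address family."""
    per_mac = defaultdict(set)
    for mac, ip in entries:
        per_mac[mac.lower()].add(ip_address(ip))
    fam = lambda v: sum(1 for ips in per_mac.values() for ip in ips if ip.version == v)
    multi = {m: sum(ip.version == 6 for ip in ips) for m, ips in per_mac.items()}
    return {"stations": len(per_mac), "ipv4_entries": fam(4), "ipv6_entries": fam(6),
            "multi_v6": {m: n for m, n in multi.items() if n > 1}}

def reconcile(walk_text, entries):
    """Compare the polled gauge with table rows and with distinct stations."""
    report = summarize(entries)
    gauge = parse_gauges(walk_text)[DOT1X_OID]
    rows = report["ipv4_entries"] + report["ipv6_entries"]
    report.update(gauge=gauge, gauge_matches_rows=(gauge == rows),
                  excess_over_stations=gauge - report["stations"])
    return report

# Constructed sample data (documentation address ranges), not taken from the thread.
SAMPLE_WALK = DOT1X_OID + " = Gauge32: 7 << 802.1x user count\n"
SAMPLE_ENTRIES = [
    ("00:00:5E:00:53:01", "192.0.2.10"),
    ("00:00:5e:00:53:01", "2001:db8::5eff:fe00:5301"),
    ("00:00:5e:00:53:01", "2001:db8::1c2d:3e4f:5a6b:7c8d"),
    ("00:00:5e:00:53:01", "fe80::200:5eff:fe00:5301"),
    ("00:00:5e:00:53:02", "192.0.2.11"),
    ("00:00:5e:00:53:02", "fe80::200:5eff:fe00:5302"),
    ("00:00:5e:00:53:03", "192.0.2.12"),
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_WALK, SAMPLE_ENTRIES))
```

With the constructed rows, three stations account for seven table rows, so a gauge that tracks rows reads 4 higher than the station count.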

Guru Elite

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

arubasecrets,

 

ipv6 devices can have multiple addresses, yes.

 



Colin Joseph
Aruba Customer Engineering


Contributor I

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

So it seems like the ipv6 sessions never expire.   Right now there are 4 ipv4 stations present and 36 ipv6 stations present, showing devices that aren't even within range.  I set ipv6 firewall session-idle-timeout  60 to see if that changes anything and it has not.  Is it normal for stations to stay in the ipv6 list for days after they are not associated?

thanks,

Mike

Guru Elite

Re: SNMP 802.1x user count is inaccurate if ipv6 firewall is enabled?

Please open a support case.



Colin Joseph
Aruba Customer Engineering
