Wireless Access

last person joined: 4 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Multiple user entries in user table

Jump to Best Answer
This thread has been viewed 1 times
  • 1.  Multiple user entries in user table

    Posted Feb 06, 2020 12:31 PM

    AOS8.4.0.4 cluster

    I was doing some troubleshooting for a user today and noticed that if I look in the global-user-table on the MM and filter for his username he has hundreds of entries (so many that I cancelled the search before all of the entries had been listed) ("show global list | inc <username>"). However if I run "show global list name <username>" I see a much more sane output (1 entry per MAC as you'd expect).

     

    He is connecting to a bridged dot1x SSID.

     

    If I do the same test on my own username in both cases the output is pretty normal looking.

     

    So I'm wondering if the fact that he has hundreds of entries is something to worry about? Is it an artefact of being connected to a bridged dot1x SSID? (Note that I am not connected to the same SSID, I am connected to a tunnelled dot1x SSID). What prompts an entry into the user-table?

     

    Thanks

    Guy

     

    ... as an addendum to this post, in the AP debug driver-log I see some entries for one of his devices:

     

    [7369184.346211] asap_user_add_entry: 36 callbacks suppressed
    [7369184.346239] asap_user_add_entry[1004]: User(ac:bc:32:7d:94:23 0) reach Max number
    [7369184.567076] asap_user_add_entry[1004]: User(ac:bc:32:7d:94:23 0) reach Max number
    [7369184.734326] asap_user_add_entry[1004]: User(ac:bc:32:7d:94:23 0) reach Max number
    [7369185.029109] asap_user_add_entry[1004]: User(ac:bc:32:7d:94:23 0) reach Max number
    [7369185.375181] asap_user_add_entry[1004]: User(ac:bc:32:7d:94:23 0) reach Max number

     

    There are repeated similar entries for this device. There aren't similar entries for other devices. One thing that is unique about this particular device is that it is a laptop running 2 VMs (in fact it is this device that prompted the troubleshooting - the symptoms are that only one of the VMs ever has connectivity, one always fails to connect though it is 'seen' on the network (ie his local switches and router (this is an enterprise environment)). It isn't always the same VM. The VMs are set to bridging mode. I bumped up the "Max IPv4 for wireless user" limit on his AAA profile to 4 in case he was hitting into the previous limit of 2 but this hasn't changed anything.

     



  • 2.  RE: Multiple user entries in user table
    Best Answer

    Posted Feb 11, 2020 12:59 AM

    hi Guy

     

    "What prompts an entry into the user-table"

    Any source IP address sent by a valid client mac address

     

    But, to your problem at hand, unfortunately bridge mode is limited to max ipv4 = 2 and ipv6 = 4 addresses irrespective of the setting in the aaa profile. This is to be addressed in AOS 8.7, but for now it's not possible for bridge mode.

     

     

     

     

     

     

     



  • 3.  RE: Multiple user entries in user table

    Posted Feb 11, 2020 04:55 AM

    Thank you, I think that explains the connectivity issues he is having, I'll pass the info on.

     

     

    "'What prompts an entry into the user-table'

    Any source IP address sent by a valid client mac address"

     

    So would you expect multiple entries (hundreds) as I am seeing in this case? I don't think it is limited to just him so am assuming it is either normal, or if not is affecting multiple users.

     

    Thanks for your help with this.



  • 4.  RE: Multiple user entries in user table

    Posted Feb 11, 2020 05:10 AM

    @cauliflower wrote:

    So would you expect multiple entries (hundreds) as I am seeing in this case? I don't think it is limited to just him so am assuming it is either normal, or if not is affecting multiple users.

     

    Thanks for your help with this.


    I'd have to see it - can you share some output ? If you prefer not to attach to the forum, send me a DM with a dropbox link or something like that

     

     



  • 5.  RE: Multiple user entries in user table

    Posted Feb 11, 2020 06:12 AM

    to what you sent - it looks like it might be a bridge mode bug in terms of all these repeated users (no doubt exacerbated by bumping up against the max ip4).

     

    8.4.x is dead now, so I don't know how far you want to take the issue, if you want to, send it to TAC - it's a valid concern (and should be reproducible by bumping on max ipv4).

     

    With that said, does each individual MD show the same result, e.g. what does the "show user-table verbose" show on .100 and .72 in your network ? (filtered by that same username)

     



  • 6.  RE: Multiple user entries in user table

    Posted Feb 11, 2020 09:49 AM

    No, I'm not seeing the same number of entries in the user table on the MCs, only when I run 'show global list | inc <user>' on the MM. And it does seem to be common to all users on this local SSID.

     

    I'm just looking at another dot1x bridged SSID and I can see the same thing happening. And again on a PSK bridged SSID the same thing with repeated entries for a MAC address.

     

    I'll raise it with TAC, I guess it might be nothing but it would be nice to know for sure. Thanks for your help.

     

    Guy