Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Stale user-table entry and duplicate IP address

  • 1.  Stale user-table entry and duplicate IP address

    Posted Apr 20, 2015 09:17 AM

    I identified an issue yesterday whereby after authenticating, my device was given an IP address by our external DHCP server but not able to access any resources.  Upon inspection of the user list, there was already a client that appeared to be using that address, and my device appeared with its external data network IP.  The DHCP logs show that the second device released its lease and that my device took the address several minutes later.

     

    I guess there is a lag between release of the IP when disconnecting, and removing it from the user table, effectively allowing DHCP to offer addresses that the controller still thinks are in use.

     

    Is this situation a case for using aaa user fast age?



  • 2.  RE: Stale user-table entry and duplicate IP address

    Posted Apr 20, 2015 09:23 AM

    Yes, or "enforce dhcp" in the AAA profile.



  • 3.  RE: Stale user-table entry and duplicate IP address

    Posted Apr 20, 2015 09:31 AM

    I was under the impression 'Enforce DHCP' simply prevented statically assigned IP addresses?  This is not the case here, as both devices got the address from the DHCP server, but the controller failed to acknowledge the disconnect/release in time.

     

    The odd thing is, under the client list in the GUI, the entry for the IP address that my device had been given, showed my access point, but the other user's name and device.  Is this a bug?



  • 4.  RE: Stale user-table entry and duplicate IP address

    Posted Apr 20, 2015 09:50 AM

    If you have a user that is getting another device's ip address via DHCP, I would make sure that your DHCP lease is at least 15 minutes long to prevent that.

     

    Enforce DHCP only allows a device that gets an ip address from a DHCP conversation that the controller has seen to enter the user table.  The controller does not use a DHCP release in any DHCP enforcement.

     

    I do not have your logs, so I cannot comment on the display being a bug.  If you open a case with TAC they might be able to provide clarity.



  • 5.  RE: Stale user-table entry and duplicate IP address

    Posted Apr 20, 2015 09:56 AM

    The lease is set to 1 day.  The issue is that the user is not removed from the list of users on the controller quickly enough once it disconnects.  This allows a different client to legitimately re-use the IP address, but not be able to connect through the controller.



  • 6.  RE: Stale user-table entry and duplicate IP address

    Posted Apr 20, 2015 09:59 AM

    What is the output of "show aaa timers"? 



  • 7.  RE: Stale user-table entry and duplicate IP address

    Posted Apr 20, 2015 10:14 AM

    Global User idle timeout = 3600 seconds
    Auth Server dead time = 10 minutes
    Logon user lifetime = 5 minutes
    User Interim stats frequency = 300 seconds



  • 8.  RE: Stale user-table entry and duplicate IP address
    Best Answer

    Posted Apr 20, 2015 11:14 AM
    Joecarter,

    Is there a reason the idle-timeout is 3600? It is typically 300. If your lease is one day it should not matter, but I would try AAA user fast age before adjusting the timer back to the defaults.


  • 9.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 10:42 AM

    How do you change the AAA fast age? I could not find it anywhere.



  • 10.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 10:47 AM

    config t

    aaa user fast-age

     

     



  • 11.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 11:12 AM

    Thanks. What is the command to show what I configured?



  • 12.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 11:21 AM
    (Aruba7005-US) (config) #show aaa state configuration 
    
    Authentication State
    --------------------
    Name                            Value
    ----                            -----
    Switch IP                       192.168.1.3
    Switch IPv6                     
    Master IP                       192.168.1.3
    Switch Role                     master
    Current/Max/Total IPv4 Users    11/16/220
    Current/Max/Total IPv6 Users    0/0/0
    Current/Max/Total User Entries  11/16/228
    Current/Max/Total Stations      8/13/222
    Pending Station Deletes         0
    Captive Portal Users            0
    802.1x Users                    3
    VPN Users                       3
    MAC Users                       0
    Stateful 802.1x Users           0
    Tunneled users                  0
    Configured user roles           10
    Configured session ACL          49
    Configured destinations         25
    Configured services             96
    Configured Auth servers         3
    Auth server in service          3
    Radius server timeouts          0
    
    Successful authentications
    --------------------------
    Web  MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
    ---  ---  ---  ------  ---  -------  --------  ---------------  ----------
    0    0    6    501     0    0        0         0                0
    
    Failed authentications
    ----------------------
    Web  MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
    ---  ---  ---  ------  ---  -------  --------  ---------------  ----------
    0    0    0    0       0    0        0         0                0
    
    Idled users              = 202
    fast age                 = Enabled <--------------
    per-user log             = Enabled
    Bandwith contracts       = 0/0
    IP takeovers             = 0
    Ping/SYN/Sess/CP attacks = 0/0/0/0
    ARP/GratARP attacks      = 0/0
    


  • 13.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 11:34 AM

    Thank you very much for the information. 

     

    Please see my AAA state and log messages. Do you think AAA fast-age will resolve the issues showing in my log messages (duplicate on 172.16.4.0, etc.)?

     

    Also, is the idled users count of 132305 too big?

     

    thanks,

     

     

    (aruba02) #show aaa state configuration

    Authentication State
    --------------------
    Name                            Value
    ----                            -----
    Switch IP                       10.80.25.25
    Switch IPv6
    Master IP                       10.80.25.7
    Switch Role                     master
    Current/Max/Total IPv4 Users    1334/1446/836558
    Current/Max/Total IPv6 Users    0/0/0
    Current/Max/Total User Entries  1574/1752/579764
    Current/Max/Total Stations      1376/1559/578379
    Pending Station Deletes         35
    Captive Portal Users            13
    802.1x Users                    388
    VPN Users                       116
    MAC Users                       0
    Stateful 802.1x Users           0
    Tunneled users                  0
    Configured user roles           23
    Configured session ACL          68
    Configured destinations         30
    Configured services             100
    Configured Auth servers         5
    Auth server in service          5
    Radius server timeouts          49604

    Successful authentications
    --------------------------
    Web   MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
    ----  ---  ---  ------  ---  -------  --------  ---------------  ----------
    1360  0    782  134199  0    62       0         0                0

    Failed authentications
    ----------------------
    Web   MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
    ----  ---  ---  ------  ---  -------  --------  ---------------  ----------
    836   442  0    38799   0    0        0         0                0

    Idled users              = 132305
    fast age                 = Enabled
    per-user log             = Enabled
    Bandwith contracts       = 0/0
    IP takeovers             = 0
    Ping/SYN/Sess/CP attacks = 0/0/0/0
    ARP/GratARP attacks      = 0/0

     

    show log network 50

     

    Aug 12 18:48:18 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.93: pinged before offer
    Aug 12 18:50:03 :202084: <WARN> |dhcpdwrap| Pool 172.16.4.0/24 has abandoned lease(s)
    Aug 12 18:52:07 :299801: <DBUG> |dhcpd| uid lease 172.16.4.200 for client 28:57:67:41:2c:ac is duplicate on 172.16.4.0/24
    Aug 12 19:40:28 :299801: <DBUG> |dhcpd| uid lease 172.16.4.232 for client fc:c2:de:c5:67:49 is duplicate on 172.16.4.0/24
    Aug 12 19:47:59 :299801: <DBUG> |dhcpd| uid lease 172.16.3.54 for client 68:05:71:3f:9c:0b is duplicate on 172.16.3.0/24
    Aug 12 19:53:03 :299801: <DBUG> |dhcpd| uid lease 172.16.3.232 for client 68:05:71:3f:9c:0b is duplicate on 172.16.3.0/24
    Aug 13 00:29:43 :299801: <DBUG> |dhcpd| uid lease 172.16.3.138 for client fc:c2:de:c2:98:9a is duplicate on 172.16.3.0/24
    Aug 13 06:58:25 :299801: <DBUG> |dhcpd| parse_option_buffer: malformed option dhcp.<unknown> (code 83): option length exceeds option buffer length.
    Aug 13 07:05:31 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.131: pinged before offer
    Aug 13 07:30:11 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.227: pinged before offer
    Aug 13 07:30:58 :202084: <WARN> |dhcpdwrap| Pool 172.16.4.0/24 has abandoned lease(s)
    Aug 13 07:34:13 :299801: <DBUG> |dhcpd| uid lease 172.16.3.78 for client c0:bd:d1:16:72:56 is duplicate on 172.16.3.0/24
    Aug 13 07:50:22 :299801: <DBUG> |dhcpd| uid lease 172.16.3.221 for client ac:5a:14:1e:d4:52 is duplicate on 172.16.3.0/24
    Aug 13 07:58:13 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.3.155: pinged before offer
    Aug 13 07:59:02 :202084: <WARN> |dhcpdwrap| Pool 172.16.3.0/24 has abandoned lease(s)
    Aug 13 07:59:20 :299801: <DBUG> |dhcpd| uid lease 172.16.3.34 for client ac:5a:14:1e:d4:52 is duplicate on 172.16.3.0/24
    Aug 13 08:16:55 :299801: <DBUG> |dhcpd| uid lease 172.16.4.179 for client f0:25:b7:ac:ee:39 is duplicate on 172.16.4.0/24
    Aug 13 08:19:56 :299801: <DBUG> |dhcpd| uid lease 172.16.3.102 for client f4:09:d8:f2:84:e5 is duplicate on 172.16.3.0/24
    Aug 13 08:48:57 :299801: <DBUG> |dhcpd| uid lease 172.16.4.106 for client 78:4b:87:f5:8f:5f is duplicate on 172.16.4.0/24
    Aug 13 08:49:40 :299801: <DBUG> |dhcpd| uid lease 172.16.3.139 for client f4:09:d8:f2:84:e5 is duplicate on 172.16.3.0/24
    Aug 13 09:07:21 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.3.200: pinged before offer
    Aug 13 10:20:03 :299801: <DBUG> |dhcpd| uid lease 172.16.4.175 for client 24:db:ed:92:a4:0b is duplicate on 172.16.4.0/24
    Aug 13 10:21:51 :299801: <DBUG> |dhcpd| client 24:db:ed:92:a4:0b has duplicate leases on 172.16.4.0/24
    Aug 13 10:35:59 :299801: <DBUG> |dhcpd| uid lease 172.16.3.163 for client 1c:99:4c:b9:f5:55 is duplicate on 172.16.3.0/24
    Aug 13 10:36:01 :299801: <DBUG> |dhcpd| client 1c:99:4c:b9:f5:55 has duplicate leases on 172.16.3.0/24
    Aug 13 11:00:03 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.3.231: pinged before offer
    Aug 13 11:24:58 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.93: pinged before offer
    Aug 13 11:25:50 :202084: <WARN> |dhcpdwrap| Pool 172.16.4.0/24 has abandoned lease(s)

     

     

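The replies that follow ask about lease time and timers, but the log itself already separates three different symptoms: a client re-issued a "uid lease" that duplicates one already in the pool, a client holding more than one lease at once, and an address the server abandoned because something answered ping before the offer. The triage script below is an added example, not code from the thread or from Aruba; it runs over a constructed subset of the lines posted above and assumes /24 pools as in the dhcpd.conf later in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the "show log network" output posted above (a subset of it).
SAMPLE_LOG = """\
Aug 12 18:48:18 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.93: pinged before offer
Aug 12 18:50:03 :202084: <WARN> |dhcpdwrap| Pool 172.16.4.0/24 has abandoned lease(s)
Aug 12 18:52:07 :299801: <DBUG> |dhcpd| uid lease 172.16.4.200 for client 28:57:67:41:2c:ac is duplicate on 172.16.4.0/24
Aug 13 07:50:22 :299801: <DBUG> |dhcpd| uid lease 172.16.3.221 for client ac:5a:14:1e:d4:52 is duplicate on 172.16.3.0/24
Aug 13 07:59:20 :299801: <DBUG> |dhcpd| uid lease 172.16.3.34 for client ac:5a:14:1e:d4:52 is duplicate on 172.16.3.0/24
Aug 13 10:20:03 :299801: <DBUG> |dhcpd| uid lease 172.16.4.175 for client 24:db:ed:92:a4:0b is duplicate on 172.16.4.0/24
Aug 13 10:21:51 :299801: <DBUG> |dhcpd| client 24:db:ed:92:a4:0b has duplicate leases on 172.16.4.0/24
Aug 13 11:24:58 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.93: pinged before offer
"""

DUP_LEASE = re.compile(r"uid lease (\S+) for client (\S+) is duplicate on (\S+)")
MULTI_LEASE = re.compile(r"client (\S+) has duplicate leases on (\S+)")
ABANDONED = re.compile(r"Abandoning IP address (\S+): pinged before offer")

def pool_of(ip):
    # Assumption: /24 pools, as in the dhcpd.conf posted later in the thread.
    return ".".join(ip.split(".")[:3]) + ".0/24"

def summarize(log_text):
    """Triage dhcpd lines: per-pool counts, clients hit repeatedly, addresses abandoned more than once."""
    pools = defaultdict(lambda: {"duplicate": 0, "abandoned": 0, "multi_lease_clients": set()})
    dup_per_client = Counter()
    abandoned_per_ip = Counter()
    for line in log_text.splitlines():
        if m := DUP_LEASE.search(line):
            _ip, mac, pool = m.groups()
            pools[pool]["duplicate"] += 1
            dup_per_client[mac] += 1
        elif m := MULTI_LEASE.search(line):
            mac, pool = m.groups()
            pools[pool]["multi_lease_clients"].add(mac)
        elif m := ABANDONED.search(line):
            ip = m.group(1)
            pools[pool_of(ip)]["abandoned"] += 1
            abandoned_per_ip[ip] += 1
    return {
        "pools": {p: {"duplicate": c["duplicate"], "abandoned": c["abandoned"],
                      "multi_lease_clients": sorted(c["multi_lease_clients"])}
                  for p, c in sorted(pools.items())},
        # Same MAC with a duplicate uid lease more than once: that client is churning leases.
        "repeat_clients": sorted(m for m, n in dup_per_client.items() if n > 1),
        # Same address abandoned twice: something keeps answering ping on an address the server thinks is free.
        "abandoned_repeatedly": sorted(ip for ip, n in abandoned_per_ip.items() if n > 1),
    }
```

Addresses that show up under "abandoned_repeatedly" are the ones to cross-check against the controller's user table, since a stale entry there is exactly what the original poster saw.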


  • 14.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 11:39 AM

    - What is the lease time for those pools?

    - What is your output of "show aaa timers"?

     

    - The output of the idled users depends on environment.



  • 15.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 11:48 AM

    The lease time for the two networks in the pool is 8 hours. Please see the timers below.

     

    # Guest-WiFi-01
    subnet 172.16.3.0 netmask 255.255.255.0 {
        default-lease-time 28800;
        max-lease-time 28800;
        option vendor-class-identifier "ArubaAP";
        option vendor-encapsulated-options "10.80.25.7";
        option domain-name-servers 172.16.2.1;
        option routers 172.16.3.1;
        range 172.16.3.11 172.16.3.254;
        authoritative;
    }
    # Guest-WiFi-02
    subnet 172.16.4.0 netmask 255.255.255.0 {
        default-lease-time 28800;
        max-lease-time 28800;
        option vendor-class-identifier "ArubaAP";
        option vendor-encapsulated-options "10.80.25.7";
        option domain-name-servers 172.16.2.1;
        option routers 172.16.4.1;
        range 172.16.4.11 172.16.4.254;
        authoritative;
    }

    (aruba02) #show aaa timers

    Global User idle timeout = 300 seconds
    Auth Server dead time = 10 minutes
    Logon user lifetime = 5 minutes
    User Interim stats frequency = 600 seconds



  • 16.  RE: Stale user-table entry and duplicate IP address

    Posted Aug 13, 2015 12:00 PM

    Two Questions:

     

    Is this a guest network?  If yes, you can try reducing the DHCP lease to 30 minutes and see if that fixes your issue.  You will probably have to remove your users with "aaa user delete role <guest role>" when you do this so that they can get new leases.

     

    You can also type "show ip dhcp statistics" to see how you are on  leases.

     



  • 17.  RE: Stale user-table entry and duplicate IP address

    Posted Oct 06, 2020 08:08 PM

    Hi Team, 

     

    Could someone explain what "pending station deletes" in "show aaa state configuration" means?

     

     



  • 18.  RE: Stale user-table entry and duplicate IP address
    Best Answer

    Posted Oct 06, 2020 09:49 PM

    Stations that should be deleted from the station table, but have not been removed completely for whatever reason.  They are typically removed shortly thereafter.

     

    Closing this thread because it is five years old.