Product and Software: This article applies to all ArubaOS versions.
Most of us are used to using the 'aaa user delete' command to delete the user manually. However some customers ask why they cannot use this command to delete the VPN users and they think this is a bug.
However, this is not a bug; it is by design. By default, VPN users are deleted automatically only when the VPN timer has expired.
To delete the VPN user manually, determine the L2TP tunnel ID of the VPN user and clear that tunnel, then the VPN user can be deleted from the user table. After that, use the 'aaa user delete' command to delete the regular user.
The following example shows how to do this:
(Meggie2400) # show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link location Roaming Essid/Bssid/Phy
192.168.10.15 00:1d:e0:12:f4:a1 meggie default-vpn-role 00:00:03 VPN 172.25.13.254 1.1.65 Associated meg-wep/00:0b:86:40:32:21/g ===>vpn user
172.25.13.254 00:1d:e0:12:f4:a1 logon 00:00:04 1.1.65 Associated meg-wep/00:0b:86:40:32:21/g ===> regular user
User Entries: 2/2
(Meggie2400) #show crypto ipsec sa | begin 172.25.13.254
Initiator IP: 172.25.13.254 =====>regular user outer IP
Responder IP: 10.168.15.8
Initiator: No
Initiator cookie:cb13227e68891ec9 Responder cookie:af7ae197b659e751
SA Creation Date: Mon Mar 17 14:40:47 2008
Life secs: 3600
Initiator Phase2 ID: 172.25.13.254/255.255.255.255
Responder Phase2 ID: 10.168.15.8/255.255.255.255
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:Transport
PFS: No
OUT SPI 2e7ae00c, IN SPI c3f0f200
L2TP tunnel ID = 6, remote id = 2, innerIP = 192.168.10.15
Reference count: 3
(Meggie2400) #clear vpdn tunnel l2tp id 6
(Meggie2400) #show user
IP MAC Name Role Age(d:h:m) Auth VPN link location Roaming Essid/Bssid/Phy
172.25.13.254 00:1d:e0:12:f4:a1 logon 00:00:05 1.1.65 Associated meg-wep/00:0b:86:40:32:21/g
User Entries: 1/1
(Meggie2400) #aaa user delete mac 00:1d:e0:12:f4:a1
1 users deleted