Hi All,
Back a couple weeks ago, when my two 7220 Mobility Controllers and pair of Clearpass C3000V VMs had been talking happily for years, I never thought to run the command
"show aaa authentication-server radius statistics". Now I'm wondering what "good" values look like, for both uptime and timeouts.
This command gives lots of stats on each of your defined RADIUS servers, and the second column from the end of this lengthy output is "Uptime", in d:h:m.
Since we've been having issues with the 7220s' connections to Clearpass timing out (we have a case open already), these times have been very short, generally in the minutes. I'm pretty sure this is Bad, but hoping for confirmation.
If your Clearpass RADIUS auth is ticking along smoothly (the way ours used to be), can you please log in to the CLI of one of your controllers and let me know your Uptimes? I expect that they might be as long as back to your most recent Clearpass firmware update, and that the 3 to 20 minute values I'm typically seeing indicate a problem.
Also, please check the "Tmout" column, and, if it is more than a few, perhaps compute it as a percentage of the "Raw Rq" number for that server. Since we started having these timeout problems, mine are up around 1% of requests.
My understanding is that the timeout column represents times when the 7220 got no answer at all from Clearpass, rather than, say, indicating how many user devices timed out during their auth.
I am thinking that Clearpass should very nearly _always_ reply to the mobility controllers, even if its response is "Reject, that user timed out during the auth".
That is, if the "Tmout" count is times that Clearpass failed to answer, it should be very nearly zero, or at least, a tiny fraction of a percent of requests.
Conversely, I'd expect a count of users-timing-out-during-their-auth to be a fairly steady percentage of user auth requests.
Just not totally sure which form of timeout this counter represents.
Thanks,
Steve