I recently had a TAC case that was not particularly enlightening. My initial request was as follows:
On 2019-07-12, some KNOWN clients where suddenly purged out of our endpoint repository. The cluster-wide parameters for cleanup intervalls were as follows:
Cleanup interval for Session log details in the database: 7 days
Cleanup interval for information stored on the disk: 7 days
Old Audit Records cleanup interval: 90 days
Known endpoints cleanup interval: 90 days
Unknown endpoints cleanup interval: 30 days
Expired guest accounts cleanup interval: 365 days
Profiled Unknown endpoints cleanup interval: 30 days
Profiled Known endpoints cleanup option: TRUE
Static IP endpoints cleanup option: FALSE
Examples for purged MAC addresses:
MAC Added at Cleaned up Delta
1458d0000000 07.03.19 12.07.19 127
40b034000000 07.03.19 12.07.19 127
e4b97a000000 08.03.19 12.07.19 126
So, according to the User Guide here https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_clusterwideparams.htm#Cleanup the "Known endpoints cleanup interval" will be evaluated based on the "Added at" date. As it was set to 90 days and the delta was already 127 days that might not be the case. On the other hand the "Unknown endpoints cleanup interval" is oriented to the "Updated at" date.
According to TAC engineer the endpoints were cleaned because of the "Profiled Known endpoints cleanup option" set to TRUE. I assumed that this option will also use the "Known endpoints cleanup interval" and orientate on the "Added at" date. The User Guide is not very precise here.
TAC told me that the "Profiled Known endpoints cleanup option" will clean known, profiled endpoints every day and will orientate on the "Added at" date. That contradicts itself and is unlikely.
So, how is this option really working? Why were my endpoints cleaned up?