Wireless Access

Good Morning,

I woke up to my controller this morning running 6.2.1.0 with the following error.

Apr 3 05:50:27 authmgr[1666]: <522043> <WARN> |authmgr| Configured Session limit reached for client IP=10.110.0.0
Apr 3 05:50:29 authmgr[1666]: <522043> <WARN> |authmgr| Configured Session limit reached for client IP=10.110.0.0 

It showed up over and over and over again and rendered the controller useless.  I noticed first when I couldn't authenticate to the VPN running on it.

Yesterday I changed the ip cp-redirect address to be the address of the VLAN that I'd like my guest on.  Could that have anything to do with it?  I read about where you can set the maximum sessions but could not find anywhere in the config to change that setting.  

Right now I've reloaded the controller to try to get it back.

hmm...I can't seem to find this.  Where exactly is it?

Also would it help for me to use the following command?  to  see the total number of sessions?

show datapath session counters

+----+------+-----------------------------------------------------+
|SUM/| | | |
|CPU | Addr | Description Value |
+----+------+-----------------------------------------------------+
| | | |
| G | [00] | Current Entries 8799 |
| G | [01] | High Water Mark 11848 |
| G | [02] | Maximum Entries 524288 |
| G | [03] | Total Entries 658517 |
| G | [05] | Duplicate Entries 2 |
| G | [07] | Current Max link length 3 |
| G | [08] | Max link length 5 |
| G | [09] | Stale Entries 15671 |
| G | [10] | Aged Entries 634039 |
+----+------+-----------------------------------------------------+

Is the Maximum Entries the limit we hit?

1.  Find the user role that your user end up in.

2.  Go to configuration> Security >  Access Control

3.  Find that role and Edit.

4.  Locate the Max Sessions parameter and make sure it is 65535 and click on apply.

If this is your problem, very, very, very few people manipulate that parameter and it should not be touched in practice.

Okay so I found the Max Sessions under the users roles.  I see the default is 65535.  What would be a good value to top that out at for a guest network?  Or an authenticated user network.  It seems high to leave it at the default.  Any suggestions?

Leave it at what it currently is.

What is the output of "show aaa timers"?

Here is the output of show aaa timers.

User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 600 seconds

We top out at most 500 clients any given day.  

This error began at 5:50 AM today and repeated hundreds of times.  There were probably no more than 80 connected devices this morning.  

None of which should have generated that much traffic.  No one had even come in to school yet.  We are a K-12 setting.

I think you should open a support case, because the solution is in the details that we cannot ask for in a public forum.  It does not seem obvious with limited information, but with your logs.tar support should be able to narrow it down much more quickly.

The only think I can think of is if you might have made one of your wired interfaces untrusted and now all of your wired clients are showing up in the controller.   That is my last guess.

Thanks for your suggestions.  I checked and each of my ports are marked as trusted including the Port-Channel.

My support has recently expired and am in the process of getting the funds to get it renewed.  I've never purchased the support and ahve also flew by the seat of my pants.

Chad

But are there any wired users in the user table?  You could also have a VLAN marked as untrusted.

I wanted to follow up on this issue.  It is still a mystery.   I've opened a case with TAC a week ago and they spent 3 hours today while the controller was down, attempting to figure out what was going on.

We consoled in to an AP and watched it grab an IP from DHCP but then could not connect to the controller to download the config via TFTP.

We also could not ping the gateway from the Controller or any of the APs from the controller but could ping the controller from the gateway and could ping APs from the gateway.

After 3 hours of looking for what was going on. I had to give it up and just reload the controller to get things running again.  Once we reloaded the controller could ping the gateway and APs again.  Until next time....

Duplicate ip address, perhaps?

I thought about that...browsing the network to see what I can find.