Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

DHCP STRANGE ISSUE

  • 1.  DHCP STRANGE ISSUE

    Posted Feb 18, 2013 03:22 PM

    Hello,

     

    I have an Aruba controller and the Infoblox as DHCP server.

    I sometimes see an issue between computers and smartphones. When a computer tries to get an IP address, the DHCP server sends the IP 10.10.10.1, but on the Aruba that IP is in use while on the DHCP server that IP is free, and the device supposed to have that address isn't connected. I checked and there is no fixed IP on either device.

    I have a lease in the DHCP server and it works fine, but for some strange reason, when a device is idle or disconnected from the network, the Aruba still has the MAC and IP in the table.

    What might be causing this trouble? Any thoughts?

     

     



  • 2.  RE: DHCP STRANGE ISSUE

    EMPLOYEE
    Posted Feb 18, 2013 03:37 PM

    By default the Aruba controller keeps the name and the MAC in the table for 5 minutes.  If you have changed the user idle timer, this will be much longer and Aruba's IP spoofing mechanism will not allow a user to get that IP address as a result.

     



  • 3.  RE: DHCP STRANGE ISSUE

    Posted Feb 18, 2013 03:47 PM

    So the recommendation is 5 minutes? Can I change it to fewer minutes, or is that not recommended?

    I noticed this when a computer tries to connect and the IP that the controller keeps is for a smartphone (iPhone and Android).



  • 4.  RE: DHCP STRANGE ISSUE

    EMPLOYEE
    Posted Feb 18, 2013 03:49 PM

    If you have not changed it, it should be at 5 minutes.  If you have changed it, changing it back to 5 minutes will deal with your issue.  People change this so that users do not have to log in to the captive portal frequently, but it creates other problems when you extend it too much.

     



  • 5.  RE: DHCP STRANGE ISSUE

    Posted Feb 18, 2013 08:41 PM

    OK, do you know the command to change the idle time?



  • 6.  RE: DHCP STRANGE ISSUE

    EMPLOYEE
    Posted Feb 18, 2013 08:48 PM

    Type "show aaa timers" first to see what the value is.  If it is five minutes, you don't have to change anything and something else is the problem.

     

    Then you:

     

    (host) (config) #aaa timers idle-timeout ?
    <1-15300>               User idle timeout value. Valid range is 30-15300
                            seconds in multiples of 30 seconds or 1-255 minutes.
                            Default is 300 seconds
    

     



  • 7.  RE: DHCP STRANGE ISSUE

    Posted Feb 19, 2013 03:32 AM

    Hi, good morning ;)

    You can run the following command:
    aaa user fast-age
    (via CLI)
    It should solve your issue. :)

    What this command does:
    When connecting to wireless, Microsoft Windows will typically leak traffic from all interfaces, creating users in the Aruba user-table that have the same MAC address, but wired or VMWARE ip addresses. These duplicate ip addresses can stay up to 5 or 7 minutes until they age out of the user table. The "aaa user fast-age" configuration command will actively send traffic to those duplicate sessions and will immediately remove them from the user table, quickly.

    ***Care should be taken when using this when terminating client VPN sessions directly on the Aruba controller. Client VPN users that terminate on the Aruba controller have an inner IP address, as well as an outer IP address in the table. If the user has Windows Firewall enabled so that it doesn't return pings from the inner IP address, it will not return pings and the client will be disconnected. In that case you would use the "no user aaa fast-age" command. By default (Thanks to the guys from EMEA for pointing this out).

    Also read cjoseph's post regarding this command here in AirHeads (COTD):
    http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-aaa-user-fast-age/td-p/4098



  • 8.  RE: DHCP STRANGE ISSUE

    Posted Feb 19, 2013 03:36 AM
    Another tip: TRY TO KEEP YOUR DHCP TIMERS (LEASE TIME) = TO AAA IDLE TIMEOUT IN THE ARUBA CONTROLLER.


  • 9.  RE: DHCP STRANGE ISSUE

    Posted Feb 19, 2013 08:17 AM

    Hi,

     

    I have mine set at - aaa timers idle-timeout 1200 seconds.  It was mentioned by cjoseph this can cause problems if set too high.  What are those problems and is there a workaround? 

     

    Also kdisc98 mentioned keeping the DHCP timers (lease time) = to this idle-timeout.  What or where specifically are you referring to for the DHCP timers?  Our DHCP is handed out by a Windows server for all but the guest wifi/captive portal users which get theirs from the controller.

     

    Thanks



  • 10.  RE: DHCP STRANGE ISSUE

    EMPLOYEE
    Posted Feb 19, 2013 08:42 AM

    @istong wrote:

    Hi,

     

    I have mine set at - aaa timers idle-timeout 1200 seconds.  It was mentioned by cjoseph this can cause problems if set too high.  What are those problems and is there a workaround? 

     

    Also kdisc98 mentioned keeping the DHCP timers (lease time) = to this idle-timeout.  What or where specifically are you referring to for the DHCP timers?  Our DHCP is handed out by a Windows server for all but the guest wifi/captive portal users which get theirs from the controller.

     

    Thanks


    If set too high, clients stay in the user table much longer than they do actually, giving you an inflated view of your users.  In addition, if you are using IP spoofing protection, it would seem that users still have an ip address, even though they are long gone.  It should definitely not be longer than your DHCP scope lease, but longer than the default creates an inaccurate view of how many users are connected.
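
Added example, not part of any post in this thread: a small audit that compares the controller's idle-timeout with the DHCP lease time and cross-checks a user-table export against the DHCP server's active leases to find entries like the 10.10.10.1 case in the first post. The record shapes (`UserEntry`, `Lease`), the function names and the sample data are assumptions made for illustration; they are not ArubaOS or Infoblox output formats.

```python
from dataclasses import dataclass

DEFAULT_IDLE_S = 300  # default idle-timeout quoted in the thread's CLI help

@dataclass(frozen=True)
class UserEntry:          # one controller user-table row (hypothetical shape)
    ip: str
    mac: str

@dataclass(frozen=True)
class Lease:              # one DHCP lease record (hypothetical shape)
    ip: str
    mac: str
    expires_in_s: int     # <= 0 means the server considers the IP free

def check_timers(idle_timeout_s, lease_s):
    """Return warnings for an idle-timeout that is invalid or outlives the lease."""
    warnings = []
    if not 30 <= idle_timeout_s <= 15300 or idle_timeout_s % 30:
        warnings.append("idle-timeout outside 30-15300 s in multiples of 30")
    if idle_timeout_s > lease_s:
        warnings.append("idle-timeout exceeds DHCP lease: stale entries can block reissued IPs")
    elif idle_timeout_s > DEFAULT_IDLE_S:
        warnings.append("idle-timeout above 300 s default: user count will look inflated")
    return warnings

def find_stale(users, leases):
    """Controller entries whose IP the DHCP server has freed or given to another MAC."""
    active = {l.ip: l.mac.lower() for l in leases if l.expires_in_s > 0}
    stale = []
    for u in users:
        owner = active.get(u.ip)
        if owner is None:
            stale.append((u.ip, u.mac, "free on DHCP server"))
        elif owner != u.mac.lower():
            stale.append((u.ip, u.mac, "leased to " + owner))
    return stale

# Constructed sample data, not output from a real controller or DHCP server.
USERS = [
    UserEntry("10.10.10.1", "AA:BB:CC:00:00:01"),        # phone that has left
    UserEntry("10.10.10.2", "aa:bb:cc:00:00:02"),
    UserEntry("10.10.10.3", "aa:bb:cc:00:00:03"),
]
LEASES = [
    Lease("10.10.10.1", "aa:bb:cc:00:00:09", 3400),      # reissued to a laptop
    Lease("10.10.10.2", "aa:bb:cc:00:00:02", 1800),
    Lease("10.10.10.3", "aa:bb:cc:00:00:03", 0),         # expired
]
print(check_timers(1200, 600), find_stale(USERS, LEASES))
```

Entries reported as "leased to" another MAC are the ones where IP spoofing protection on the controller would refuse the new client until the old entry ages out.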

     



  • 11.  RE: DHCP STRANGE ISSUE

    Posted Feb 19, 2013 09:41 PM

    @cjoseph wrote:

    If you have not changed it, it should be at 5 minutes.  If you have changed it, changing it back to 5 minutes will deal with your issue.  People change this so that users do not have to log in to the captive portal frequently, but it creates other problems when you extend it too much.

     


     

    ... iDevices....

     

    Just saying - Apple needs to change how these devices work on enterprise networks....