User Tracking Oddity

Unanswered Question
Oct 2nd, 2007


With User Tracking and LMS 2.6, we are having an issue where we put in a query, an IP address for example, and the results open in a new window, but the window closes quickly.

Anyone else had this issue? Thanks!

Overall Rating: 4 (1 ratings)
Joe Clarke Tue, 10/02/2007 - 12:24

Sounds like a pop-up blocker to me. If you put in a query that has no hits, the window will quickly disappear, and a pop-up window will appear in its place. If you have a popup blocker in your browser, then the popup window telling you that there was no data matched by the query.

ernestly Tue, 10/02/2007 - 17:15

Hi jclarke,

How accurate is this user tracking from LMS/Campus Manager? There are times that I tried using this feature to find out if a particular IP address is being used by any host in the network. So just wondering how accurate it is when the user tracking returns a result saying that the IP does not belong to any host in the network.


Joe Clarke Wed, 10/03/2007 - 07:06

User Tracking 4.x is only as accurate as your acquisition interval. It is quite possible that you could miss users on your network if they connect then disconnect between acquisitions. As for the accuracy of the information acquired, it should be perfect given properly configured devices with no bugs (ha!). In other words, the algorithm is sound. If you're certain an IP address must exist, then it is either that a new UT acquisition needs to run, or there is a config or device problem.

User Tracking 5.0 is more accurate since it can use MAC address notification traps to detect users entering and exiting the network in near real-time.

Wed, 10/10/2007 - 00:38

Hey there jclarke -

So UT has done a discovery and all, but another strange thing... A lot of addresses simply have the MAC address listed, but not the IP address. I am using the host I am browsing to Ciscoworks on as an example. It lists the switch, port, VLAN, MAC, but no IP address. Please advise! Thanks!

jedavis Thu, 10/11/2007 - 04:34

Someone correct me if I am wrong, but I believe that UT has to poll the ARP table of a layer 3 device to resolve the MAC/IP relationship. This would preferably be the default gateway(s) for the LAN.

I have a similar situation with some internal LANs that are behind ASA firewalls. Devices behind the ASAs use the ASA as the default gateway address, and the IP addresses for these devices do not show up in UT reports. To add them, I dump the ASA ARP table into an MS Excel spreadsheet and use a VLOOKUP function to match the MAC to the IP. Any hope of ever getting UT to recognize the ASA as an L3 device and automating this process?
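
Added example (not part of the post above and not CiscoWorks code): the manual ASA ARP to UT lookup done in a script instead of a spreadsheet. It assumes `show arp` lines of the form `interface IP MAC age` and a hypothetical CSV export of the UT report with `MACAddress` and `IPAddress` columns; all sample data is constructed.

```python
import csv, io, ipaddress, re

# Constructed sample: ASA "show arp" output (interface, IP, MAC, age).
ASA_ARP = """\
  inside 10.20.1.15 0011.2233.4455 12
  inside 10.20.1.27 00aa.bbcc.ddee 340
  dmz 192.0.2.9 0050.56ab.cdef 5
"""
# Constructed sample: hypothetical CSV export of a UT report (column names assumed).
UT_CSV = """\
MACAddress,IPAddress,Device,Port,VLAN
00-11-22-33-44-55,,sw-access-1,Fa0/3,120
00-aa-bb-cc-dd-ee,,sw-access-1,Fa0/7,120
00-de-ad-be-ef-01,,sw-access-2,Gi1/0/4,120
00-0c-29-11-22-33,10.20.1.40,sw-access-2,Gi1/0/9,120
"""

def norm_mac(mac):
    """Reduce dotted, dashed or colon MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if len(digits) == 12 else None

def parse_asa_arp(text):
    """Map normalised MAC -> sorted list of IPs seen for it in the ARP dump."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[1]))
        except ValueError:
            continue  # prompt, header or wrapped line, not an ARP entry
        mac = norm_mac(fields[2])
        if mac:
            table.setdefault(mac, set()).add(ip)
    return {m: sorted(ips) for m, ips in table.items()}

def fill_missing_ips(ut_csv, arp):
    """Fill empty IPAddress cells from the ARP map and tag where each IP came from."""
    rows = []
    for row in csv.DictReader(io.StringIO(ut_csv)):
        ips = arp.get(norm_mac(row["MACAddress"]), [])
        if not row["IPAddress"] and ips:
            row["IPAddress"], row["Source"] = ";".join(ips), "asa-arp"
        else:
            row["Source"] = "ut" if row["IPAddress"] else "unresolved"
        rows.append(row)
    return rows
```

Call `fill_missing_ips(UT_CSV, parse_asa_arp(ASA_ARP))`; rows tagged `unresolved` are MACs that neither UT nor the firewall's ARP table could map to an IP, and a MAC with several IPs is kept as a `;`-joined list rather than silently picking one.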

Joe Clarke Thu, 10/11/2007 - 08:16

Since the ASA, PIX, and FWSM devices do not support CDP, it is unlikely they will ever be supported by Campus Manager. As a workaround to this, I use a sacrificial router on my DMZ subnet that collects ARP entries. It isn't perfect, but it gets a lot of the active hosts.

jedavis Thu, 10/11/2007 - 04:22

One thing to watch out for with user tracking is that it seems to key on the switch CAM tables. In other words, a switch port may be active, but unless there is a MAC address associated with the port then user tracking will not record an entry in its DB. So if you have devices that don't communicate for long periods of time they will not show up in user tracking. For example, in my environment we have some devices that start talking on the network only when an exceptional condition occurs, which may be once a month or so. These do not show up in user tracking.

A practice which helps mitigate this problem is to raise the MAC address aging times on your switches. The default is 5 minutes. I generally use 4 hours to match the layer 3 ARP aging.

Joe Clarke Thu, 10/11/2007 - 08:16

Performing ping sweeps prior to UT acquisition should get around this problem.

jedavis Thu, 10/11/2007 - 10:43

Oddly enough, I just noticed that sometimes the IP address does show up in the UT report on these firewalled LANs. On a LAN where the ASA is the only layer 3 Cisco device, the IP address shows up for 25 of the 91 entries. Where would UT be picking these up?

Also, I was going to suggest that it would be great if a ping sweep option was built into UT acquisition. Then I checked and discovered there already was (been a long time since I configured this!). A couple of questions though:

1) Wait interval. What is this? Wait interval between what events?

2) The documentation states that ping sweeps will not be performed for "large subnets", but doesn't define exactly what constitutes a large subnet. It states "For example, subnets containing Class A and B addresses". What does this mean? If I have an address that falls within the classic class B range, yet it has say, a /22 mask, will it be excluded?

Joe Clarke Thu, 10/11/2007 - 10:50

You need to put a supported router on the subnet, crank its ARP timeout to max, and see what entries you get.

1. Wait between pings. By default, this is 0. That could cause some interesting IDS events on some networks.

2. Ping sweep will only sweep subnets that are class C or smaller. Anything bigger than a /24 will not be swept.

jedavis Thu, 10/11/2007 - 10:56

Thanks. But on the first point, my question is where UT is getting the few addresses that it does on these firewalled VLANs today. There is no supported router with an interface on this particular LAN, yet UT is coming up with IP addresses somewhere. Where?

