Cisco Support Community
Disconnects every 5 minutes on guest WLAN with pre-authentication ACL

I have a strange situation on my guest wireless LAN.

The guest WLAN is configured as an SSID "GUEST" on Cisco 1142 lightweight APs, with WiSM controller and WLC software version 7.0.230.0.

For simple Internet access using this SSID, we have a web policy, which causes a web page to be displayed when the user opens his/her browser, and on this web page, the user must click on an "Accept" button in order to accept the terms and conditions of use. Once the user accepts, the browser will then go to the web site which the user wishes to open. When using this mode of access, everything is fine.

However, there is also a pre-authentication ACL, which allows certain types of VPN traffic to reach the Internet without the user being required to accept terms and conditions. The ACL allows ESP, IKE (UDP/500), IKE over UDP (UDP/4500), DNS, HTTPS/SSL (TCP/443), DHCP client and server (UDP/67,68).

The pre-auth ACL actually works as intended; and the ACL traffic is NOT allowed when the ACL is removed. This is exactly as it should be.

However, when using, for example, a VPN client such as the Cisco VPN client, or the Cisco AnyConnect client, via this guest SSID without user acceptance, the WLAN regularly and predictably stops passing traffic. This is 100% repeatable and predictable; it happens every 300 seconds, or possibly slightly longer. I have only used my PC clock to time it so the timing isn't all that accurate but I'm sure it's within a few seconds.

Given that the problem happens at the same time interval and is constant, I guessed there must be some configuration item which needs to be altered, but I've looked extensively at the controller GUI (we actually use WCS here) and I can't see anything that looks even remotely related to this.

Does anyone have any suggestions about what might be happening here?

Regards

Chris Slater-Walker

Senior System Analyst

Nokia UK Ltd.

5 REPLIES
Hall of Fame Super Silver

Re: Disconnects every 5 minutes on guest WLAN with pre-authentic

Increase the idle timeout and see if that helps.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Disconnects every 5 minutes on guest WLAN with pre-authenticatio

Scott,

Is this idle timeout value actually the same as Configure > Controllers > a.b.c.d > WLANs > WLAN Configuration > WLAN Configuration Details > Session Timeout?

If so, this value is already enabled and set to 28800.

Thanks

Chris

Hall of Fame Super Silver

Re: Disconnects every 5 minutes on guest WLAN with pre-authentic

No, it's not. The session timeout forces a reauthentication when users are in the run state. Idle timeout is in the WLC general tab above the ARP timeout. This will keep a MAC address from being purged after it sits idle.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Disconnects every 5 minutes on guest WLAN with pre-authentic

Thanks for the suggestion, but it was already set to 1800. I doubled it to 3600 but it made no difference.

Hall of Fame Super Silver

Re: Disconnects every 5 minutes on guest WLAN with pre-authentic

Well, I don't know if there is a workaround for that, since you want to allow traffic, but yet they don't have to log in. You might as well just have a separate SSID and only allow that traffic and keep it open.

-Scott
*** Please rate helpful posts ***