Connection timeout

stephendrkw
Level 3

I'm testing my new wireless setup, I have the following:

pair of 5508 Internal Controllers (running 7.3.101.0 Field image 7.0.112.21)

pair of 5508 DMZ Controllers (running 7.3.101.0 Field image 7.0.112.21)

ISE VMWare Server

AP's 3600 (AIR-CAP3602I-E-K9)

My new WLAN Guest is set up for Web policy Authentication, users get redirected to my ISE Radius server for Authentication.

I connect to SSID Guest from my laptop, ISE Guest Portal page appears in my browser, I log in with my account credentials successfully (locally stored on the ISE Server). Great. Logged in, accepted UP, can browse the Internet. Then after a period, approx 10 mins, I seem to lose connection. I'm still connected to SSID Guest, still have a DHCP address... debug client mac address on the Controller doesn't show anything out of the ordinary (please find attached).

Is there some sort of timeout setting on the ISE? When I'm not connected or lose access to the webpage, I enter another URL and the ISE login Guest Portal reappears, I log in again, then regain access.

Any ideas why my connection is timing out?

NB: I should also note that sometimes when I lose connection, if I type a URL again, on the odd occasion the ISE Guest Portal page does not appear and I need to wait some time for this to appear again, even though I'm still connected to SSID Guest.

3 Replies

Scott Fella
Hall of Fame

On the WLC, change the session timeout on the guest WLAN to 28800 or just disable that. Then set the idle timer to 7200 (2 hours) and see if that works better. You have to look at the client's Policy Manager State and see if it's in the RUN state. You can also see the time left before re-auth (Re-authentication timeout) in Monitor > Clients.

By default, the session timer is 1800 seconds and the idle timer is 300 seconds. Idle timer affects the iPads and iPhones more than any other devices. Session timer affects all devices, and when using webauth, they are forced to log in again after the timers have expired.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Amjad Abdullah
VIP Alumni

Steve:

Your debug client shows:

*osapiBsnTimer: Aug 14 10:03:02.158: 18:3d:a2:42:28:4c apfMsExpireCallback (apf_ms.c:597) Expiring Mobile!

*apfReceiveTask: Aug 14 10:03:02.159: 18:3d:a2:42:28:4c apfMsExpireMobileStation (apf_ms.c:5687) Changing state for mobile 18:3d:a2:42:28:4c on AP cc:d5:39:ba:48:b0 from Associated to Disassociated

Also note that your client gets connected at 9:33 and gets disconnected at 10:03. The period is 30 minutes.

This period is the default session timeout period on the WLAN on the WLC.

This is configurable under advanced tab of the WLAN config.

Try to increase this timer or disable it to isolate.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
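
The check described in the reply above, as an added example that is not part of the original thread: it parses the two debug lines quoted there, finds the timer-driven expiry, and compares the elapsed time with the default timers named in the thread (1800 s session, 300 s idle). The function names, the 5-second tolerance and the seconds part of the 9:33 connect time are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Defaults stated in the thread: WLAN session timeout and user idle timeout.
SESSION_TIMEOUT_S = 1800
IDLE_TIMEOUT_S = 300

# Shape of the WLC "debug client" lines quoted in the thread:
# *task: Mon DD HH:MM:SS.mmm: <mac> <function> (<file>:<line>) <message>
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<func>\w+) "
    r"\((?P<src>[\w.]+:\d+)\) (?P<msg>.*)$"
)

# The two lines quoted in the thread.
SAMPLE = [
    "*osapiBsnTimer: Aug 14 10:03:02.158: 18:3d:a2:42:28:4c apfMsExpireCallback "
    "(apf_ms.c:597) Expiring Mobile!",
    "*apfReceiveTask: Aug 14 10:03:02.159: 18:3d:a2:42:28:4c apfMsExpireMobileStation "
    "(apf_ms.c:5687) Changing state for mobile 18:3d:a2:42:28:4c on AP "
    "cc:d5:39:ba:48:b0 from Associated to Disassociated",
]
CONNECTED_AT = "Aug 14 09:33:02.000"  # thread says 9:33; seconds are constructed

def parse_ts(ts):
    # Debug output carries no year; a fixed one is added because only
    # differences between timestamps are used.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")

def expiries(lines):
    """Return (mac, time) for each timer-driven expiry in the debug output."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["func"] == "apfMsExpireCallback" and "Expiring Mobile" in m["msg"]:
            out.append((m["mac"], parse_ts(m["ts"])))
    return out

def explain(connected_at, expired_at, last_seen=None, tolerance_s=5):
    """Return (seconds since connect, which default timer the expiry matches)."""
    elapsed = (expired_at - parse_ts(connected_at)).total_seconds()
    if abs(elapsed - SESSION_TIMEOUT_S) <= tolerance_s:
        return round(elapsed), "session-timeout"
    if last_seen is not None:
        idle = (expired_at - parse_ts(last_seen)).total_seconds()
        if abs(idle - IDLE_TIMEOUT_S) <= tolerance_s:
            return round(elapsed), "idle-timeout"
    return round(elapsed), "unexplained"

if __name__ == "__main__":
    for mac, when in expiries(SAMPLE):
        print(mac, *explain(CONNECTED_AT, when))
```

If the WLAN timers have been changed from the defaults, adjust the two constants to the configured values before comparing.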


Abhishek Abhishek
Cisco Employee

Hello,

As per your query, I can suggest the following solution:

A. The ARP Timeout is used to delete ARP entries on the WLC for the devices learned from the network.

The User Idle Timeout: When a user is idle without any communication with the LAP for the amount of time set as User Idle Timeout, the client is deauthenticated by the WLC. The client has to reauthenticate and reassociate to the WLC. It is used in situations where a client can drop out from its associated LAP without notifying the LAP. This can occur if the battery goes dead on the client or the client associates move away.

Note: In order to access ARP and User Idle Timeout on the WLC GUI , go to the Controller menu. Choose General from the left-hand side to find the ARP and User Idle Timeout fields.

The Session Timeout is the maximum time for a client session with the WLC. After this time, WLC de-authenticates the client, and the client goes through the whole authentication (re-authentication) process again. This is a part of a security precaution to rotate the encryption keys. If you use an Extensible Authentication Protocol (EAP) method with key management, the rekeying occurs at every regular interval in order to derive a new encryption key. Without key management, this timeout value is the time that wireless clients need to do a full reauthentication. The session timeout is specific to the WLAN. This parameter can be accessed from the WLANs > Edit menu.

Hope this will help you.
