Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Connection timeout

I'm testing my new wireless setup, I have the following:

pair of 5508 Internal Controllers (running Field image

pair of 5508 DMZ Controllers (running Field image

ISE VMWare Server

AP's 3600 (AIR-CAP3602I-E-K9)

My new WLAN Guest is setup for Web policy Authentication, users get redirected to my ISE Radius server for Authentication.

I connect to SSID Guest from my laptop, ISE Guest Portal page appears in my browser, I login with my account credentials successfully (locally stored on the ISE Server). Great Logged in accepted UP, can browse the Internet. Then after a period I seem to lose connection approx 10 mins, I'm still connected to SSID Guest, still have an DHCP address...debug client mac address on the Controller doesn't show any thing out of the ordinary (please find attached).

Is there some sort of timeout setting on the ISE? when I'm not connected or lose access to the webpage, I enter another URL and ISE login GuestPortal reappears I login again, then regain access.

Any ideas why my connection is timing out?

NB: I should also note that sometimes when I lose connection if I type a URL again, on the odd ocassion the ISE guest Portal page does not appear and I need to wait sometime for this to appear again, even though I'm still connected to SSID guest.

Hall of Fame Super Silver

Connection timeout

On the WLC, change the session timeout on the guest wlan to 28800 or just disable that.  Then set the idle timer to 7200 (2hours) and see if that works better.  You have to look at the client's Policy Manager State and see if its in the RUN state.  You can also see the time let before re-auth (Re-authentication timeout) in the Monitor > Cients.

By default, the session timer is 1800 seconds and the idle timer is 300 seconds.  Idle timer affects the ipads and iphones more than any other devices.  Session timer affect all devices, and when using webauth, they are force to login again after the timers have expired.



Help out other by using the rating system and marking answered questions as "Answered"

*** Please rate helpful posts ***

Connection timeout


your debug client shows

*osapiBsnTimer: Aug 14 10:03:02.158: 18:3d:a2:42:28:4c apfMsExpireCallback (apf_ms.c:597) Expiring Mobile!

*apfReceiveTask: Aug 14 10:03:02.159: 18:3d:a2:42:28:4c apfMsExpireMobileStation (apf_ms.c:5687) Changing state for mobile 18:3d:a2:42:28:4c on AP cc:d5:39:ba:48:b0 from Associated to Disassociated

also note that your client get connected at 9:33 and get disconnected at 10:03. the period is 30 minutes.

This period is the default session timeout period on the WLAN on the WLC.

This is configurable under advanced tab of the WLAN config.

Try to increase this timer or disable it to isolate.



Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

Connection timeout


As per your query i can suggest you the following solution-

A. The ARP Timeout is used to delete ARP entries on the WLC for the devices learned from the network.

The User Idle Timeout: When a user is idle without any communication with the LAP for the amount of time set as User Idle Timeout, the client is deauthenticated by the WLC. The client has to reauthenticate and reassociate to the WLC. It is used in situations where a client can drop out from its associated LAP without notifying the LAP. This can occur if the battery goes dead on the client or the client associates move away.

Note: In order to access ARP and User Idle Timeout on the WLC GUI , go to the Controller menu. Choose General from the left-hand side to find the ARP and User Idle Timeout fields.

The Session Timeout is the maximum time for a client session with the WLC. After this time, WLC de-authenticates the client, and the client goes through the whole authentication (re-authentication) process again. This is a part of a security precaution to rotate the encryption keys. If you use an Extensible Authentication Protocol (EAP) method with key management, the rekeying occurs at every regular interval in order to derive a new encryption key. Without key management, this timeout value is the time that wireless clients need to do a full reauthentication. The session timeout is specific to the WLAN. This parameter can be accessed from the WLANs > Edit menu.

Hope this will help you.

CreatePlease login to create content