We have a primary controller (4402 - 50) and a small 4402-12 setup as an anchor for guest access. All guest traffic (for Internet access only) is sent through the guest controller - located on our DMZ.
Guest users were complaining that they were getting knocked off the system after 30 minutes. They needed to re-authenticate. This would happen regardless if they were VPN'd in to their host, or on the Internet.
We removed the timeout feature (deselected it) on both controllers. The issue then goes away. The users are never bumped off.
We then changed the inactivity timeout to 1 hour. Users were getting bumped off after 30 minutes.
We then changed the timeout to 2 hours. Now it appears that the connection stays in place about 40 minutes.
Note that we are changing the timeout to be the same on both controllers.
First - has anyone found that the timeout feature is not accurate from an actual "time" perspective?
Second - why would a user that is actively on the system, surfing and moving between sites be kicked off? It is like the anchor does not see the traffic - and views the connection as idle.
Note that we do not have an inactivity issue with workstations connected through our primary WLC, just with guest traffic.
The timeout that I believe you are referring to is the session timeout, not the idle timeout.
This session timeout forces reauthentication at the specified interval. With non Web-Auth methods, this should be handled seamlessly in the background.
Web-auth however puts the user back in a web_auth_required state when the session timeout is reached. Normal suggestion is to set the value to the maximum duration you want a client to stay connected without having to re-authenticate (0? 8 hours? etc...)
As for your first question, I am not aware of these session times not being accurate.
You didn't mention how/what timer you changed. Please be sure that you are changing/disabling the session timeout feature (expressed in seconds) on the "Advanced" tab of the WLAN definition for the Guest SSID. I have not found this timer to be inaccurate with 220.127.116.11 and 18.104.22.168 code on the controller.
We have just deployed controllers with a guest anchor and are getting disconnected every 30 minutes. Can anyone advise what is the best way to resolve this, and whether changing the timers works? My worry is that we will end up with sessions that are not being disconnected properly.
If this is a standard scenario, one WLC with APs in the LAN and an anchor WLC in the DMZ, then you need to configure the timeout on the anchor WLC in the DMZ, not only on the WLC in the LAN controlling the APs. The timer can be configured on the Advanced tab in WLAN properties (as mentioned somewhere above).
Osysel is correct. Your config needs to be identical on both the anchor and inside controllers. If not you will likely have issues if configs are not identical specific to the WLAN.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Considering the fact that you see connections break while not matching the timer and only on SSID with foreign anchors, I get the sense that this is not related to idle or user related timers, but rather a mismatch between your anchor Hello timers.
Please check "Controller -> Mobility Management -> Mobility Anchor Config" on all controllers and ensure they match (defaults are 3 keep alive count and 10 seconds interval).
This "Session Timeout" is a configurable parameter that is set under the WLAN policy config, have a look;
Here is where this is set (look at number 4);
WLAN Policy Configuration
Refer to the WLANs > Edit page for a description of these parameters.
1. The WLAN SSID box contains the current WLAN 1 SSID. If desired, enter a different SSID.
2. The Radio Policy box contains the default bands controlled by the WLAN 1 policy. If desired, enter a different WLAN 1 policy: 802.11a only, 802.11g only, 802.11b/g only, 802.11a/g only, or All.
3. The Admin Status box contains the default administrative status (unchecked, or disabled). If desired, enable the WLAN 1 policy by checking the Admin Status box.
4.*** The Session Timeout box contains the default 802.11 session timeout (0, or no timeout). If desired, enter a different 802.11 session timeout in minutes.***
5. The Quality of Service (QoS) box contains the default QoS status (Silver, or Best Effort QoS). If desired, enter a different QoS: Platinum = Voice, Gold = Video, Bronze = Background, or leave as Silver = Best Effort. VoIP clients should be set to Platinum, Gold or Silver, while low-bandwidth clients can be set to Bronze.
6. The Allow AAA Override box contains the default AAA Override status (unchecked, or disabled). If desired, enable AAA Override by checking the AAA Override box.
7. The Blacklist Exclusion List Timeout box contains the default client Exclusion List (blacklist) timeout status (checked, or enabled). If desired, disable Exclusion List (Blacklist) Timeout by unchecking the Blacklist Timeout box.