Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Wireless lan Controller Session timeout and lwapp question

Hello, I am a bit confused about the session timeout value  found in Wlan>advanced tab. our setting is set to 1800 which is the default. Our vendor just told us that this could be causing the client disconnect that we are seeing.  I was under the impression that if a wireless client is connected and active it would not time out unless it is idle for longer than a give time. Can someone please explain what the WLAN session timeout vlaue affects...

Question Q2

Our ventor also indicated to us that the LWAP was used for routing traffic through the WISM.   Our LWAPP is a layer 3 lwap.  we are using DIstributed MA-850.  Can the LWAPP tunnels cause client timeouts.


Re: Wireless lan Controller Session timeout and lwapp question


     In response to Question #1, the session timeout means that your authenticated user session expires in 1800 seconds, it is not an activity or idle timeout.  So depending on your authentication method, this could cause your client to disconnect, I typically set this to 28800 (8 hours) unless the client has a specific requirement to re-authenticate more often.

     In response to Question #2, the LWAPP tunnel that is built between the controller and the access point is used for all traffic between the Access point and the controller (Data, Management, Client). When a client attaches to a LWAPP AP their traffic is sent to the controller thru the LWAPP encapsulate tunnel, when it reaches the controller, it then routes the data and puts it onto the actual wired network, and data sent from the wired network to the client is sent to the controller, then encapsulated in the tunnel to the AP, and then the AP sends it to the client.

     The only exception to this is when you have an access point in H-REAP mode and have the WLAN terminating locally. In this case the Management traffic is sent via the LWAPP tunnel, but user traffic is terminated locally on the switch and routed as if it were a wired client.

Hope this helps answer your questions.. Feel free to rate this answer.



New Member

I know this an old post but

I know this an old post but we are testing the session timeout on the Wireless Controller if we disable the timeout will that have any adverse affects. They were set to re-authenticate every 30 minutes not sure what the magic timeout should be but we thought we would test without any. 



New Member

Re: Wireless lan Controller Session timeout and lwapp question

From this document:

(Page 13)

The Session Timeout is the maximum time for a client session with the WLC. After this

time, WLC de−authenticates the client, and the client goes through the whole authentication

(re−authentication) process again. This is a part of a security precaution to rotate the

encryption keys. If you use an Extensible Authentication Protocol (EAP) method with key

management, the rekeying occurs at every regular interval in order to derive a new encryption

key. Without key management, this timeout value is the time that wireless clients need to do a

full reauthentication. The session timeout is specific to the WLAN. This parameter can be

accessed from the WLANs > Edit menu.

New Member

Wireless lan Controller Session timeout and lwapp question

What happen if i disable the session timeout and the user change its password in ldap. Willl it ask to re-authenticate or will keep the old credential.


New Member

Wireless lan Controller Session timeout and lwapp question


By default, the session timeout parameter is configured for 1800 seconds       before a reauthentication occurs.

In order to access the session timeout parameter, click the       WLANs menu in the GUI. It displays the list of WLANs       configured in the WLC. Click the WLAN to which the client belongs. Go to       the Advanced tab and you find Enable Session       Timeout parameter. Change the default value to 180, and click       Apply for the changes to take effect.

When sent in an Access-Accept, along with a Termination-Action value of       RADIUS-Request, the Session-Timeout attribute specifies the maximum number of       seconds of service provided before re-authentication. In this case, the       Session-Timeout attribute is used to load the ReAuthPeriod constant within the       Reauthentication Timer state machine of 802.1X.

For more details please check the following cisco doc:

Hope this helps!