...
Session-timeout is not being honored. Seen with iPads and iPhones: they are not deleted from the controller after session-timeout and remain in RUN state. The client shows "Re-Authentication Timeout" as "Timer not running" instead of showing (Remaining time: X sec):

WLC9800#sh wireless client mac-address xxxx.xxxx.xxxx det | in Re-Authentication Timeout
Re-Authentication Timeout : XXX sec (Timer not running)
Seen on a dot1x SSID using PEAP with FT enabled, central switching, central authentication, Local mode AP, and ISE as the AAA server.

There is no issue on the first authentication attempt. The issue is that after the session timeout the client is expected to reauthenticate, but after a few session timeout events (around 5) the client is stuck in authentication failed.

For testing purposes we decreased the session timeout to 300 seconds (5 min) and the idle timeout to 90 s, so that the issue could be seen easily:

2022/09/13 14:39:34.627009 {wncd_x_R0-0}{1}: [client-orch-state] [25208]: (note): MAC: xxxx.xxxxx.xxxxx Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_RUN
….
2022/09/13 14:44:34.627465 {wncd_x_R0-0}{1}: [auth-mgr] [25208]: (info): [xxxx.xxxxx.xxxx:capwap_90000013] Accounting timer (0) expired for client xxxx.xxxx.xxxx <<<Here we expect the client to reauthenticate after 5 min
…
2022/09/13 14:46:04.971532 {wncd_x_R0-0}{1}: [errmsg] [25208]: (note): %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) with reason (Timeout) on Interface capwap_90000013 AuditSessionID 8C09530A000000483825C4EF Username: XXXXX
2022/09/13 14:47:34.973572 {wncd_x_R0-0}{1}: [errmsg] [25208]: (note): %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) with reason (Timeout) on Interface capwap_90000013 AuditSessionID 8C09530A000000483825C4EF Username: XXXXX
2022/09/13 14:50:34.974548 {wncd_x_R0-0}{1}: [errmsg] [25208]: (note): %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) with reason (Timeout) on Interface capwap_90000013 AuditSessionID 8C09530A000000483825C4EF Username: XXXXX
2022/09/13 14:50:34.974671 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [25208]: (ERR): SANET_AUTHC_FAILURE - Timeout username xxxxx, audit session id 8C09530A000000483825C4EF,
2022/09/13 14:50:34.974683 {wncd_x_R0-0}{1}: [errmsg] [25208]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface capwap_90000013 AuditSessionID 8C09530A000000483825C4EF. Failure reason: Authc fail. Authc failure reason: Timeout.
2022/09/13 14:50:34.975163 {wncd_x_R0-0}{1}: [client-auth] [25208]: (info): MAC: xxxx.xxxx.xxxx Client auth-interface state transition: S_AUTHIF_DOT1XAUTH_DONE -> S_WAIT_FOR_CO_DELETE

Surprisingly, the client remains in RUN state despite the authentication failure logs seen above, and the "Re-Authentication Timeout" says "Timer not running":

WLC9800#sh wireless client mac-address xxxx.xxxx.xxxx det | in ime
Time source is NTP, 15:36:42.498 EDT Tue Sep 13 2022
Idle state timeout : N/A
Re-Authentication Timeout : 300 sec (Timer not running)
Session Warning Time : Timer not running
Mobility Complete Timestamp : 09/13/2022 14:39:34 EDT
Client Join Time:
Join Time Of Client : 09/13/2022 14:39:31 EDT
Client Entry Create Time : 3428 seconds
Session timeout : 300
Absolute-Timer : 300
Absolute-Timer : 300
Reassociation Timeout : 20
Client Scan Report Time : Timer not running
Time : 09/13/2022 14:39:31
The client needs to be deleted manually.
Clients get stuck after the timeout and are not able to reconnect.
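
The signature described above (repeated DOT1X-5-FAIL Timeout events, a transition to S_WAIT_FOR_CO_DELETE, and a client entry that still reports "Timer not running") can be checked offline against a saved trace and show output. The Python below is an added example, not part of the original report or of any Cisco tooling; the function names, the MAC aaaa.bbbb.cccc, the username and the AuditSessionID are constructed, and the sample lines are modelled on the ones quoted above.

```python
import re
from collections import defaultdict

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
FAIL = re.compile(rf"%DOT1X-5-FAIL: Authentication failed for client \(({MAC})\) with reason \(Timeout\)")
DELETE = re.compile(rf"MAC: ({MAC}) Client auth-interface state transition: \S+ -> S_WAIT_FOR_CO_DELETE")
TIMER = re.compile(r"Re-Authentication Timeout\s*:\s*\d+ sec \(([^)]*)\)")

def dot1x_timeouts(trace):
    """Per MAC: number of DOT1X-5-FAIL (Timeout) events, and whether the
    auth interface then moved to S_WAIT_FOR_CO_DELETE."""
    seen = defaultdict(lambda: {"timeouts": 0, "wait_delete": False})
    for line in trace.splitlines():
        if m := FAIL.search(line):
            seen[m.group(1)]["timeouts"] += 1
        elif m := DELETE.search(line):
            seen[m.group(1)]["wait_delete"] = True
    return dict(seen)

def reauth_timer_stalled(show_detail):
    """True when the show output reports the re-auth timer as not running."""
    m = TIMER.search(show_detail)
    return m is not None and m.group(1).strip() == "Timer not running"

def is_stuck(mac, trace, show_detail):
    """Heuristic: re-auth failed in the trace, yet the client entry is still
    present and its re-authentication timer is dead."""
    s = dot1x_timeouts(trace).get(mac)
    return bool(s and s["timeouts"] and s["wait_delete"]) and reauth_timer_stalled(show_detail)

# Constructed sample input, modelled on the trace and show output quoted above.
TRACE = """\
2022/09/13 14:44:34.627465 {wncd_x_R0-0}{1}: [auth-mgr] [25208]: (info): [aaaa.bbbb.cccc:capwap_90000013] Accounting timer (0) expired for client aaaa.bbbb.cccc
2022/09/13 14:46:04.971532 {wncd_x_R0-0}{1}: [errmsg] [25208]: (note): %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) with reason (Timeout) on Interface capwap_90000013 AuditSessionID 000000000000000000000001 Username: user1
2022/09/13 14:47:34.973572 {wncd_x_R0-0}{1}: [errmsg] [25208]: (note): %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) with reason (Timeout) on Interface capwap_90000013 AuditSessionID 000000000000000000000001 Username: user1
2022/09/13 14:50:34.974548 {wncd_x_R0-0}{1}: [errmsg] [25208]: (note): %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) with reason (Timeout) on Interface capwap_90000013 AuditSessionID 000000000000000000000001 Username: user1
2022/09/13 14:50:34.975163 {wncd_x_R0-0}{1}: [client-auth] [25208]: (info): MAC: aaaa.bbbb.cccc Client auth-interface state transition: S_AUTHIF_DOT1XAUTH_DONE -> S_WAIT_FOR_CO_DELETE
"""
SHOW_STUCK = "Re-Authentication Timeout : 300 sec (Timer not running)"
SHOW_OK = "Re-Authentication Timeout : 300 sec (Remaining time: 120 sec)"

if __name__ == "__main__":
    print(dot1x_timeouts(TRACE))
    print(is_stuck("aaaa.bbbb.cccc", TRACE, SHOW_STUCK))
```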