we have phones connecting to a private APN through ACS4.2 that then auth to backend servers. Once auth'd the ACS provides IP addressing from IP pools.

IP pools are set up on 2 possible ACS servers. Access requests are from 2 source NAS-port IPs.

The pools across the 2 servers are split so they are not identical but they each have an upper and lower pool depending on which NAS-port makes the request.

--

Example:

multiple users -> request for auth/IP -> src= either NAS-10.1.1.1 or NAS-10.1.1.2

server 1:

if 10.1.1.1 give lower range - 10.2.2.1 - 10.2.2.127

if 10.1.1.2 give upper range - 10.2.2.128 - 10.2.2.254

server 2:

if 10.1.1.1 give lower range - 10.2.3.1 - 10.2.3.127

if 10.1.1.2 give upper range - 10.2.3.128 - 10.2.3.254

--

The problem is that the ACS is giving out IP addressing that is already in use on the APN by another device to a new request. We then see multiple 'Passed Authentications' before a single Radius 'Start' packet as the requests cycle through until a free IP is gained. Even though each auth is successful the device is dropped from the APN due to 'duplicate IP' messages. Troubleshooting with the provider shows the problem to be at the ACS side.

The pools have address recovery enabled for every 12 hours.

The devices sent 'interim updates' every 30 minutes. So no IP should ever be re-issued without definitely being inactive (the interim updates count as valid traffic).

My questions - why is the ACS still issuing IP addressing that it should know is in use from its own database? Is there any way to further prevent it from doing this?