The Monitoring and Reports part of ACS 5.x contains information about the incoming authentication requests (TACACS+ and RADIUS) also information about the health of each ACS node in the deployment. The Monitoring and Report Dashboard gives us a quick and easy way to get to both authentication and health information.

Out of the box, the Monitoring and Reporting dashboard is populated with the “Top 5 Alarms” and “My Favourite Reports” applications (more applications can be added by clicking on the “Configure” button in the top right-hand corner of the dashboard). One of the more common alarms that appears in the “Top 5 Alarms” list is the “delete 20 000 sessions” alarm. At first glance the alarm name may give the impression that the ACS is deleting key information or perhaps that it’s unexpectedly kicking off 20 000 users. So, what does this alarm really mean?

This  alert is informational and is generated because the ACS View keeps  track of authentication sessions.

The ACS View maintains all the sessions (RADIUS/TACACS  Authentication/Authorization/Accounting). It can keep only 250,000  sessions at a time. Whenever it crosses 250k, it will try to delete 20k  sessions, and will send an alarm (the one that you see on the ACS  Dashboard).

The ACS normally keeps track of the session authentications by  following accounting records ACCOUNT_START and ACCOUNT_STOP. However, if  ACS View does not get ACCOUNT_STOP records, the number of sessions will  not be decreased. As a result, any active sessions for which the ACS  View does not receive an ACCOUNT_STOP will remain and then expire  after two days.

This is covered in the doc Secure Access Control System 5.x and Later FAQ.