IDLE timeout and probing for access-session IBNS2.0

Hello Friends!

 

In the IBNS 2.0 Deployment Guide I read that we can define an IDLE timeout for our access-session in the policy.

If we use the additional "probe" parameter, the switch has to check the availability of a silent endpoint (ARP probing).

I defined a service template for the inactivity timer with probing.

 

service-template INACTIVITY-TIMER
 inactivity-timer 60 probe
......
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template INACTIVITY-TIMER
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
.......

 

If I understand correctly, it must instruct the switch to probe the endpoint every 30 seconds of inactivity.

But it doesn't work this way.

The default timer for ARP probing (device-tracking) on the switch is 300 seconds, and it doesn't change even if we apply that service-template.

In the end, after 60 seconds of inactivity the host becomes unauthorized because the switch didn't adjust the ARP-probing timer.

 

The guide says:

Intelligent Aging

When the inactivity timer is enabled, the switch monitors the activity from authenticated endpoints. When the inactivity timer expires, the switch removes the authenticated session.

.........
To counter these types of cases, an arp-probe can be enabled along with the inactivity-timer, so that the switch periodically sends ARP probes to endpoints in the IP Device Tracking table. As long as the endpoint is connected and responds to these probes, the inactivity timer is not triggered, and the endpoint is not inadvertently removed from the network.
.........

 

Please help me understand whether the ARP probe timer adjusts itself according to the inactivity-timer settings with the "probe" keyword or not.

 

Thanks in advance,

Tom


Re: IDLE timeout and probing for access-session IBNS2.0

I tested it on a 9300 with 16.9 -> it works there.

"show device-tr database" shows an adjusted "Time left" value.

Sorry Tommy, I know it doesn't help in your case, but it might be helpful for other users.

 

 
