How WLC calculate dirty interface

Safwan Hashan
Level 1

Hi,

 

I have some issues with the interface group setup.

Scenario :

Cisco WLC 5520 running 8.5.140 code.

15 interfaces in 1 interface group.

Open authentication SSID

Authentication in Firewall. Allowed 7 days for each client.

 

So, my question is, how does the WLC determine that my VLAN is dirty, and is there any way to override this configuration so that my WLC will follow the firewall configuration, which is 7 days for each client? Some of my clients get the authentication page before 7 days.

 

Thanks in advance.

1 Accepted Solution

Hi,

Thanks. We disabled the session timeout but the issue is still there.

So, I'm changing the configuration for the interface group to non-aggressive and we don't have any dirty interface anymore.

6 Replies

Sandeep Choudhary
VIP Alumni

Are you using webauth on the SSID?

 

If yes, then adjust the timeout on the WLC, including the sleeping client feature.

 

Regards

Don't forget to rate helpful posts

No, I'm not using webauth. I'm using open authentication.

Arne Bier
VIP

When you say "VLAN is dirty", do you mean DHCP exhaustion? If so, then the answer is that the WLC listens for DHCP Replies and if none is received, then the WLC calculates a new hash value to select a different interface. Then the same algorithm runs again.

 

Hi,

 

The client shouldn't be authenticated before 7 days because the MAC address of the client is stored in the firewall.

The only reason the client gets re-authenticated before 7 days is because the client is changing its IP address.

So, when the client gets re-authenticated before 7 days, I check the WLC and it shows the output below.

 

(Cisco Controller) >show interface group detailed <int group>

Interface Group Name............................. <int group>
Quarantine ...................................... No
Number of Wlans using the Interface Group........ 2
Number of AP Groups using the Interface Group.... 122
Number of Interfaces Contained................... 16
mDNS Profile Name................................ Unconfigured
Failure-Detect Mode.............................. Aggressive
Interface Group Description......................
Interfaces Contained in this group ..............
pool 701
pool 702
pool 703
pool 704
pool 705
pool 706
pool 707
pool 708
pool 709
pool 710
pool 711
pool 712
pool 713
pool 714 *
pool 715
pool 716
Interface marked with * indicates DHCP dirty interface
Interface list sorted based on vlan:

Index Vlan Interface Name                   Dirty Failures      DirtyTime(s)
----- ---- -------------------------------- ----- ------------- ------------
0     701  pool 701                         No    0             0
1     702  pool 702                         No    0             0
2     703  pool 703                         No    0             0
3     704  pool 704                         No    0             0
4     705  pool 705                         No    0             0
5     706  pool 706                         No    0             0
6     707  pool 707                         No    0             0
7     708  pool 708                         No    0             0
8     709  pool 709                         No    0             0
9     710  pool 710                         No    0             0
10    711  pool 711                         No    0             0
11    712  pool 712                         No    0             0
12    713  pool 713                         No    0             0
13    714  pool 714                         Yes   7             863
14    715  pool 715                         No    0             0
15    716  pool 716                         No    0             0

 

Is there any way to turn this dirty interface off?

 

Thanks in advance.

I think you're misinterpreting concepts here. Dirty interface, as mentioned above, is a flag indicating that something is not good on the DHCP service. An interface can become Dirty because your DHCP scope is full, or because the DHCP request sent on that interface is not reaching the DHCP server. After some failed attempts on a specific interface, the WLC marks that interface as Dirty and stops asking DHCP on that interface for a while. You can see a counter on the Dirty interface.

 

Re-authentication and DHCP renewal are different things. You can have a lease time of, let's say, 5 minutes and a session timeout of 60 minutes. Which means the IP address will be renewed many times until the re-authentication takes place.

You can configure Session timeout as 0 "zero" and then disable Session timeout.

 

Valid ranges for Session timeout are:

 

Configurable session timeout range is:
• 300-86400 for 802.1x.
• 0-65535 for all other security types.

 

If in your case you are using Open Authentication, you can use up to 65535 seconds, which means 18 hours.

 

-If I helped you somehow, please, rate it as useful.-
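
As an added example that is not part of the original thread or of Cisco's tooling: a small Python parser for the "show interface group detailed" table posted above, which reports the failure-detect mode and every interface flagged dirty, with its failure count and dirty time. The sample text is a constructed, shortened copy of that output, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the output format shown in this thread.
SAMPLE = """\
Failure-Detect Mode.............................. Aggressive
Interface marked with * indicates DHCP dirty interface
Interface list sorted based on vlan:

Index Vlan Interface Name Dirty Failures DirtyTime(s)
----- ---- -------------------------------- ----- ------------- ---------
12 713 pool 713 No 0 0
13 714 pool 714 Yes 7 863
14 715 pool 715 No 0 0
"""

# Columns: index, VLAN, interface name (may contain spaces), dirty flag,
# failure count, dirty time in seconds. Works on aligned or collapsed spacing.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+(Yes|No)\s+(\d+)\s+(\d+)\s*$")
MODE = re.compile(r"^Failure-Detect Mode\.+\s*(\S+)")

def parse_interface_group(text):
    """Return (failure_detect_mode, rows) parsed from the CLI output."""
    mode, rows = None, []
    for line in text.splitlines():
        m = MODE.match(line)
        if m:
            mode = m.group(1)
            continue
        m = ROW.match(line)
        if m:
            idx, vlan, name, dirty, failures, dirty_time = m.groups()
            rows.append({"index": int(idx), "vlan": int(vlan), "name": name,
                         "dirty": dirty == "Yes", "failures": int(failures),
                         "dirty_time_s": int(dirty_time)})
    return mode, rows

def dirty_interfaces(text):
    """Return the mode and only the rows the WLC has marked DHCP dirty."""
    mode, rows = parse_interface_group(text)
    return mode, [r for r in rows if r["dirty"]]

if __name__ == "__main__":
    mode, dirty = dirty_interfaces(SAMPLE)
    print(f"Failure-Detect Mode: {mode}")
    for r in dirty:
        print(f"VLAN {r['vlan']} ({r['name']}): "
              f"{r['failures']} failures, dirty for {r['dirty_time_s']} s")
```

Run against periodically captured output, this makes it easy to see which VLAN in the group keeps failing DHCP and for how long.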

Hi,

Thanks. We disabled the session timeout but the issue is still there.

So, I'm changing the configuration for the interface group to non-aggressive and we don't have any dirty interface anymore.