
User Idle Timeout


Is there a command that shows how much time is remaining before a client will be removed due to the Controller > User Idle Timeout (seconds) setting?


Flavio Miranda


I don't know any command that shows this information, but you can see how long the client is connected using show client detail <mac address>:

show client detail 00:...

Connected For ................................... 6994 secs




-If I helped you somehow, please, rate it as useful.-


Saravanan Lakshmanan
Cisco Employee
There is no direct way to find that detail before the fact. However, the AP manages the user idle timeout for clients, and it can be found using the following command; use radio 0 for 2.4 GHz.

AP#show controller dot11radio1 client
---Clients 0 AID VLAN Status:S/I/B/A Age TxQ-R(A) Mode Enc Key Rate Mask Tx Rx BVI Split-ACL Client-ACL WebAuth-ACL L2-ACL

d0d0.fd65.261f 5 6 30 40104 000 07E 299 0-0 (0) B398 200 0-10 00FFFFFF00000000000 020F 20F - - - - -

The value in the "Age" column (e.g. 299 in sec, in the above example) denotes the time in seconds till the user idle timeout expiry for this session.

Maybe our systems are different but with a similar command I got a nice output of the timeout, though it doesn't look great pasted in here so I bolded the fields. Thanks!



w01-a120#show controllers dot11Radio 1 client F0:76:6f:78:29:11
              mac radio vap aid state encr Maxrate is_wgb_wired      wgb_mac_addr
F0:76:6F:78:29:11     1  14 193   FWD OPEN MCS82SS        false 00:00:00:00:00:00

Configured rates for client F0:76:6F:78:29:11
Legacy Rates(Mbps): 12 18 24 36 48 54
HT Rates(MCS):M0 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15
VHT Rates: 1SS:M0-8 2SS:M0-8
HT:yes     VHT:yes     80MHz:yes     40MHz:yes     AMSDU:yes     AMSDU_long:no
11w:no     MFP:no     11h:yes     encrypt_polocy: 1
_wmm_enabled:yes     qos_capable:yes     WME(11e):no     WMM_MIXED_MODE:no
short_preamble:no     short_slot_time:no     short_hdr:no     SM_dyn:yes
short_GI_20M:yes     short_GI_40M:yes     short_GI_80M:yes     LDPC:yes
is_wgb_wired:no     is_wgb:no

Additional info for client F0:76:6F:78:29:11
RSSI: -47
PS  : Legacy (Awake)
Tx Rate: 0 Kbps
Rx Rate: 0 Kbps
CCX Ver: 0

Statistics for client F0:76:6F:78:29:11
              mac    intf  TxData TxMgmt    TxUC    TxBytes TxFail TxDcrd  RxData RxMgmt   RxBytes RxErr   TxRt   RxRt idle_counter stats_ago expiration
F0:76:6F:78:29:11 apr1v14 9160349      1 9160349 2147483647      0      0 6063057      1 512621958     0 780000 866700           30  6.200000       8190

Per TID packet statistics for client F0:76:6F:78:29:11
Priority Rx Pkts Tx Pkts Rx(last 5 s) Tx (last 5 s)  QID Tx Drops Tx Cur Qlimit
       0 5756591 8870725            0             0 1384       49      7   4096
       1   22217      10            0             0 1385        0      0   4096
       2       0      11            0             0 1386        0      0   4096
       3   38583   13042            0             0 1387        0      0   4096
       4       0       0            0             0 1388        0      0   4096
       5       0       0            0             0 1389        0      0   4096
       6       0       0            0             0 1390       14      0   4096
       7       0       0            0             0 1391        0      0   4096

Yes, we are both using different model APs.
Is the idle time decreasing (and eventually hitting zero) after the client is shut down, and after that does the debug client output show the client getting de-authenticated?

Much nicer output from a 3802 versus the 3602.



Anyway, with a working client getting shut down, the idle-time decrements and the debug shows the disassociation of the client. The client is removed from both the controller and the AP.


With a client that is exhibiting the issue, the client is not even listed in the AP but is listed in the WLC.

Well done!!! It sounds like the following bug!
WLC unable to timeout clients; stale client entries
WLC has stale client entries that will not time out of the client database. If the WLC is an anchor, future exports of that client from a foreign WLC may fail.

Client association exceeds all timers (session timer and idle timer).

Manually deauthenticate the client.

Further Problem Description:
Look for connected times in excess of timers with "show client detail":

(Cisco Controller) >show client detail 34:a3:xx:xx:xx:xx
Connected For ................................... 137373 secs
Policy Manager State............................. WEBAUTH_REQ

Also, these logs may appear in mobility debugs:

*Dot1x_NW_MsgTask_4: Sep 08 14:39:26.655: Mobile Announce Received from 10.x.x.x for mobile ac:5f:xx:xx:xx:xx which is marked for deletion, ignoring Announce
*Dot1x_NW_MsgTask_4: Sep 08 14:39:27.688:ac:5f:xx:xx:xx:xx Anchor Export Request Recvd for mobile ac:5f:xx:xx:xx:xx from 10.x.x.x type : 16 subtype : 0 seq no : 33417 xid : -1493276927
*Dot1x_NW_MsgTask_4: Sep 08 14:39:27.688: ac:5f:xx:xx:xx:xx IPv6 ACl Name is none

*Dot1x_NW_MsgTask_4: Sep 08 14:39:27.688: ac:5f:xx:xx:xx:xx mmAnchorExportRcv:, Mobility role is ExpAnchor
*Dot1x_NW_MsgTask_4: Sep 08 14:39:27.688: Export Anchor(for mobile ac:5f:xx:xx:xx:xx from 10.x.x.x) ignored. Reason - client is in Export Anchor role and the pem timer has exired
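
The check the bug text describes (connected times in excess of the timers in "show client detail"), as an added example that is not part of the original thread or Cisco's own tooling. It parses saved CLI output and flags clients whose "Connected For" value exceeds both timers; the function names, the sample capture and the timeout values (86400 s session, 300 s idle) are assumptions, so pass the values configured on your WLAN.

```python
import re

# "Name ........ value" lines as printed by the WLC "show client detail" command.
FIELD_RE = re.compile(r"^\s*([^.\n]+?)\s*\.{2,}\s*(.+?)\s*$")
HEADER_RE = re.compile(r"show client detail\s+(\S+)")

# Constructed capture: the first client reuses the values quoted in the bug text,
# the second client (MAC and state) is made up for contrast.
SAMPLE = """\
(Cisco Controller) >show client detail 34:a3:xx:xx:xx:xx
Connected For ................................... 137373 secs
Policy Manager State............................. WEBAUTH_REQ
(Cisco Controller) >show client detail 00:11:22:33:44:55
Connected For ................................... 6994 secs
Policy Manager State............................. RUN
"""

def parse_client_details(text):
    """Split captured CLI text into one dict of fields per client."""
    clients, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            current = {"mac": header.group(1)}
            clients.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return clients

def find_stale(text, session_timeout, idle_timeout):
    """Return (mac, connected_secs, state) for clients past all timers."""
    limit = max(session_timeout, idle_timeout)  # "exceeds all timers"
    stale = []
    for client in parse_client_details(text):
        m = re.match(r"(\d+)\s+secs", client.get("Connected For", ""))
        if m and int(m.group(1)) > limit:
            stale.append((client["mac"], int(m.group(1)),
                          client.get("Policy Manager State")))
    return stale

if __name__ == "__main__":
    # Timeout values here are assumed, not taken from the thread.
    for mac, secs, state in find_stale(SAMPLE, session_timeout=86400, idle_timeout=300):
        print(f"{mac}: connected {secs}s, state {state} -> exceeds all timers")
```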