Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
980
Views
0
Helpful
4
Replies

Where to configure Timeouts? anchor or foriegn?

ndr_eds
Level 1
Level 1

‎11-11-2015 07:19 AM - edited ‎07-05-2021 04:12 AM

I have a guest wireless environment with an anchor controller (5508) in my DMZ fed by several "foriegn" controllers (WiSM2's, 5508's, 4400's)

my question is: Where is it best to configure the Session and user idle timeouts? On each of the foriegn WLC's Guest SSID's  or should they be configured on just the one guest wireless anchor WLC? I assume it would not be a good idea to have it on both at the same time, which setting would take precedence?

Labels:
0 Helpful
4 Replies 4

Sandeep Choudhary
VIP Alumni
VIP Alumni

‎11-12-2015 12:18 AM

Hi,

I think your config needs to be identical on both the anchor/foreign WLC. If not you will likely have issues if configs are not identical specific to the WLAN.

Regards

Dont forget to rate helpful posts

0 Helpful

ndr_eds
Level 1
Level 1
In response to Sandeep Choudhary

‎11-12-2015 06:47 AM

Hi, thanks for the reply and i understand about the WLAN's needing to be identical (SSID, profile name, etc) but are not these timers on each controller independent?? Are they syncronized in some way or do they control the client sessions independently?  I have been runing for quite a long time with the timeouts set only on the foriegn controllers (disabled on the anchor) and have had no issues that I am aware of but I have always wondered if that was the correct way to do it.

Thanks

0 Helpful

Freerk Terpstra
Level 7
Level 7
In response to ndr_eds

‎11-15-2015 04:06 AM

This is what I discovered with the foreign and anchor setup based on AirOS 8.0:

Session timeout
The most "short" configured session timeout is leading. If the session is no longer valid on the foreign WLC it will also be cleared on the anchor. This happens the other way around as well. If you are using layer3 auth the client will be prompted with the webportal again.

User idle timeout
The user idle timeout is a feature on the WLC to get the clients removed even before the session timeout has expired. This setting is completely being ignored on the anchor WLC. Once this timer has been hit on the foreign WLC the results are the same as with the session timeout.  

If you don't configure any specific timers on the SSID itself, the system default timers are being used which is 1800 seconds session timeout and 300 seconds user idle timeout. Which settings are the best for your deployment depends on user friendliness, security and also performance (because all those sessions needs to stay in the WLC database which has it limits).

You have to experiment with this if you don't really know how much clients your deployment has to support. A good starting point for a SSID with layer3 auth is 8 hours session time-out with an idle time-out of 2 hours.

Please rate useful posts... :-)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card