Timeout setting on Wireless LAN Controller

In this post we will the check the specific timeout on WLC. I did some test on idle timeout and session timeout.
Let’s see how it works and what does it means:
Session Timeout
Session timeout is a value that forces a re-auth when the timer expires. This value starts copying down when the client is authenticated.
The Session Timeout is the maximum time for a client session with the WLC. After this time, WLC de-authenticates the client, and the client goes through the whole authentication (re-authentication) process again. This is a part of a security precaution to rotate the encryption keys. If we use an Extensible Authentication Protocol (EAP) method with key management, the rekeying occurs at every regular interval in order to derive a new encryption key. Without key management, this timeout value is the time that wireless clients need to do a full re-authentication. The session timeout is specific to the WLAN.
How to configure or change this value:
Via GUI:
Log in WLC GUI. Go to WLAN > WLAN ID > Advanced

By default session timeout set to 1800sec, we can also uncheck this box or change the timeout value to bigger one. The session timeout can be configured as per WLAN, from 300~86400 seconds.
When the session timeout is being triggered, the PMK cache will be removed, and the client will have to do the authentication again.
Configurable session timeout range is:
• 300-86400 for 802.1x.
• 0-65535 for all other security types.
If we configure session timeout as 0, it means disabling session-timeout, in case of open system, and 86400 seconds for all other system types.

Via CLI:

 (WLAN1) >config wlan session-timeout ?
 <WLAN id> Enter WLAN Identifier between 1 and 16.
 (WLAN1) >config wlan session-timeout 8 ?
 <seconds> The duration of session in seconds (0 = infinity is true only for open system).
 (WLAN1) >config wlan session-timeout 8 65535

User Idle Timeout

The user idle timeout is a global parameter for controller. If the AP/WLC does not receive any packets from the client, after a certain period of time, the client entry will be deleted or when a user is idle without any communication with the LAP for the amount of time set as User Idle Timeout, the client is de-authenticated by the WLC. The client has to re-authenticate and re-associate to the WLC. It is used in situations where a client can drop out from its associated LAP without notifying the LAP. This can occur if the battery goes dead on the client or the client associates move away.
Increasing the user idle timeout utilizes more RAM on the WLC and will make the WLC client database less accurate. Default is 300 seconds (5 minutes).
The user idle timeout can be configured from 15~100000 seconds.

How to configure or change this value:
Via GUI:
Log in WLC GUI. Go to Controller > General > User Idle Timeout

Idle Timeout


Via CLI:

Here is very simple way to configure by command line.

(WLAN1) >config network usertimeout ?
 <seconds> Recommended user idle timeout in seconds between 90 and 100000. Range <15 - 100000>. Default is 300
(WLAN1) >config network usertimeout 86400

ARP Timeout

The ARP Timeout is used to delete ARP entries on the WLC for the devices learned from the network.
Increasing this timeout increases the CPU load and distorts statistics for the number of simultaneous users. The default value is 300 seconds (5 minutes). The is a global parameter for controller.
How to configure it..

Via GUI:
Log in to WLC GUI, then go to Controller > General > ARP Timeout.

ARP Timeout
Via CLI:

Very easy way by CLI:

(WLAN1) >config network arptimeout ?
 <seconds> The ARP entry timeout in seconds. Min is 10, Default is 300
(WLAN1) >config network arptimeout 86400

So it is very important to design and configure the proper value for these timeout parameters otherwise you face the problem of re-Logining every after 5 minute.



  1. ok… umm what times do you recomend match? I mean, We have a timeout of DHCP (because we use an DHCP giving from the WLC) we use a timeout of use session on SSID and two time out that you comment on your post and the last of my doubt… so…
    any timeouts have to match from eachother or every ones working independently?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s