topic Re: Intermittent Connectivity Issues w/DOT1X MDA in Network Access Control

Intermittent Connectivity Issues w/DOT1X MDA

Terence Lockette — Tue, 31 Jul 2018 16:13:24 GMT

Hello,

I am seeing a strange intermittent connectivity issue for a dot1x session I'm testing out. We are currently using ISE 2.3 with patch 4. I'm testing out MDA for a Win10 machine and a Mitel 5320e IP phone. Each receive it's own authorization profile. The PC authenticates in the DATA domain (via dot1x) and the phone in the VOICE domain (via MAB). Each works as expected when connected to it's own port. However, when I place the PC behind the phone so that they both authenticate on the same port, I tend to lose connectivity randomly. I ran a constant ping on both tests and get no packet loss on separate ports but around 1% when on the same port. I also notice a brief bump in my connection to network applications. I have the machine authorization policy common task configured to reauthenticate every 4 hours but no reauthentication for the IP phone authZ profile. Here is a copy of the port config:

interface GigabitEthernet0/1
switchport mode access
switchport nonegotiate
switchport voice vlan 30
ip device tracking probe count 1
ip device tracking probe interval 30
ip device tracking maximum 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast edge
spanning-tree bpduguard enable
end

As stated before, they work as expected with no drops in connectivity when on separate ports but when together, that's when intermittent connectivity issues occur. Let me know if you have any additional questions or need any further info.

Terence

Re: Intermittent Connectivity Issues w/DOT1X MDA

Timothy Abbott — Tue, 31 Jul 2018 16:47:51 GMT

One of the things I've seen in the past is that QoS could be causing the problem. Have you tried removing the QoS config and retest?

Regards,
Tim

Re: Intermittent Connectivity Issues w/DOT1X MDA

Terence Lockette — Tue, 31 Jul 2018 16:48:48 GMT

Sure. I'll give that a try right now.

Re: Intermittent Connectivity Issues w/DOT1X MDA

Terence Lockette — Tue, 31 Jul 2018 16:51:59 GMT

Ok so I have auto QoS removed from the interface I'm testing from and will monitor for about an hour. My last constant ping results sent 1,459 packets and lost 21. I've started a new continuous ping and will check the results.

In the meantime, if auto QoS is causing an issue, what alternative do I have to making sure voice traffic still gets priority over other data traffic?

Terence

Re: Intermittent Connectivity Issues w/DOT1X MDA

Terence Lockette — Tue, 31 Jul 2018 16:53:31 GMT

Looks like I'm still dropping packets and getting the same results.

Re: Intermittent Connectivity Issues w/DOT1X MDA

Timothy Abbott — Tue, 31 Jul 2018 16:53:50 GMT

If it does turn out to be QoS, I would look to see if there is a defect for the switch code you are using and if it is resolved in a newer release.

Regards,
timn

Re: Intermittent Connectivity Issues w/DOT1X MDA

Terence Lockette — Tue, 31 Jul 2018 16:56:50 GMT

I've just completed an IOS upgrade of all of our switches and dot1x issues were the main thing I looked for in the release notes. My 4500E switches are running 3.8.6 for Sup-8E and 3.6.6 for Sup-7E. My 3560CX test switch is running 15.2(4)E4 while our 2960X switches are running 15.2(2)E7.

Re: Intermittent Connectivity Issues w/DOT1X MDA

Timothy Abbott — Tue, 31 Jul 2018 17:00:06 GMT

Just out of curiosity, are you seeing the issue across all switch types?

Regards,
Tim

Re: Intermittent Connectivity Issues w/DOT1X MDA

Terence Lockette — Tue, 31 Jul 2018 17:02:19 GMT

So far just my 3560CX and one of the 4500E switches running the Sup-8E. I haven't deployed campus wide in fear of what I'm experiencing now. I'm testing various setups we have in our network to get an idea of what our users may or may not experience. So far, the MDA on a single port appears to cause random drops which will be frustrating for our end users.

Re: Intermittent Connectivity Issues w/DOT1X MDA

dawid.karol.bednarczyk — Wed, 21 Nov 2018 15:29:25 GMT

Just a blind shot but check this out:

https://community.cisco.com/t5/identity-services-engine-ise/ip-device-tracking/m-p/3750828#M20916

IP device tracking probes can cause endpoints to learn IP address of gateway ( depending on configuraiton you have ) with mac address of switchport causing packets to be dropped. You can see some intermittent connectivity issues.

Check endpoint arp table for default gw if you can se mac address changing there.