https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459854#M528384 <HTML><HEAD></HEAD><BODY><P>Hi Kashyap,</P><P></P><OL><LI>What is the switch platform and software version?</LI><LI>What does the 'show aaa servers' command show? </LI><LI>*92.92ea endpoint on Gi 1/0/12 seems to be authenticated successfully, don't you see it under ISE live sessions?</LI><LI>Do you have TAC case open for this?</LI></OL><P></P><P>-Hari</P></BODY></HTML> Thu, 20 Jul 2017 00:01:07 GMT hariholla 2017-07-20T00:01:07Z https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459853#M528383 <HTML><HEAD></HEAD><BODY><P>Hello Experts,</P><P></P><P>I am seeing authentication unknown status in swithc for some ports on a switch. The ISE server is up and on 2.1 version. See the screenshot below,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P><IMG alt="" class="image-1 jive-image" height="191" src="https://community.cisco.com/legacyfs/online/fusion/109438_pastedImage_0.png" style="width: 427px; height: 191.461px;" width="427" /></P><P>when I check for the auth session details for one of the ports, it displyas "Blocked on: AAA Not Ready" error. and on ISE I am seeing logs only for port g1/0/10. </P><P><IMG alt="" class="jive-image image-2" height="418" src="https://community.cisco.com/legacyfs/online/fusion/109439_pastedImage_1.png" style="width: 350px; height: 417.742px;" width="350" /></P><P>As this switch is in production so I can not bounce the port without a request and approval.</P><P>Therefore what would be the possible reason for this error and how to resolve it?</P><P></P><P>Any help on this is highly appreciated.</P><P></P><P>Thanks,</P><P>Kashyap</P></BODY></HTML> Wed, 19 Jul 2017 18:38:55 GMT https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459853#M528383 kachavda 2017-07-19T18:38:55Z https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459854#M528384 <HTML><HEAD></HEAD><BODY><P>Hi Kashyap,</P><P></P><OL><LI>What is the switch platform and software version?</LI><LI>What does the 'show aaa servers' command show? </LI><LI>*92.92ea endpoint on Gi 1/0/12 seems to be authenticated successfully, don't you see it under ISE live sessions?</LI><LI>Do you have TAC case open for this?</LI></OL><P></P><P>-Hari</P></BODY></HTML> Thu, 20 Jul 2017 00:01:07 GMT https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459854#M528384 hariholla 2017-07-20T00:01:07Z https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459855#M528385 <HTML><HEAD></HEAD><BODY><P>Hello Hari, </P><P></P><P>Please see my answers below,</P><P>&nbsp;&nbsp; 1. What is the switch platform and software version?</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The switch platform is "WS-C3850-24P" and a version is 03.07.00E. </P><P>&nbsp;&nbsp;&nbsp; 2. What does the 'show aaa servers' command show?</P><P><IMG alt="" class="image-1 jive-image" height="249" src="https://community.cisco.com/legacyfs/online/fusion/109571_pastedImage_8.png" style="width: 317px; height: 248.998px;" width="317" /></P><P></P><P>&nbsp;&nbsp;&nbsp; 3. *92.92ea endpoint on Gi 1/0/12 seems to be authenticated successfully, don't you see it under ISE live sessions?</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I could see a session on port g1/0/12 for *92.92ea MAC. </P><P>&nbsp;&nbsp;&nbsp; 4. Do you have TAC case open for this?</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I have not opened up a case yet. </P><P></P><P>Let me know if you need more details.</P><P></P><P>Thanks,</P><P>Kashyap Chavda </P></BODY></HTML> Thu, 20 Jul 2017 16:10:30 GMT https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459855#M528385 kachavda 2017-07-20T16:10:30Z https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459856#M528386 <HTML><HEAD></HEAD><BODY><P>Hi Kashyap,</P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">I shared this case with a friend of mine who is a developer, and he said you seem to be running in to CSCuu66531 (internal defect). The defect details are not publicly available now, since it is not release-noted or associated to a TAC case. </SPAN></P><P></P><P>The AAA not ready state is potentially a memory leak issue which happens on some random trigger, thats unknown. The issue however is fixed in the 03.07.03E version or later. The only workaround known for now (apart from a switch reload) is to disable aaa system accounting with the “aaa accounting system” global command. Note, this does not disable dot1x/mab accounting for endpoints, however will disable system level aaa accounting that appears during a switch boot up. </P><P></P><P><SPAN style="font-size: 10pt;">I suggest you open a Cisco TAC case, so that you get formal instructions on how to proceed on this issue. </SPAN></P><P></P><P>Cheers!</P><P>-Hari</P></BODY></HTML> Fri, 21 Jul 2017 03:54:51 GMT https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459856#M528386 hariholla 2017-07-21T03:54:51Z https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459857#M528387 <HTML><HEAD></HEAD><BODY><P>Thanks Hari for helping on this issue. </P></BODY></HTML> Fri, 21 Jul 2017 14:21:13 GMT https://community.cisco.com/t5/network-access-control/quot-blocked-on-aaa-not-ready-quot-status-on-switch/m-p/3459857#M528387 kachavda 2017-07-21T14:21:13Z