topic Re: Network drops after NAC in Network Security

Network drops after NAC

hemen.goradia — Fri, 21 Feb 2020 10:57:50 GMT

After implementation of NAC OOB VG, users are complaining random network loss. Any guess?

Re: Network drops after NAC

hadbou — Tue, 19 Aug 2008 13:28:00 GMT

Are you getting any error messages?

Re: Network drops after NAC

hemen.goradia — Tue, 19 Aug 2008 14:55:00 GMT

No errors "Destination Host Unreachable"

Hemen

Re: Network drops after NAC

dgold — Mon, 15 Sep 2008 15:32:15 GMT

If you are using Clean Access Agent v 4.1.3.0 upgrade to 4.1.3.1 and the problem will be resolved.

Re: Network drops after NAC

hemen.goradia — Mon, 15 Sep 2008 15:57:36 GMT

After upgrade also it does not work...

Hemen

Re: Network drops after NAC

felixjai — Wed, 17 Sep 2008 15:04:21 GMT

Did you get the chance to see the problem on a PC while it's occurring? Does the CCA agent keep refreshing its IP? Check to see if the PC has the IP from the user or auth vlan. If CCA Agent keeps on re-authenticating and goes in loop. You might want to block UDP 8905 and 8906 from the user vlan.

Please give us more info in order to determine what is wrong. Find out what exactly happens on the user level is critical.

Re: Network drops after NAC

hemen.goradia — Wed, 17 Sep 2008 16:19:10 GMT

Yes i checked PC is not refreshing IP and it stays in user vlan always. I kept ping log for a day and it shows "destination host unreachable in between"

Hemen

Re: Network drops after NAC

felixjai — Wed, 17 Sep 2008 17:14:54 GMT

If the PC holds the user vlan IP address but gets the "destination host unreachable" ping error, the CAM server might have put the port for the PC back to auth vlan due to some reason.

In this case, you can do a dhcp release and renew on the PC. Or simply restart the PC. It should get an IP from the auth vlan and go through the CCA authentication and posture asessment. Then you will be good.

One thing you can check to see why the port for the PC went back to auth vlan.

Go to Device Management -> Clean Access -> Certified Devices -> Timer

If you have a scheduled cleanup rule to clear your certified devices. Your PCs might be put back to auth vlan. Just edit the rule, and check the box for "Keep Online Users".

If the above is not the cause, find out if there is any unexpected reboot on your access switch assuming your PC is connected to the port behind an IP phone. Because your PC didn't lose network connection, but the access layer switch detects a new MAC notification and triggers to switch to auth vlan.

Re: Network drops after NAC

hemen.goradia — Wed, 17 Sep 2008 17:30:29 GMT

I tried all above excercises. And this issue over the network and very frequest so to restart systems fessible solution.

There is not timer set on certified devices in CAM.

we don't have IP phone in network.

Hemen

Re: Network drops after NAC

felixjai — Thu, 18 Sep 2008 01:54:43 GMT

One more thing you can check-

Go to CAM, check Monitoring -> Event Logs -> Log Viewer

Add filter for text and set "contains" and put the IP address or the username of one of the PCs that has problem. See what kind of events have been happening to the PC. This should give you some ideas of what's going on.