Implementing 802.1x for IP Phones - issue with UCM timeout
We are working on implementing 802.1x with our 8851 IP phones. We have installed the LSC cert and enabled 802.1x on a few phones for testing. We are using Cisco ISE and the switch is configured for host mode multi domain. Everything seemed to be working fine, until we noticed the phones were resetting about every 48 minutes. Looking at the logs on the phone, it seems it is being reset due to a timeout with CUCM. Back out 802.1x and the issue goes away.
My Cisco ISE admin didn’t see anything on that side that he thinks is causing the timeout, and we do not see the phone reauthenticating on the port.
I have opened a TAC case and collected traces and network captures from the phone and CUCM. Keepalives look good up until that 48-minute mark, and then we see TCP retransmits from the phone and CUCM Unregister reason 6, which is a connectivity error. After some milliseconds TCP is reestablished and the phone re-registers. They believe something in the network is causing the failure. We have several hundred phones and do not see any issues except for our 802.1x enabled phones.
Any guidance on troubleshooting this issue further?
CUCM v 11.5(1) SU6
IP phones are on latest firmware 12.7.1 or 12.8.1
Phones and UCS connected to Cisco 6880/6800ia switching