Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
402
Views
5
Helpful
1
Replies

Cisco 8800 & 7800 devices dropping registration

RAustin70
Level 1
Level 1

‎01-09-2019 10:10 AM - edited ‎03-18-2019 12:35 PM

Our site uses 802.1x w/MAC Address Bypass List for port authentication.  This has not been a problem for the past 2 years.  A couple weeks ago our Network Team lead implemented an auto configuration on the ports with ISE where the device gets plugged in, gets power and vlan, DHCP and Option 150 to the TFTP servers.  And the devices Authenticate after ~15 seconds when the three 5-second attempts time out and it goes to MAB.  The devices come up and work fine for about 2,000 phones on site.

Problems began when this autoconfiguration came into play, and a port config looks like this on our 3750-x switches:

!
interface GigabitEthernet2/0/23
switchport access vlan 333
switchport mode access
switchport nonegotiate
switchport voice vlan 334
switchport port-security maximum 10
switchport port-security
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
no mdix auto
storm-control broadcast level 10.00
storm-control multicast level 10.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast edge

 

Now, we have a few sporadic instances where phones are up and working, then they just drop registration to the CUCM.  Show interface on the port shows UP UP (connected)  Show Auth Session on the port shows Auth MAB, I can get to the device interface if I click on the IP of the device in CUCM, BUT the device will not register, When I do a show IP arp | i <MAC add> it is not arp'ing to the core.

 

Bouncing the port does not really work, physically unplugging the device does not really work, BUT moving the cable from one port to another free port on the switch almost always works.

 

Our network team is looking into something with cached credentials on the ISE servers, as the devices seem to be re-authing a lot, but the Servers are set up to Auth once and be done.

 

Is there anything I can look into on the CUCM (11.5.1) or the Devices (7841, 7811, 8861, 8865, 7960) that could be causing loss of registration?

 

Thank you for your time

 

Rob

Labels:
0 Helpful
1 Reply 1

Mohammed al Baqari
Level 11
Level 11

‎01-09-2019 11:53 PM

I had similar problem and opened tac case but they never fixed it. I had to
work around it by using authentication open and explicit ACL to deny any any
Customers Also Viewed These Support Documents