
AAA status - SMD Platform State: DEAD

Walker
Level 1

Good morning,

I am attempting to troubleshoot an odd issue I am seeing with a Cat9300 v17.3.3 pointing to a v3.1 p4 ISE Server. When configuring interfaces with 802.1x/MAB, the devices will fail to Auth. The switch configuration matches a known good working config, and I have repeatedly deleted the device and recreated it within ISE to no avail. While troubleshooting, there are a few things I don't quite understand, so I am attempting to find some answers.

When I perform a "sh access-ses brief" I see the following:

Interface MAC Address      AuthC     AuthZ        Fg  Uptime
-----------------------------------------------------------------------------
Gi2/0/4 0011.74a6.2cdf m:AD d:TO UZ: SA- FA- X 3668245s

AD = AAA Failure, TO = Timeout

When I check the AAA server status, I see the following:

RADIUS: id 1, priority 1, host X.X.X.X, auth-port 1812, acct-port 1813, hostname ISE-RADIUS
State: current UP, duration 4883s, previous duration 60s
Dead: total time 1980s, count 1
Platform State from SMD: current DEAD, duration 3668794s, previous duration 60s
SMD Platform Dead: total time 60s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No

When checking the RADIUS live logs, you cannot see any attempts from this NAD from any device. The next weird issue is that when I use the "test aaa" command from the troublesome NAD, the authentication request is seen by ISE and is properly Rejected.

There are no Firewall or ACL in the path of the NAD to the PSN, so that can be ruled out.

My concern is that the Platform state from SMD is showing as DEAD and it may be the cause, but I cannot find any answers within Cisco docs as to what the SMD platform is. Are there any experts on this board that can explain what I am seeing here and what exactly the SMD Platform is? I have exhausted all my troubleshooting steps and am unsure how to proceed further.

17 Replies

Hi Walker, reload works around the issue for us too, however not recovering from a dead server still. What version did you upgrade to, please, as we are on 17.3.6? Our MAB config was upgraded a while back by IOS 17.3.x.

Hi, just wanna know if the issue was solved at the end? We encounter the same on 17.9.3.

andrew_cooper
Level 1

Upgraded a 9400 to 17.9.5 and we are seeing this behavior.  AAA was working perfectly and we just realized AAA has been dead on this thing for a week which correlates to the upgrade time.  ISSU was used.  Going to schedule a reload and see if it resolves the issue.  

Edit - reload fixed issue for us.
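
Added example, not part of any post in this thread: a small check that parses AAA server status text in the format quoted in the first post and flags a server whose overall state is UP while a per-process platform state (here SMD) is DEAD, so the condition is caught before a week of failed authentications. The sample input is constructed from the output in the post, and the function names are illustrative; collecting the text from the switch is assumed to happen elsewhere.

```python
import re

# Constructed sample, modelled on the server-status output quoted in the first post.
SAMPLE = """\
RADIUS: id 1, priority 1, host X.X.X.X, auth-port 1812, acct-port 1813, hostname ISE-RADIUS
State: current UP, duration 4883s, previous duration 60s
Dead: total time 1980s, count 1
Platform State from SMD: current DEAD, duration 3668794s, previous duration 60s
SMD Platform Dead: total time 60s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
"""

SERVER_RE = re.compile(r"^RADIUS: id (\d+),.*?host (\S+),.*?hostname (\S+)")
STATE_RE = re.compile(r"^(State|Platform State from [^:]+?)\s*:\s*current (\w+)(?:, duration (\d+)s)?")

def parse_servers(text):
    """Return one dict per RADIUS server block with its per-component states."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            servers.append({"id": int(m.group(1)), "host": m.group(2), "hostname": m.group(3), "states": {}})
            continue
        m = STATE_RE.match(line)
        if m and servers:
            name = "overall" if m.group(1) == "State" else m.group(1)[len("Platform State from "):]
            servers[-1]["states"][name] = (m.group(2), int(m.group(3)) if m.group(3) else None)
    return servers

def find_mismatches(servers):
    """Flag components that report DEAD while the server's overall state is UP."""
    findings = []
    for s in servers:
        overall = s["states"].get("overall", ("?", None))[0]
        for name, (state, duration) in s["states"].items():
            if name != "overall" and state == "DEAD" and overall == "UP":
                findings.append((s["hostname"], name, duration))
    return findings

if __name__ == "__main__":
    for hostname, component, secs in find_mismatches(parse_servers(SAMPLE)):
        age = f"{secs / 86400:.1f} days" if secs is not None else "unknown duration"
        print(f"{hostname}: overall UP but {component} platform state DEAD for {age}")
```
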