Devices randomly drop off network, until ACL is removed from Switchport (Cisco ISE and MAB)

denise.fyffe
Level 1

Good morning, I have a strange issue with some PCs, which have worked fine on MAB-enabled switches for a while (+1 year), then suddenly drop off the network.


The only way to get them back online is to remove the ACL which is applied on the switchport. If I apply it again straight away, the machine drops off! (Stops pinging, can't access anything on the network.)


Cisco ISE authenticates the device and sees that it has an IP address, but the PC just doesn't respond on the network.


It only affects a handful of PCs across a few different switches; it doesn't affect all PCs on the switch. For example, only 1 PC out of a potential 100 devices on that switch stack will stop working. The rest are quite happy.


PCs would have been working normally for months beforehand.


Cisco ISE 2.1.0.474 patches 2.3


Switch in this example (WS-C3850-48P, 03.02.03.SE, cat3k_caa-universalk9)


Switch config:

interface GigabitEthernetx/x/x
 switchport access vlan xx
 switchport mode access
 switchport voice vlan xxx
 ip access-group MAB-PRE-AUTH in
 no logging event link-status
 no logging event power-inline-status
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos trust dscp
 spanning-tree portfast
 service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy


ip access-list extended MAB-PRE-AUTH
 permit udp any any eq bootps
 permit udp any any eq tftp
 permit udp any any eq bootpc
 permit udp any any eq 4011
 permit udp any host xx.xx.xx.xx range 50000 60000
 deny   ip any any


I would be interested to know if anyone else has come across this issue.


Thanks very much.

Denise
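As an added check (not from the post, and not Cisco code), the script below evaluates the post's MAB-PRE-AUTH ACL against constructed flows from a PC that has already authenticated and holds a lease. It shows that, as long as the static port ACL is what the port enforces and no authorization result replaces it, the host can renew DHCP and reach the PXE host but cannot ping or reach anything else, which is what the symptom described above looks like. The host 10.0.0.5 and all flow addresses are constructed stand-ins for the redacted xx.xx.xx.xx.

```python
from dataclasses import dataclass
from typing import Optional
PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69}  # IOS service keywords -> UDP port

# The post's ACL verbatim, except that the redacted xx.xx.xx.xx becomes a constructed host.
MAB_PRE_AUTH = """
permit udp any any eq bootps
permit udp any any eq tftp
permit udp any any eq bootpc
permit udp any any eq 4011
permit udp any host 10.0.0.5 range 50000 60000
deny   ip any any
"""
@dataclass
class Flow:
    proto: str                    # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, None for ICMP

def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)

def _match_addr(toks, addr):
    """Consume 'any' or 'host A.B.C.D'; return (matched, remaining tokens)."""
    if toks[0] == "any":
        return True, toks[1:]
    if toks[0] == "host":
        return toks[1] == addr, toks[2:]
    raise ValueError(f"unsupported address spec: {toks[0]}")

def acl_allows(acl_text: str, flow: Flow) -> bool:
    """First matching ACE wins, as on IOS; no match falls to the implicit deny."""
    for line in acl_text.strip().splitlines():
        toks = line.split()
        action, proto = toks[0], toks[1]
        if proto != "ip" and proto != flow.proto:
            continue
        src_ok, rest = _match_addr(toks[2:], flow.src)
        dst_ok, rest = _match_addr(rest, flow.dst)
        if not (src_ok and dst_ok):
            continue
        if rest and rest[0] == "eq" and flow.dport != _port(rest[1]):
            continue
        if rest and rest[0] == "range":
            lo, hi = _port(rest[1]), _port(rest[2])
            if flow.dport is None or not lo <= flow.dport <= hi:
                continue
        return action == "permit"
    return False
```

Calling `acl_allows(MAB_PRE_AUTH, Flow("icmp", "10.0.1.20", "10.0.1.1"))` returns False while the same call with `Flow("udp", "10.0.1.20", "10.0.1.1", 67)` returns True, so a host can hold a lease yet fail every ping. The evaluator only understands the ACE forms used in this ACL (any/host, eq/range on the destination) and raises on anything else rather than guessing.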

Accepted Solutions

Jason Kunst
Cisco Employee
Also please work through the TAC to debug issues if needing further urgent assistance


2 Replies

I have seen a similar case. Check if any Windows updates were installed on these machines, or any network driver update. Also, any IOS updates?
