Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1078
Views
0
Helpful
9
Replies

Intermittent Connectivity Issues w/DOT1X MDA

Terence Lockette
Level 1
Level 1

‎07-31-2018 09:13 AM

Hello,

 

I am seeing a strange intermittent connectivity issue for a dot1x session I'm testing out.  We are currently using ISE 2.3 with patch 4.  I'm testing out MDA for a Win10 machine and a Mitel 5320e IP phone.  Each receive it's own authorization profile.  The PC authenticates in the DATA domain (via dot1x) and the phone in the VOICE domain (via MAB).  Each works as expected when connected to it's own port.  However, when I place the PC behind the phone so that they both authenticate on the same port, I tend to lose connectivity randomly.  I ran a constant ping on both tests and get no packet loss on separate ports but around 1% when on the same port.  I also notice a brief bump in my connection to network applications.  I have the machine authorization policy common task configured to reauthenticate every 4 hours but no reauthentication for the IP phone authZ profile.  Here is a copy of the port config:

 

interface GigabitEthernet0/1
switchport mode access
switchport nonegotiate
switchport voice vlan 30
ip device tracking probe count 1
ip device tracking probe interval 30
ip device tracking maximum 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast edge
spanning-tree bpduguard enable
end

 

As stated before, they work as expected with no drops in connectivity when on separate ports but when together, that's when intermittent connectivity issues occur.  Let me know if you have any additional questions or need any further info.

 

Terence

0 Helpful
9 Replies 9

Timothy Abbott
Cisco Employee
Cisco Employee

‎07-31-2018 09:47 AM

One of the things I've seen in the past is that QoS could be causing the problem. Have you tried removing the QoS config and retest?

Regards,
Tim
0 Helpful

Terence Lockette
Level 1
Level 1
In response to Timothy Abbott

‎07-31-2018 09:48 AM

Sure.  I'll give that a try right now.

0 Helpful

Terence Lockette
Level 1
Level 1
In response to Timothy Abbott

‎07-31-2018 09:51 AM

Ok so I have auto QoS removed from the interface I'm testing from and will monitor for about an hour.  My last constant ping results sent 1,459 packets and lost 21.  I've started a new continuous ping and will check the results.

 

In the meantime, if auto QoS is causing an issue, what alternative do I have to making sure voice traffic still gets priority over other data traffic?

 

Terence

0 Helpful

Timothy Abbott
Cisco Employee
Cisco Employee
In response to Terence Lockette

‎07-31-2018 09:53 AM

If it does turn out to be QoS, I would look to see if there is a defect for the switch code you are using and if it is resolved in a newer release.

Regards,
timn
0 Helpful

Terence Lockette
Level 1
Level 1
In response to Timothy Abbott

‎07-31-2018 09:56 AM

I've just completed an IOS upgrade of all of our switches and dot1x issues were the main thing I looked for in the release notes.  My 4500E switches are running 3.8.6 for Sup-8E and 3.6.6 for Sup-7E.  My 3560CX test switch is running 15.2(4)E4 while our 2960X switches are running 15.2(2)E7.

0 Helpful

Timothy Abbott
Cisco Employee
Cisco Employee
In response to Terence Lockette

‎07-31-2018 10:00 AM

Just out of curiosity, are you seeing the issue across all switch types?

Regards,
Tim
0 Helpful

Terence Lockette
Level 1
Level 1
In response to Timothy Abbott

‎07-31-2018 10:02 AM

So far just my 3560CX and one of the 4500E switches running the Sup-8E.  I haven't deployed campus wide in fear of what I'm experiencing now.  I'm testing various setups we have in our network to get an idea of what our users may or may not experience.  So far, the MDA on a single port appears to cause random drops which will be frustrating for our end users.

0 Helpful

Terence Lockette
Level 1
Level 1
In response to Timothy Abbott

‎07-31-2018 09:53 AM

Looks like I'm still dropping packets and getting the same results.

0 Helpful

dawid.karol.bednarczyk
Level 1
Level 1
In response to Terence Lockette

‎11-21-2018 07:29 AM

Just a blind shot but check this out:

 

https://community.cisco.com/t5/identity-services-engine-ise/ip-device-tracking/m-p/3750828#M20916

 

IP device tracking probes can cause endpoints to learn IP address of gateway ( depending on configuraiton you have ) with mac address of switchport causing packets to be dropped. You can see some intermittent connectivity issues.

Check endpoint arp table for default gw if you can se mac address changing there.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents