07-31-2018 09:13 AM
Hello,
I am seeing a strange intermittent connectivity issue for a dot1x session I'm testing out. We are currently using ISE 2.3 with patch 4. I'm testing out MDA for a Win10 machine and a Mitel 5320e IP phone. Each receives its own authorization profile. The PC authenticates in the DATA domain (via dot1x) and the phone in the VOICE domain (via MAB). Each works as expected when connected to its own port. However, when I place the PC behind the phone so that they both authenticate on the same port, I tend to lose connectivity randomly. I ran a constant ping on both tests and get no packet loss on separate ports but around 1% when on the same port. I also notice a brief bump in my connection to network applications. I have the machine authorization policy common task configured to reauthenticate every 4 hours but no reauthentication for the IP phone authZ profile. Here is a copy of the port config:
interface GigabitEthernet0/1
switchport mode access
switchport nonegotiate
switchport voice vlan 30
ip device tracking probe count 1
ip device tracking probe interval 30
ip device tracking maximum 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast edge
spanning-tree bpduguard enable
end
As stated before, they work as expected with no drops in connectivity when on separate ports but when together, that's when intermittent connectivity issues occur. Let me know if you have any additional questions or need any further info.
Terence
07-31-2018 09:47 AM
07-31-2018 09:48 AM
Sure. I'll give that a try right now.
07-31-2018 09:51 AM
Ok so I have auto QoS removed from the interface I'm testing from and will monitor for about an hour. My last constant ping results sent 1,459 packets and lost 21. I've started a new continuous ping and will check the results.
In the meantime, if auto QoS is causing an issue, what alternative do I have to making sure voice traffic still gets priority over other data traffic?
Terence
07-31-2018 09:53 AM
07-31-2018 09:56 AM
I've just completed an IOS upgrade of all of our switches and dot1x issues were the main thing I looked for in the release notes. My 4500E switches are running 3.8.6 for Sup-8E and 3.6.6 for Sup-7E. My 3560CX test switch is running 15.2(4)E4 while our 2960X switches are running 15.2(2)E7.
07-31-2018 10:00 AM
07-31-2018 10:02 AM
So far just my 3560CX and one of the 4500E switches running the Sup-8E. I haven't deployed campus wide in fear of what I'm experiencing now. I'm testing various setups we have in our network to get an idea of what our users may or may not experience. So far, the MDA on a single port appears to cause random drops which will be frustrating for our end users.
07-31-2018 09:53 AM
Looks like I'm still dropping packets and getting the same results.
11-21-2018 07:29 AM
Just a blind shot but check this out:
https://community.cisco.com/t5/identity-services-engine-ise/ip-device-tracking/m-p/3750828#M20916
IP device tracking probes can cause endpoints to learn the IP address of the gateway (depending on the configuration you have) with the MAC address of the switchport, causing packets to be dropped. You can see some intermittent connectivity issues.
Check the endpoint ARP table for the default GW and see if the MAC address is changing there.
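One way to do the ARP-table check suggested above on the Windows endpoint: an added example (not from this thread or from Cisco) that parses successive "arp -a" snapshots and reports whenever the MAC recorded for the default gateway flips. The addresses and MACs in the sample snapshots are constructed; the gateway IP is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: two "arp -a" snapshots taken 30 s apart on a Windows host.
# In the first, the gateway resolves to the router's MAC; in the second it has
# flipped to a different MAC, which is the symptom to look for when device
# tracking probes are sourced from the switchport's address. Values are made up.
SNAPSHOTS = [
    """Interface: 10.0.30.25 --- 0x5
  Internet Address      Physical Address      Type
  10.0.30.1             00-11-22-33-44-55     dynamic
  10.0.30.40            aa-bb-cc-dd-ee-01     dynamic
""",
    """Interface: 10.0.30.25 --- 0x5
  Internet Address      Physical Address      Type
  10.0.30.1             66-77-88-99-aa-bb     dynamic
  10.0.30.40            aa-bb-cc-dd-ee-01     dynamic
""",
]

# Matches one Windows ARP entry line: "<ipv4>  <mac with dashes>  <type>".
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})", re.I
)


def gateway_mac(snapshot: str, gateway_ip: str) -> Optional[str]:
    """Return the (lower-cased) MAC the snapshot holds for gateway_ip, or None."""
    for line in snapshot.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(1) == gateway_ip:
            return m.group(2).lower()
    return None


def gateway_mac_changes(snapshots: List[str], gateway_ip: str) -> List[Tuple[int, str, str]]:
    """List (snapshot_index, old_mac, new_mac) for every flip of the gateway MAC."""
    changes = []
    prev = None
    for i, snap in enumerate(snapshots):
        mac = gateway_mac(snap, gateway_ip)
        if prev is not None and mac != prev:
            changes.append((i, prev, mac))
        prev = mac
    return changes


if __name__ == "__main__":
    for idx, old, new in gateway_mac_changes(SNAPSHOTS, "10.0.30.1"):
        print(f"snapshot {idx}: gateway MAC changed {old} -> {new}")
```

To run it against a live host, replace SNAPSHOTS with the text of periodic `arp -a` captures; a flip to the switch's own MAC during the ping drops points at the device-tracking explanation.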