Solved: Issues with Multiple IP Phones Getting Stuck into a Configuring IP State

Matthew Martin · ‎02-13-2020

Hello All,

ISE: v2.3.0.298 Patch 3

Switch: 4510R+E

We seem to keep having a few User's IP Phones who keep getting stuck in a configuring IP state. When I look at the auth session on the switch, it shows the following:

#show auth sess int Gi10/12 det
            Interface:  GigabitEthernet10/12
          MAC Address:  001f.cae8.xxx
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  00-1F-CA-E8-XX-XX
               Status:  Unauthorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  C0A80201000B1F411F903E0C
      Acct Session ID:  0x0008D681
               Handle:  0xA2000B3C
       Current Policy:  POLICY_Gi10/12

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success

The difference in the output above, from a normal/working IP Phone, is that this output does not show an IP Address and it does not show a section for Server Policies, like below:

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-56161e32

If the user is to unplug power from the phone it re-authenticates and starts working, or if I clear the auth session for this device from the switch it then starts working again as well.

This appears to happen for the same users from time to time. The majority of users have no issues at all.

Thanks,

Matt

Damien Miller · ‎02-13-2020

First things first, because of the number of components at play here, I would suggest working on the issue through TAC. But some tips still.

Get to the latest patch on the ISE side, 2.3 patch 7 for reference, there are a few hundred bugs fixed since patch 3 released. Patch 7 is the final patch for 2.3 and it's recommended to be on it if running the release.

On the NAD side, do a bug scrub and consider moving to the recommended code if you're not already. Because the 4510 can be configured with various sups, I am unable to pick the recommended target.

On a unrelated note, TAC will stop supporting ISE 2.3 on June 17th 2020. Start planning the deployment upgrade.

View solution in original post

Damien Miller · ‎02-13-2020

First things first, because of the number of components at play here, I would suggest working on the issue through TAC. But some tips still.

Get to the latest patch on the ISE side, 2.3 patch 7 for reference, there are a few hundred bugs fixed since patch 3 released. Patch 7 is the final patch for 2.3 and it's recommended to be on it if running the release.

On the NAD side, do a bug scrub and consider moving to the recommended code if you're not already. Because the 4510 can be configured with various sups, I am unable to pick the recommended target.

On a unrelated note, TAC will stop supporting ISE 2.3 on June 17th 2020. Start planning the deployment upgrade.

Matthew Martin · ‎02-17-2020

Hey Damien, thanks for the reply.

Yes, that's the difficult part with some many variables at play with this... We actually just had another, new user with this issue this morning as well. BTW, its Sup7-E, which we will be upgrading to Sup9-E this summer when we have some larger maintenance windows.

Who would you suggest I start with in terms of opening the TAC case? The 4510, CUCM, ISE, etc..?

Also, I'll work on getting ISE upgraded to Patch 7.

Thanks Again,

Matt

hslai · ‎02-21-2020

Because the status reporting Unauthorized, this is an AAA issue on the switch platform. Usually this is due to mismatches between the switch configurations and what sent down from AAA server; e.g. VLAN or ACL not present.

So, I would start with AAA TAC team, if I were you.