Live Sessions and Accounting showing wrong Switch IP and Port ID

Mohamed Abd Elnaser Mohamed Mohamed Ali · ‎03-09-2018

Hi Everyone

I'm facing slightly the same behaviour where in Cisco ISE 2.3 Patch 2, I can see the endpoint in the Live session with the Wrong Switch IP and Port ID and the same is true under Context Visibility.

What is even weird is that the interface (Port) ID of the wrong switch (NAD) is the uplink trunk to the correct switch where the endpoint is actually connected.

The Correct Switch is 3650 running 3.6.6E while the wrong switch is 3560V2 running 15.0(2)SE10a

In the Live logs and also under the report --> Radius Authentication This Endpoint MAC was only seen coming from the correct Switch IP and Port ID and actually it was never connected to the wrong switch ever (Both are access switches).

But under the report --> Radius Accounting i can see the wrong switch is sending Radius Interim-Update about the same Endpoint.

Under Both switches this command is enabled to keep session alive between Switches and Cisco ISE

aaa accounting update periodic 60

This issue never happened when this customer was running Cisco ISE 1.4 Patch 11 but at that time this Radius accounting command was not applied in switches.

Any thought please?

hslai · ‎03-09-2018

I would suggest to debug on the 3560V2 switch and check why it's sending accounting to an endpoint that not connected to it. Perhaps, device sensor is on and it's sending the detected info to ISE.