kachavda
Beginner

"Blocked On: AAA Not Ready" Status on Switch

Hello Experts,

I am seeing an authentication status of unknown for some ports on a switch. The ISE server is up and on version 2.1. See the screenshot below.

When I check the auth session details for one of the ports, it displays a "Blocked on: AAA Not Ready" error, and on ISE I am seeing logs only for port g1/0/10.

As this switch is in production, I cannot bounce the port without a request and approval.

Therefore what would be the possible reason for this error and how to resolve it?

Any help on this is highly appreciated.

Thanks,

Kashyap

Accepted Solutions

Hi Kashyap,


I shared this case with a friend of mine who is a developer, and he said you seem to be running into CSCuu66531 (internal defect). The defect details are not publicly available now, since it is not release-noted or associated to a TAC case.

The AAA not ready state is potentially a memory leak issue which happens on some random trigger that's unknown. The issue however is fixed in the 03.07.03E version or later. The only workaround known for now (apart from a switch reload) is to disable aaa system accounting with the "aaa accounting system" global command. Note, this does not disable dot1x/mab accounting for endpoints, however it will disable system-level aaa accounting that appears during a switch boot up.

I suggest you open a Cisco TAC case, so that you get formal instructions on how to proceed on this issue.

Cheers!

-Hari
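As an added example (not from the thread, Cisco, or the poster), a small Python triage helper that reads constructed `show version` and `show authentication sessions` output: it lists the ports whose session reports `Blocked On: AAA Not Ready` and checks whether the running release is below the 03.07.03E fix named above, so a change request can cite the affected ports and the target release without touching the switch. The exact field layout of the session output and the sample MAC addresses are assumptions.

```python
import re

FIXED_VERSION = (3, 7, 3)  # 03.07.03E, the release the thread says contains the fix

# Constructed sample output; not captured from the switch in the thread.
SHOW_VERSION = ("Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software "
                "(CAT3K_CAA-UNIVERSALK9-M), Version 03.07.00E RELEASE SOFTWARE (fc1)")

# Constructed session dump; the 'Blocked On' field placement is an assumption.
SESSION_DUMP = """\
            Interface:  GigabitEthernet1/0/10
          MAC Address:  0000.0000.0001
               Status:  Authorized
            Interface:  GigabitEthernet1/0/11
          MAC Address:  0000.0000.0002
               Status:  Unauthorized
           Blocked On:  AAA Not Ready
"""


def parse_ios_xe_version(show_version: str):
    """Return (major, minor, rebuild) from a 'Version 03.07.00E' string, or None."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)E", show_version)
    return tuple(int(x) for x in m.groups()) if m else None


def below_fixed_release(version) -> bool:
    """True when the parsed version is older than the fixed release."""
    return version is not None and version < FIXED_VERSION


def blocked_interfaces(session_dump: str) -> dict:
    """Map interface name -> 'Blocked On' reason for every blocked session."""
    blocked, current = {}, None
    for line in session_dump.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Interface":
            current = value.strip()
        elif key == "Blocked On" and current:
            blocked[current] = value.strip()
    return blocked


def triage(show_version: str, session_dump: str) -> dict:
    """Summarise what a change request for this defect would need to state."""
    version = parse_ios_xe_version(show_version)
    blocked = blocked_interfaces(session_dump)
    return {
        "version": version,
        "below_fixed_release": below_fixed_release(version),
        "aaa_not_ready_ports": sorted(i for i, r in blocked.items() if r == "AAA Not Ready"),
    }
```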


hariholla
Cisco Employee

Hi Kashyap,

  1. What is the switch platform and software version?
  2. What does the 'show aaa servers' command show?
  3. *92.92ea endpoint on Gi 1/0/12 seems to be authenticated successfully, don't you see it under ISE live sessions?
  4. Do you have TAC case open for this?

-Hari

Hello Hari,

Please see my answers below,

  1. What is the switch platform and software version?

     The switch platform is "WS-C3850-24P" and the version is 03.07.00E.

  2. What does the 'show aaa servers' command show?

  3. *92.92ea endpoint on Gi 1/0/12 seems to be authenticated successfully, don't you see it under ISE live sessions?

     I could see a session on port g1/0/12 for the *92.92ea MAC.

  4. Do you have TAC case open for this?

     I have not opened up a case yet.

Let me know if you need more details.

Thanks,

Kashyap Chavda


Thanks Hari for helping on this issue.
