"Blocked On: AAA Not Ready" Status on Switch

kachavda
Level 1

Hello Experts,

I am seeing an authentication unknown status in the switch for some ports on a switch. The ISE server is up and on version 2.1. See the screenshot below,

When I check the auth session details for one of the ports, it displays a "Blocked on: AAA Not Ready" error, and on ISE I am seeing logs only for port g1/0/10.

As this switch is in production, I cannot bounce the port without a request and approval.

Therefore, what would be the possible reason for this error and how do I resolve it?

Any help on this is highly appreciated.

Thanks,

Kashyap

1 Accepted Solution


Hi Kashyap,


I shared this case with a friend of mine who is a developer, and he said you seem to be running into CSCuu66531 (internal defect). The defect details are not publicly available now, since it is not release-noted or associated to a TAC case.

The AAA not ready state is potentially a memory leak issue which happens on some random trigger that's unknown. The issue however is fixed in the 03.07.03E version or later. The only workaround known for now (apart from a switch reload) is to disable aaa system accounting with the “aaa accounting system” global command. Note, this does not disable dot1x/mab accounting for endpoints; however, it will disable system level aaa accounting that appears during a switch boot up.

I suggest you open a Cisco TAC case, so that you get formal instructions on how to proceed on this issue.

Cheers!

-Hari

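To check a whole switch for this condition without touching any port, an operator can parse the text of `show authentication sessions interface <if> details` (or the same output collected per interface) and list every session that reports "Blocked On: AAA Not Ready", then compare the running release against the 03.07.03E fix level Hari quotes. The following script is an added example written for this thread, not code from Cisco or from either poster; the sample output it embeds is constructed to approximate the IOS-XE key/value layout and is not a capture from Kashyap's switch, and the `FIXED_IN` value is taken from the accepted answer above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on 'show authentication sessions ... details'
# output. It is an approximation for the parser below, not a real capture.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/10
          MAC Address:  0011.2233.4455
         IPv4 Address:  Unknown
               Status:  Unauthorized
               Domain:  UNKNOWN
           Blocked On:  AAA Not Ready

Method status list:
       Method           State
       dot1x            Stopped
       mab              Running

            Interface:  GigabitEthernet1/0/12
          MAC Address:  0011.2233.92ea
         IPv4 Address:  Unknown
               Status:  Authorized
               Domain:  DATA
"""

# Release in which the accepted answer says the defect is fixed.
FIXED_IN = "03.07.03E"

# Matches "<key>:  <value>" lines; lines without a value (section headers,
# the method table) do not match and are skipped.
_KV_RE = re.compile(r"\s*([A-Za-z0-9 \-]+?):\s+(.*\S)\s*$")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split the show output into one dict per 'Interface:' block."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":
            current = {"Interface": value}
            sessions.append(current)
        elif current:
            current[key] = value
    return sessions


def blocked_on_aaa(sessions: List[Dict[str, str]]) -> List[str]:
    """Return the interfaces whose session is blocked on 'AAA Not Ready'."""
    return [
        s["Interface"]
        for s in sessions
        if s.get("Blocked On", "").lower() == "aaa not ready"
    ]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn an IOS-XE 3.x string such as '03.07.00E' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(running: str, fixed_in: str = FIXED_IN) -> bool:
    """True when the running release is older than the fix level."""
    return parse_version(running) < parse_version(fixed_in)


def report(text: str, running: str) -> Dict[str, object]:
    """Summarise affected ports and whether the release predates the fix."""
    affected = blocked_on_aaa(parse_sessions(text))
    return {
        "affected_interfaces": affected,
        "running_version": running,
        "below_fix_level": needs_upgrade(running),
    }


if __name__ == "__main__":
    # Version string from the thread; the output text is the constructed sample.
    print(report(SAMPLE_OUTPUT, "03.07.00E"))
```

Running it against real output means pasting the collected text into `SAMPLE_OUTPUT` (or reading it from a file) and passing the version from `show version`; a non-empty `affected_interfaces` list together with `below_fix_level: True` is the combination the accepted answer describes.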

4 Replies

hariholla
Cisco Employee

Hi Kashyap,

  1. What is the switch platform and software version?
  2. What does the 'show aaa servers' command show?
  3. *92.92ea endpoint on Gi 1/0/12 seems to be authenticated successfully, don't you see it under ISE live sessions?
  4. Do you have TAC case open for this?

-Hari

Hello Hari,

Please see my answers below,

  1. What is the switch platform and software version?

     The switch platform is "WS-C3850-24P" and the version is 03.07.00E.

  2. What does the 'show aaa servers' command show?

  3. *92.92ea endpoint on Gi 1/0/12 seems to be authenticated successfully, don't you see it under ISE live sessions?

     I could see a session on port g1/0/12 for the *92.92ea MAC.

  4. Do you have TAC case open for this?

     I have not opened a case yet.

Let me know if you need more details.

Thanks,

Kashyap Chavda


Thanks Hari for helping on this issue.