
show authentication session takes about 1 min to run

C9300-48U: when I issue the command 'sh auth sess' it takes over a minute to produce output:

xxxx#sh clock
13:14:15.613 AEDT Fri Feb 9 2018
xxxx#sh auth sess
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2                  00e0.db45.9a69 mab     DATA    Auth        1D1418AC0000012B2C326D3F
Gi1/0/3                  00e0.db45.9a79 mab     DATA    Auth        1D1418AC0000309C783476B8
Gi1/0/1                  00e0.db0f.ee68 mab     DATA    Auth        1D1418AC00002C0F4E9886A4
Gi1/0/4                  00e0.db0e.e6e3 mab     DATA    Auth        1D1418AC000030B178451404

Session count = 4

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

xxxx#sh clock
13:15:35.953 AEDT Fri Feb 9 2018

I'm also seeing this throughout the log

Feb 9 10:29:44.695 AEDT: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: WRClient 0x165c44f3 download to DP failed
Feb 9 10:42:25.707 AEDT: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: WRClient 0x113aa674 download to DP failed

 

We decided to upgrade to the latest version, Everest-16.6.2 ED, but the same logs are still coming and the same command is still slow to run.


xxxx#sh clock

09:59:32.542 AEDT Mon Feb 19 2018
xxxx#sh auth sess
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2                  00e0.db45.9a69 mab     DATA    Auth        1D1418AC00000030A300AEDC
Gi1/0/4                  00e0.db0e.e6e3 mab     DATA    Auth        000000000000000BA300A053
Gi1/0/1                  00e0.db0f.ee68 mab     DATA    Auth        1D1418AC00000032A300B4B7
Gi1/0/3                  00e0.db45.9a79 mab     DATA    Auth        1D1418AC00000035A300BC37

Session count = 4

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

xxxx#sh clock
10:00:38.237 AEDT Mon Feb 19 2018

Running this command also takes a long time:

xxxx#sh auth brief switch active r0


but doing either of these commands :


xxxx#sh auth sess int g1/0/1
xxxx#sh auth sess int g1/0/1 detail

is instant. The only issue is with running show authentication session and sh auth brief switch active r0.

Has anyone faced the same issue and found a resolution?

Config of one of the interfaces is below.

 

!
interface GigabitEthernet1/0/1
 description VC-Restricted
 switchport access vlan 805
 switchport mode access
 switchport nonegotiate
 authentication control-direction in
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 macro description abs-vc-restricted
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 300
 dot1x timeout held-period 300
 auto qos trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
end

!

 

Ran through a few debugs but nothing came out.
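
An added example (not part of the original thread): a Python sketch that takes a saved terminal capture like the one in the post above and reports how long the command took between the two `sh clock` stamps, which sessions carry a blocked-status flag, and how many FMFP-3-OBJ_DWNLD_TO_DP_FAILED messages appear. The transcript is constructed from the post's output; the Gi1/0/9 row and the function name `analyze` are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed capture modelled on the post: the slow command bracketed by
# "sh clock". The Gi1/0/9 row (flag I) and its IDs are made-up sample data.
TRANSCRIPT = """\
xxxx#sh clock
13:14:15.613 AEDT Fri Feb 9 2018
xxxx#sh auth sess
Interface                MAC Address    Method  Domain  Status Fg  Session ID
Gi1/0/2                  00e0.db45.9a69 mab     DATA    Auth        1D1418AC0000012B2C326D3F
Gi1/0/9                  0000.0000.0001 mab     DATA    Unauth I    0123456789ABCDEF01234567
xxxx#sh clock
13:15:35.953 AEDT Fri Feb 9 2018
Feb 9 10:29:44.695 AEDT: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: WRClient 0x165c44f3 download to DP failed
"""

CLOCK = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ \w{3} (\w{3} \d+ \d{4})$", re.M)
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+(?P<status>\S+)\s+(?:(?P<flags>[ADFIPRUX]+)\s+)?"
    r"(?P<sid>[0-9A-F]{24})$", re.M)
FMFP = re.compile(r"%FMFP-3-OBJ_DWNLD_TO_DP_FAILED")

def analyze(transcript):
    """Summarise one capture: command latency, sessions, blocked ones, FMFP errors."""
    # Both stamps come from the same switch, so the time zone name is ignored.
    clocks = [datetime.strptime(f"{t} {d}", "%H:%M:%S.%f %b %d %Y")
              for t, d in CLOCK.findall(transcript)]
    elapsed = (clocks[-1] - clocks[0]).total_seconds() if len(clocks) >= 2 else None
    sessions = [m.groupdict() for m in ROW.finditer(transcript)]
    return {
        "elapsed_seconds": elapsed,
        "sessions": sessions,
        # A non-empty Fg column means session events are blocked (see the key).
        "blocked": [s["intf"] for s in sessions if s["flags"]],
        "fmfp_failures": len(FMFP.findall(transcript)),
    }

if __name__ == "__main__":
    result = analyze(TRANSCRIPT)
    print(f"command took {result['elapsed_seconds']:.1f}s, "
          f"{len(result['sessions'])} sessions, blocked: {result['blocked']}, "
          f"FMFP download failures: {result['fmfp_failures']}")
```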

Accepted Solutions

Cisco recently released a new version, Everest-16.6.3 ED (02-Mar-2018). After upgrading to that version the issue was fixed. The time to produce output went from one minute to 2 seconds.

5 Replies

Check CPU usage, mainly the dot1x process?

We tested by doing no ip domain-lookup but no luck. Also, CPU was normal. Except for that command, everything works fine.

 

We also took a few mab- and aaa-related debugs but nothing gave a clue.

Look up bugs related to your IOS. Also, check mem usage and how much mem is allocated for that process.

Memory and CPU are normal. We initially suspected an IOS issue, hence upgraded to the latest version, but still no luck. We have another spare 9300 without MAB configured on its ports, and running show authentication session there has no issue.

 

Also, MAC authentication bypass (MAB) is working perfectly fine with the 3850 platform, so we are not suspecting any issue at the ISE end.

 

Not sure if it is something to do with the hardware of the 9300.
