02-20-2018 05:53 PM - edited 02-21-2020 10:46 AM
C9300-48U : when I issue the command 'sh auth sess' it takes over a minute to produce output :
xxxx#sh clock
13:14:15.613 AEDT Fri Feb 9 2018
xxxx#sh auth sess
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 00e0.db45.9a69 mab DATA Auth 1D1418AC0000012B2C326D3F
Gi1/0/3 00e0.db45.9a79 mab DATA Auth 1D1418AC0000309C783476B8
Gi1/0/1 00e0.db0f.ee68 mab DATA Auth 1D1418AC00002C0F4E9886A4
Gi1/0/4 00e0.db0e.e6e3 mab DATA Auth 1D1418AC000030B178451404
Session count = 4
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
xxxx#sh clock
13:15:35.953 AEDT Fri Feb 9 2018
I'm also seeing this throughout the log
Feb 9 10:29:44.695 AEDT: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: WRClient 0x165c44f3 download to DP failed
Feb 9 10:42:25.707 AEDT: %FMFP-3-OBJ_DWNLD_TO_DP_FAILED: Switch 1 R0/0: fman_fp_image: WRClient 0x113aa674 download to DP failed
We decided to upgrade to latest version Everest-16.6.2 ED and but same logs still coming and still slow in running the same command.
xxxx#sh clock
09:59:32.542 AEDT Mon Feb 19 2018
xxxx#sh auth sess
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 00e0.db45.9a69 mab DATA Auth 1D1418AC00000030A300AEDC
Gi1/0/4 00e0.db0e.e6e3 mab DATA Auth 000000000000000BA300A053
Gi1/0/1 00e0.db0f.ee68 mab DATA Auth 1D1418AC00000032A300B4B7
Gi1/0/3 00e0.db45.9a79 mab DATA Auth 1D1418AC00000035A300BC37
Session count = 4
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
xxxx#sh clock
10:00:38.237 AEDT Mon Feb 19 2018
doing this command also takes a long time
xxxx#sh auth brief switch active r0
but doing either of these commands :
xxxx#sh auth sess int g1/0/1
xxxx#sh auth sess int g1/0/1 detail
is instant. Only issue with running show authentication session & sh auth brief switch active r0
Does any one have faced same issue and found resolution ?
Config of one of the interface is as below.
!
interface GigabitEthernet1/0/1
description VC-Restricted
switchport access vlan 805
switchport mode access
switchport nonegotiate
authentication control-direction in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
macro description abs-vc-restricted
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout ratelimit-period 300
dot1x timeout held-period 300
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
end
!
Run through few debug but nothing came out.
Solved! Go to Solution.
04-03-2018 12:59 AM
Cisco recently released new version Everest-16.6.3 ED (02-Mar-2018). After upgrading to that version issue got fixed. One minute reduced to 2 second to produce output.
02-20-2018 06:44 PM
02-20-2018 06:59 PM
We tested by doing no ip domain-lookup but no luck. Also CPU was normal. Except that command everything works fine.
We also taken few mab and aaa related debug but nothing showing clue.
02-20-2018 08:30 PM
02-21-2018 05:38 PM
Memory and CPU normal. We initially suspected IOS issue hence upgraded to latest version but still no luck. We have another spare 9300 where without MAB configured on port and running show authentication session has no issue.
Also Mac authentication bypass (MAB) is working perfectly fine with 3850 platform so not suspecting any issue towards ISE end.
Not sure if something to due with hardware of 9300.
04-03-2018 12:59 AM
Cisco recently released new version Everest-16.6.3 ED (02-Mar-2018). After upgrading to that version issue got fixed. One minute reduced to 2 second to produce output.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide