03-14-2022 04:21 AM
Hello,
There’s a growing number of users who are experiencing network performance issues in one of our locations.
They are getting disconnected at some point and reconnected after a couple of seconds. After analyzing log messages on the switch, I’ve noticed it’s related to a macro configured on the switch. When the macro is executed, the interface state is changed to "Down" and after three seconds it goes up again.
This is the macro that is configured on the switch:
macro auto execute CRITICAL_AUTH_Clients {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
authentication event server dead action authorize vlan 201
end
fi
}
We do not know what event triggers the macro to be executed.
I’ve also done some digging and I’ve found that the problem might be related to a misconfigured Auto Smartports feature. (https://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/12-2_55_se/configuration/guide/asp_cg.pdf)
03-14-2022 04:50 AM
Try using the inactivity dot1x timeout; this makes the sw not reauth unless the client is inactive.
Without the inactivity timeout, the sw will reauth the client after a specific time.
03-14-2022 07:47 AM
The following command is configured on the switchport:
dot1x timeout tx-period 11
Shall we replace it?
03-14-2022 08:48 AM - edited 03-16-2022 02:27 AM
authentication timer inactivity <Sec>
Under interface add this command.
Do this for only one switch port; if successful, then apply it to all.
03-16-2022 02:09 AM
Hello,
I've replaced "authentication timer inactivity server" with "authentication timer inactivity 3600". Furthermore, I wanted to replace the "dot1x timeout tx-period 11" command, but it doesn't show in the configuration.
03-16-2022 02:22 AM
No need to replace this.
The tx timeout is needed; even if you delete it, the sw will use the default.
Check stability after adding the inactivity command.
03-16-2022 02:29 AM - edited 03-16-2022 04:53 AM
By default there is a timeout between the EAP; you can configure it or use the default.
Instead, you can reduce the number of EAP retransmits to be at least two, but I recommend using the default.
03-17-2022 03:16 AM
Any update for this issue?
03-14-2022 03:15 PM
Turn off ASP.
03-16-2022 01:48 AM
Hello,
What is ASP? I don't think it's enabled on the switch.
03-16-2022 02:38 AM
@lnw-team wrote:
What is ASP? I don't think it's enabled on the switch.
ASP means Auto SmartPorts. And yes, it is turned on. The picture says so and the TCL script says so.
03-17-2022 02:37 AM
Hello,
Thank you. I think that instead of disabling ASP on the switch, we can try to remove that particular MACRO that seems to be causing the issue, right?
03-15-2022 12:42 AM
Hello,
What switch model do you have? Is this an SMB switch?
03-16-2022 01:46 AM
Hello,
Switch model is WS-C3850-12X48U. Software version is 19.9.5.
03-17-2022 03:34 AM
Client-SW-Radius
1- The client and SW exchange the dot1x messages;
this time depends on tx and max-reauth.
2- Your client, as I understand, doesn't support dot1x.
3- The SW assigns a VLAN to these clients according to the critical macro.
4- The client and SW start forwarding packets.
5- Inactivity timeout <- here your inactivity setting previously used the server response to apply this timeout, BUT here the client never exchanges dot1x and the SW never uses the server!!!
6- The re-auth timeout ends and the client must re-auth again ("return to step 1") <- here the client sees that it disconnects and reconnects again.
We can minimize the time by changing tx and max-reauth, which does not have much effect on the disconnect/connect case.
So we need inactivity under each interface that does not support dot1x.
Make it as long as you can if this client is busy all day.
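Added example, not part of the thread and not Cisco tooling: a small Python check that applies the advice discussed above to a saved running-config. It lists Auto Smartports macros and the 802.1X ports whose `authentication timer inactivity` is missing or not a fixed number of seconds. The sample config is constructed, and treating `authentication port-control auto` as the marker of an 802.1X port is an assumption.

```python
# Constructed sample config for illustration; not taken from the poster's switch.
SAMPLE = """\
macro auto execute CRITICAL_AUTH_Clients {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
authentication event server dead action authorize vlan 201
end
fi
}
!
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication timer inactivity server
interface GigabitEthernet1/0/2
 authentication port-control auto
 authentication timer inactivity 3600
interface GigabitEthernet1/0/3
 authentication port-control auto
interface GigabitEthernet1/0/4
 switchport mode trunk
"""

def audit(config):
    """Return (ASP macro names, {802.1X port: inactivity setting to review})."""
    macros, ports, current, in_macro = [], {}, None, False
    for line in config.splitlines():
        if in_macro:  # skip the macro body, including its 'interface $INTERFACE'
            in_macro = line.strip() != "}"
        elif line.startswith("macro auto execute "):
            macros.append(line.split()[3])
            in_macro = line.rstrip().endswith("{")
        elif line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or any other global line closes the interface block
    findings = {}
    for name, cmds in ports.items():
        timer = [c.split()[-1] for c in cmds if c.startswith("authentication timer inactivity")]
        if "authentication port-control auto" not in cmds:
            continue  # assumption: port is not under 802.1X control
        if not timer or not timer[0].isdigit():
            findings[name] = timer[0] if timer else "missing"
    return macros, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty macro list means ASP macros are defined on the switch; each reported port is a candidate for a fixed `authentication timer inactivity <Sec>` value, tested on one port first as suggested in the thread.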