NAC Invalid switch configuration-OOB Error:OOB client "mac/ip" not found.

eduardo.leyva
Level 1

Hi everybody! I just deployed Cisco NAC version 4.8.1 Virtual Gateway OOB on a LAN environment and on a WLAN environment. It works fine for some users: they can authenticate via the agent or web page, and then they are redirected to the access VLAN. But for some other users in LAN and WLAN, when they try to authenticate via agent or web page the following error appears:

Invalid switch configuration-OOB Error:OOB client "mac/ip" not found.

I tried to find some pattern for the users, but it doesn't match any pattern.

Can anyone help me with this issue?

Best Regards

ELO

14 Replies

edwjames
Level 3

Check your SNMP settings on the OOB switch and CAM.

Do they match?

Regards

eddy

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Try to bounce the switch port and see if that clears the issue. Also make sure you can manage the switch ports under Devices. If you can do this you should be OK. Just make sure your snmp-server RO & RW match on the switch and NAC Mgmt.

Yes Bobby, those are things that need to be checked.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hi, I just reviewed the SNMP configuration on all the switches and WLAN and CAM and it is fine. It is working, because some users can authenticate, but some others cannot in both environments; if the SNMP parameters were the cause, none of the users could authenticate. ELO

See if the users in question have an entry in Certified Devices or Discovered Clients. Remove both if found and then bounce the switchport.

courtnash
Level 1

I'm having the same problem. It's happening on WLAN more than the wired LAN. I've been working with Cisco TAC for 2 days. I can recreate the issue in my office on the WLAN network. I'm waiting on Cisco TAC to escalate the issue.

Has anyone resolved the issue yet? Is it a bug?

Hi, I'm still testing this issue. I put a sniffer on the CAS ports and CAM ports, and we can see that SNMP packets are being dropped at some point in the trace. The point that we are reviewing at this moment is the WAN link, because the CAM and the CAS/controlled switches are separated by a WAN.

Have you resolved this issue yet?

Let me know please.

Best Regards

ELO

harry.ramirez
Level 1

I just upgraded to 4.9 from 4.8 and am now having the same issue with some clients. The access switches are 3560s, clients can be either laptops or workstations, XP or Win7, agent can be 4.5 or 4.9, doesn't matter. Some have been workstations that connect to the LAN with a Cisco phone in between, some are directly connected to the LAN.

The workaround that always works is to disconnect the switchport so it goes down/down, wait 10-20 seconds, and reconnect. It's definitely not an SNMP configuration problem, as 90% of users are logging in just fine with either SSO or LDAP. Since having the port go down/down does the trick, it seems to be a MAC issue maybe? I noticed some of my switches had the default MAC address aging time of 300 instead of what Cisco recommends for NAC, which is 3600. I corrected this on one of my floors to see if that makes a difference.

Any other ideas?

OK, here's some more info. When having the "client not found" issue, this is the state at the core switch for the affected user's MAC address. Po23 is the port-channel to the user's switch, Po35 is the port-channel to the switch that the NAC CAS is on, 232 is the authentication VLAN, 132 is the access VLAN:

```text
CORE# show mac address-table dyn | i eb82
* 232     b8ac.6f98.eb82   dynamic   0         F   F Po23
* 132     b8ac.6f98.eb82   dynamic   330       F   F Po35
```

After the port shut/no shut, the user logs in, and NAC configures the user's port to the access VLAN as it should. Looking at the core's MAC table you can see that the VLAN for the MAC entry reversed to what it was previously.

Core:

```text
CORE# show mac address-table dyn | i eb82
* 232     b8ac.6f98.eb82   dynamic   30         F   F Po35
* 132     b8ac.6f98.eb82   dynamic   0         F   F Po23
```

So is this symptom or cause?
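The two captures above show the same client MAC learned on two VLANs via two different port-channels, where only the entry with age 0 reflects where the client really is and the older entry is a leftover from its previous state. As an added example, not part of this thread or of any Cisco tool, the following Python snippet parses that `show mac address-table dynamic` output and reports, for a given client MAC, its current VLAN/port and any stale duplicate entries that a MAC-based lookup could trip over. The VLAN numbers, port-channel names and MAC address are the ones from the post; the Catalyst 6500-style column layout (`* vlan mac type age secure ntfy ports`) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the two captures from the post, before the port
# bounce (client still in auth VLAN 232) and after it (client in access VLAN 132).
BEFORE_BOUNCE = """\
* 232     b8ac.6f98.eb82   dynamic   0         F   F Po23
* 132     b8ac.6f98.eb82   dynamic   330       F   F Po35
"""
AFTER_BOUNCE = """\
* 232     b8ac.6f98.eb82   dynamic   30         F   F Po35
* 132     b8ac.6f98.eb82   dynamic   0         F   F Po23
"""

# Assumed Catalyst 6500 layout: * <vlan> <mac> dynamic <age> <secure> <ntfy> <port>
LINE_RE = re.compile(
    r"^\*?\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+dynamic\s+"
    r"(?P<age>\d+)\s+\S+\s+\S+\s+(?P<port>\S+)$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Parse 'show mac address-table dynamic' lines into dicts; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({
                "vlan": int(m["vlan"]),
                "mac": m["mac"].lower(),
                "age": int(m["age"]),
                "port": m["port"],
            })
    return entries


def split_macs(entries):
    """Return {mac: [entries]} for every MAC that appears on more than one VLAN/port."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e)
    return {mac: lst for mac, lst in by_mac.items() if len(lst) > 1}


def assess_client(entries, mac, auth_vlan, access_vlan, user_uplink):
    """Classify a client from the freshest (lowest age) entry for its MAC.

    user_uplink is the core port that leads toward the client's access switch
    (Po23 in the post). Older duplicates are returned as 'stale' so an operator
    can see the leftover state the NAC lookup may be confused by.
    """
    mine = [e for e in entries if e["mac"] == mac.lower()]
    if not mine:
        return {"state": "not-found", "fresh": None, "stale": []}
    mine.sort(key=lambda e: e["age"])
    fresh, stale = mine[0], mine[1:]
    if fresh["port"] != user_uplink:
        state = "unexpected-port"
    elif fresh["vlan"] == access_vlan:
        state = "authenticated"
    elif fresh["vlan"] == auth_vlan:
        state = "pre-auth"
    else:
        state = "unexpected-vlan"
    return {"state": state, "fresh": fresh, "stale": stale}


def describe(result):
    """Human-readable one-liner for a result from assess_client()."""
    if result["fresh"] is None:
        return "MAC not in table"
    f = result["fresh"]
    line = f"{result['state']}: current VLAN {f['vlan']} via {f['port']} (age {f['age']})"
    for s in result["stale"]:
        line += f"; stale entry VLAN {s['vlan']} via {s['port']} (age {s['age']})"
    return line


if __name__ == "__main__":
    for label, capture in (("before bounce", BEFORE_BOUNCE), ("after bounce", AFTER_BOUNCE)):
        table = parse_mac_table(capture)
        print(label, "->", describe(assess_client(table, "b8ac.6f98.eb82", 232, 132, "Po23")))
```

Run against the post's captures, the "before" table reports the client as pre-auth on VLAN 232 via Po23 with a stale VLAN 132 entry via Po35, and the "after" table reports it authenticated on VLAN 132 with the stale entry now on VLAN 232. Whether you treat the stale entry as symptom or cause, the same check run from a script or a monitoring job is a quick way to spot clients whose core MAC entries disagree with what the CAM believes.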

After the change of the aging time to 3600, did the errors stop?

Sent from Cisco Technical Support iPad App

No difference. I set the aging time to 100000 on the switches that the clients are connected to and the problem persists. The only place where I don't have that setting is at the distribution switch.

The workaround is always to shut/no shut the port, to the point that our helpdesk just tells the user over the phone to unplug at the jack, wait ten seconds, plug back in, and the problem goes away. The problem makes us look like amateurs to the users, but apparently no one at Cisco cares to find a solution. I hope ISE 2 solves the problem.

Any resolution to this bug?

We have the exact same issue on LAN with 3750s and 6509s

Yes, I entered the following on the access layer switches:

mac address-table notification mac-move

The problem went away completely. Due to construction in our office we've even had many users, around 70, be relocated to other floors, and this is where most if not all of the time the problem would surface. After the above config change, we never had one of these OOB errors pop up through all those user relocations.

I see this problem as users travel from site to site and from wireless to wired. The agent throws the OOB error, and the previous switch port and IP are on the Certified Devices list for that user even though it's an unmanaged port. It looks like the Discovered Hosts table is not cleared. Requesting the BU look into this.

Sent from Cisco Technical Support iPad App
