Hi everybody ! i just deployed Cisco NAC version 4.8.1 Virtual Gateway OOB on a LAN envieronment and on a WLAN envieronment, it works fine for some users , they can authenticate via the agent or web page, and then they are redirected to the access vlan, But for some other users in LAN and WLAN , when they try to authenticate via agent or web page the following error appears:
Invalid switch configuration-OOB Error:OOB client "mac/ip" not found.
I tried to find some pattern for the users but it dont match any pattern.
Can anyone help me with this issue ?
Try to bounce the switch port and see if that clears the issue. Also make sure you can manage the switch ports under devices. if you can do this you should be ok. Just make sure your snmp-server RO & RW match on the switch and Nac Mgmt.
Hi , i just reviewed the snmp configuration on all the switches and WLAN and CAM and is fine, and is working because some users can authenticate , but some others cannot in both envieronments and if the snmp parameters where the cause, none of the users could authenticate .ed
I'm having the same problem. It's happening on WLAN more than the wired LAN. I've been working with Cisco Tac for 2 days. I can recreate the issue in my office on the WLAN network. I'm waiting on Cisco TAC to escalate the issue.
Has anyone resolved the issue yet? Is it a bug?
Hi im still in test with this issue, i put an sniffer on CAS ports and CAM
ports, and we can see that SNMP packets are being dropped in some point of
the trace, the point that we are reviewing at this moment is the WAN link
because the CAM & CAS/Controlled Switches are being separated by a WAN.
¿ Have resolved this issue yet ?
Let me know please
I just upgraded to 4.9 from 4.8 and am now having the same issue with some clients. The access switches are 3560s, clients can be either laptops or workstations, XP or Win7, agent can be 4.5 or 4.9, doesn't matter. Some have been workstations that connect to the LAN with a Cisco phone in between, some are directly connected to the LAN.
The workaround that always works is to disconnect the switchport so it goes down/down, wait 10-20 seconds, and reconnect. It's definitely not an SNMP configuration problem as 90% of users are logging in just fine with either SSO or LDAP. Since having the port go down/down does the trick, seems to be a MAC issue maybe? I noticed some of my switches had the default mac address aging time of 300 instead of what Cisco recommends for NAC, which is 3600. I corrected this on one my floors to see if that makes a difference.
Any other ideas?
Ok, here's some more info. When having the "client not found" issue, this is the state at the core switch for the affected user's mac address. Po23 is the port-channel to the user's switch, Po35 is the port-channel to the switch that the NAC CAS is on, 232 is the authentication vlan, 132 is the access vlan:
CORE# show mac address-table dyn | i eb82
* 232 b8ac.6f98.eb82 dynamic 0 F F Po23
* 132 b8ac.6f98.eb82 dynamic 330 F F Po35
After the port shut/no shut, the user logs in, and NAC configures the user's port to the access vlan as it should. Looking at the core's mac table you can see that the Vlan for the mac entry reversed to what it was previously
CORE# show mac address-table dyn | i eb82
* 232 b8ac.6f98.eb82 dynamic 30 F F Po35
* 132 b8ac.6f98.eb82 dynamic 0 F F Po23
So is this symptom or cause?
No difference. I set aging time to 100000 on the switches that the clients are connected to and the problem persists. The only place where I don't have that setting is at the distribution switch.
The workaround is always to shut/no shut the port, to the point that our helpdesk just tells the user over the phone to unplug at the jack, wait ten seconds, plug back in, problem goes away. The problem makes us look like amateurs to the users, but apparently no one at Cisco cares to find a solution. I hope ISE 2 solves the problem.
Yes, I entered the following on the access layer switches:
mac address-table notification mac-move
The problem went away completely. Due to construction in our office we've even had many user's, around 70, be relocated to other floors, and this is where most if not all of the time the problem would surface. After the above config change, we never had one of these OOB Errors pop up through all those user relocations.
I see this prblem as users travel from site to site and from wireless to wired. Agent throughs oob error and the previous switch port and ip is on certfied device list for that user even though its a unmanaged port. It looks like the Discovered host table is not cleared. Requesting the BU look into this.
Sent from Cisco Technical Support iPad App