Error disable ports with cisco phone and computer daisy chained together

I have a WS-C2960S-48FPS-L stack running software version 15.0(2)SE2. I keep getting intermittent error disable on some ports after configuring 802.1x on the ports.

Port config

interface GigabitEthernet3/0/37
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 11
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 101
 authentication event no-response action authorize vlan 963
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 3
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

syslog server output:

Apr 15 07:38:45 10.42.245.5 5057: .Apr 15 12:38:32.441: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/37, changed state to down
Apr 15 07:38:44 10.42.245.5 5056: Apr 15 12:38:31.418: %PM-4-ERR_DISABLE: security-violation error detected on Gi3/0/37, putting Gi3/0/37 in err-disable state (CPAHP-CR-STK1-3)
Apr 15 07:38:44 10.42.245.5 5055: .Apr 15 12:38:31.419: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/0/37, new MAC address (d4be.d92d.2363) is seen.AuditSessionID  Unassigned   (mac address from phone on data)
Apr 15 07:38:44 10.42.245.5 5054: .Apr 15 12:38:31.377: %AUTHMGR-5-START: Starting 'dot1x' for client (d4d7.48ff.e809) on Interface Gi3/0/37 AuditSessionID 0A2AF505000008E5648AEE19
Apr 15 07:38:44 10.42.245.5 5053: .Apr 15 12:38:31.361: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi3/0/37, port's configured trust state is now operational.
Apr 15 07:38:31 10.42.245.5 5052: .Apr 15 12:38:20.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/37, changed state to up
Apr 15 07:38:31 10.42.245.5 5051: .Apr 15 12:38:19.030: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/37, changed state to up
 
I am using Cisco 4945 IP phones at this site; at another site running the same phones, the same IOS and the same model of switch with the same configs I am not experiencing any issues.

At both sites computers are daisy chained through the phone. I see the phone is trusted first, so it would be sending tagged packets; the switch, trying to authenticate the computer, picks up both MAC addresses and goes into error disable. If I shut and no shut the port it clears and only shows the 2 MAC addresses, phone and computer.
Any input would be greatly appreciated.
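The sequence in the syslog above (phone trusted, dot1x started for one MAC, a second MAC seen, port err-disabled) can be pulled out of a syslog feed automatically. This is an added example, not code from the original post or from Cisco: it parses constructed lines modelled on the ones posted and reports, per port, the dot1x client MAC and the second MAC that triggered the violation.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog lines posted above, oldest entry first
# (the Splunk rendering has been dropped; message text is as posted).
SAMPLE_SYSLOG = """\
Apr 15 07:38:31 10.42.245.5 5051: .Apr 15 12:38:19.030: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/37, changed state to up
Apr 15 07:38:44 10.42.245.5 5053: .Apr 15 12:38:31.361: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi3/0/37, port's configured trust state is now operational.
Apr 15 07:38:44 10.42.245.5 5054: .Apr 15 12:38:31.377: %AUTHMGR-5-START: Starting 'dot1x' for client (d4d7.48ff.e809) on Interface Gi3/0/37 AuditSessionID 0A2AF505000008E5648AEE19
Apr 15 07:38:44 10.42.245.5 5055: .Apr 15 12:38:31.419: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/0/37, new MAC address (d4be.d92d.2363) is seen.AuditSessionID  Unassigned
Apr 15 07:38:44 10.42.245.5 5056: Apr 15 12:38:31.418: %PM-4-ERR_DISABLE: security-violation error detected on Gi3/0/37, putting Gi3/0/37 in err-disable state (CPAHP-CR-STK1-3)
"""

MNEM_RE = re.compile(r"%([A-Z_]+-\d-[A-Z_]+):")          # e.g. AUTHMGR-5-SECURITY_VIOLATION
IFACE_RE = re.compile(r"\b(Gi(?:gabitEthernet)?\d+/\d+/\d+)")  # long or short interface name
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")

def parse_events(text):
    """Yield (port, mnemonic, mac, line) for each IOS syslog line that names an interface."""
    for line in text.splitlines():
        mnem, iface = MNEM_RE.search(line), IFACE_RE.search(line)
        if not (mnem and iface):
            continue
        mac = MAC_RE.search(line)
        port = iface.group(1).replace("GigabitEthernet", "Gi")  # normalise to short form
        yield port, mnem.group(1), (mac.group(1) if mac else None), line

def find_violations(text):
    """Correlate per port: phone trusted, dot1x client MAC, second MAC, err-disable.
    Only ports that actually went err-disabled for a security violation are returned."""
    state = defaultdict(lambda: {"trusted_phone": False, "client": None,
                                 "violator": None, "err_disabled": False})
    for port, mnem, mac, line in parse_events(text):
        s = state[port]
        if mnem == "SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED":
            s["trusted_phone"] = True
        elif mnem == "AUTHMGR-5-START":
            s["client"] = mac
        elif mnem == "AUTHMGR-5-SECURITY_VIOLATION":
            s["violator"] = mac
        elif mnem == "PM-4-ERR_DISABLE" and "security-violation" in line:
            s["err_disabled"] = True
    return {p: s for p, s in state.items() if s["err_disabled"] and s["violator"]}

if __name__ == "__main__":
    for port, s in find_violations(SAMPLE_SYSLOG).items():
        print(f"{port}: dot1x client {s['client']}, second MAC {s['violator']} -> err-disabled"
              f" (cisco-phone trusted first: {s['trusted_phone']})")
```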

12 Replies

andrewswanson
Level 7

Hello
Is it possible that your users are unpatching PCs from the phones and moving them to other phones?

If so, the "Cisco Discovery Protocol Enhancement for Second Port Disconnect" should inform the upstream switch. This enhancement is supported in certain phone firmwares and switch IOS versions; see the link below.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389517

HTH
Andy

No, all employees have assigned seating. This problem actually appeared when I first NACed the switchports.

It came up error disabled. I did a MAC address look-up on the port and noticed that the MAC address of the phone was appearing in both the voice and data VLANs, 3 MAC addresses on the port, which is most likely causing the issue. I checked Cisco and I found there was a firmware issue with a different phone model, not this model, 7945. I checked the other site where there aren't any issues and all the phone parameters match exactly.

Thank you

Hi anthonny225,

I have experienced an issue like yours.

The interface was entering err-disabled status as soon as I connected the phone to it.

I tried a lot to solve this issue but did not have success.

You can try changing the IOS version; that was how I solved my problem. I was having problems using IOS 15.2(2)E1. Changing to 15.0(2)SE7, which is an MD version, solved my problem.

I hope it can help you.

 

hdussa
Level 1

Hi,

You need to configure:

authentication host-mode multi-domain (1 PC + 1 IP phone)

OR

authentication host-mode multi-domain (many PCs + 1 IP phone)

AND

authentication order mab dot1x

Regards,
Horst

Thank you so much I will try it, I really do appreciate the help.


 

hdussa
Level 1

Don't forget to send the cisco-av-pair "device-traffic-class=voice" from RADIUS to the switch.

If you're using ACS:

Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles >
Voice VLAN
Permission to Join:
Yes (device-traffic-class=voice)

ACS is good; we have hundreds of switches with the same policy and no issues. I tried adding the commands to the switch port. Also, if I make changes to the ACS policy it will affect the enterprise.

Added to the switch port:

authentication host-mode multi-domain

authentication order mab dot1x

The port went into error disable and I could not clear it:

  11    203a.xxxx.xxxx   DYNAMIC     Gi2/0/31    cisco phone
 101    1803.xxxx.xxxx   DYNAMIC     Gi2/0/31    computer
 101    203a.xxxx.xxxx   DYNAMIC     Gi2/0/31    cisco phone

Very Respectfully

John
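The three-entry table above (the phone's MAC in both VLAN 11 and VLAN 101, and two MACs in the data VLAN) is the condition this thread identifies as the trigger for the security violation. Added example, not John's or Cisco's code: it parses output in the "show mac address-table" layout and flags any port where one MAC is learned in both the voice and data VLAN, or where the data VLAN holds more than one MAC; the voice/data VLAN numbers are passed in, and the sample rows are constructed from the masked entries posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "show mac address-table", built from the
# masked rows John posted (VLAN 11 = voice, VLAN 101 = data); trailing notes are kept.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  11    203a.xxxx.xxxx    DYNAMIC     Gi2/0/31    cisco phone
 101    1803.xxxx.xxxx    DYNAMIC     Gi2/0/31    computer
 101    203a.xxxx.xxxx    DYNAMIC     Gi2/0/31    cisco phone
  11    20bb.xxxx.xxxx    STATIC      Gi2/0/35    Cisco phone 7945
"""

# vlan, mac, type, port; 'x' is accepted so the masked MACs as posted still parse
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4})\s+(\w+)\s+(\S+)")

def parse_mac_table(text):
    """Return {port: {vlan: set_of_macs}}; header and separator lines are skipped."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[port][int(vlan)].add(mac)
    return table

def check_ports(text, voice_vlan, data_vlan):
    """Flag ports whose learned MACs would not fit a one-data-host 802.1x/MAB port:
    the same MAC in both the voice and data VLAN, or more than one MAC in the data VLAN."""
    findings = {}
    for port, vlans in parse_mac_table(text).items():
        issues = []
        leaked = vlans.get(voice_vlan, set()) & vlans.get(data_vlan, set())
        for mac in sorted(leaked):
            issues.append(f"MAC {mac} seen in voice VLAN {voice_vlan} and data VLAN {data_vlan}")
        data_macs = vlans.get(data_vlan, set())
        if len(data_macs) > 1:
            issues.append(f"{len(data_macs)} MACs in data VLAN {data_vlan}: {sorted(data_macs)}")
        if issues:
            findings[port] = issues
    return findings

if __name__ == "__main__":
    for port, issues in check_ports(SAMPLE_MAC_TABLE, voice_vlan=11, data_vlan=101).items():
        print(port, "->", "; ".join(issues))
```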

 

hdussa
Level 1

What happens when you:

1. Only connect the IP phone. Is the phone in the voice VLAN?

Verify with "show authentication session".

2. Disconnect the phone and connect the PC. Is the PC in the data VLAN?

How do you authenticate the IP phone (MAC address or user/password)?

Horst

 

The phone is authenticated through MAC address and is in the voice VLAN 11.

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  11    20bb.xxxx.xxxx    STATIC      Gi2/0/35    Cisco phone 7945

Total Mac Addresses for this criterion: 1
CPAHP-CR-STK2#sh run int Gi2/0/35
Building configuration...

Current configuration : 661 bytes
!
interface GigabitEthernet2/0/35
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 11
 power inline auto max 15400
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 101
 authentication event no-response action authorize vlan 963
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 3
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

====================================

The computer authenticates in data VLAN 101, which is correct.

Is this output a "show vlan" or the result of "show authentication session"?

Very helpful is a "debug radius". Can you post both outputs?

Hi,

Can you please add "authentication violation replace" on the switchport and test?

Usually when a phone is brought online, its MAC will be placed in the data VLAN, and after that it will be in both the data and voice VLANs.

This command will replace the phone's MAC (from the data VLAN) with the MAC address of the PC.

Thanks,

Octavian

MEB
Level 1

Hi... Any luck in solving such issues? I am suffering from a very similar one.

Below is the associated discussion:

https://supportforums.cisco.com/t5/lan-switching-and-routing/catalyst-45-series-sup8e-802-1x-ports-getting-error-disabled/m-p/3338773#M406548

Best regards