Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9945
Views
0
Helpful
4
Replies

802.1x | DHCP BAD_ADDRESS | IP Conflict 0.0.0.0

Go to solution
yaplej
Level 1
Level 1

‎04-11-2018 02:00 PM - edited ‎03-08-2019 02:37 PM

Hello,

We are experiencing a lot of BAD_ADDRESSES in our DHCP scopes where 802.1x is enabled.  The problem seems to stem from IPDT or Device Tracking depending on the version of IOS you have.  This is not a unique issue to me.

https://supportforums.cisco.com/t5/security-and-network-management/ise-802-1x-ip-conflict-at-0-0-0-0/td-p/2066699

 

There have been several proposed solutions:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html

 

So far nothing has worked in our environment.

 

The "probe delay" seems like it would be the easiest solution and it seems like that works mostly but only when there is a single switch/management-point for the site.  When there are multiple switches or "stacks" each sending their own device tracking probes the problem seems to surface again.

 

The "use-svi" method does not work because our switches are L2-only so there is no SVI in the same VLAN/subnet as the 802.1x authenticated devices.  We have the management SVI on a seprate/dedicated VLAN.

 

We have also disabled GARP on our Windows machines trying to stem this DHCP BAD_ADDRESS issue but we are coming up with nothing.

 

I was wondering if anyone else has seen and could confirm that what I am seeing is expected.

 

The "auto-source fallback override" solution MIGHT be the only working solution in our type of environment where there are multiple L2-only access switches.  I have not gotten myself enough of the 3850 switches to verify this but I am working on that.  The plan is to use a single assigned address for all device tracking probes.  I really hope that works so I dont need to use an seprate auto-source fallback address for each switch.

 

 

6 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yaplej
Level 1
Level 1
In response to patipat55

‎10-24-2019 01:01 PM

Its a problem with the IOS.  If your switch can be upgraded to a fixed one then just upgrade the IOS.  Our switch did not support a new enough/fixed IOS so we had to replace all our switches with ones that had a newer IOS.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Goga
Level 1
Level 1

‎08-15-2018 05:58 AM

Hello!
Did you find solution for your problem?
0 Helpful

Go to solution
yaplej
Level 1
Level 1
In response to Goga

‎08-15-2018 06:28 AM

This seemed to only be a problem at sites with multiple 3750 stacks.  If you can put all your access switches into a single stack then the issue seemed to go away.

 

Depending on what 3750 series you have you might be able to upgrade the IOS to a version that is fixed.

 

Unfortunately we had mostly original 3750 series switches so we could not update to any version of IOS that is fixed.  So we upgraded everything to Catalyst 3850s.  Everything is working great now.

 

0 Helpful

Go to solution
patipat55
Level 1
Level 1
In response to yaplej

‎10-19-2019 09:39 PM

Hi yaplej

 you mean for 3850 stack can solved?

 

 I was found problem on 2960X Stack.

 

0 Helpful

Go to solution
yaplej
Level 1
Level 1
In response to patipat55

‎10-24-2019 01:01 PM

Its a problem with the IOS.  If your switch can be upgraded to a fixed one then just upgrade the IOS.  Our switch did not support a new enough/fixed IOS so we had to replace all our switches with ones that had a newer IOS.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card