10-01-2024 08:27 AM
I was intending to write today looking for help, but I may have answered my own question enough to satisfy me. Still, I thought I'd post because this could be good information for someone else about to upgrade.
Somewhere around 9/27/2024 I downloaded the 17.9.6 code for the 9300/9400 series switches, right after their security vulnerabilities were made public.
I just upgraded to 17.9.6 and the next morning was immediately hit with issues. In general, the code seems OK, however, we use dot1x NAC with Clearpass and certificate authentication for our laptops and PCs.
What is/was happening is this: the PC connects, and all of the dot1x process goes fine. Clearpass logs show the PC being allowed, and the switch shows AUTH when you do 'show auth sessions'. So everything is good. Except the PC can't get an IP address from DHCP, and if you put a static IP on it, it won't talk to anything either. The MAC address table gets populated, but the entry shows as STATIC, even on a DYNAMIC port/device. ARP in our case is done on a firewall for all VLANs, and there is NO ARP entry that ends up on the firewall for that MAC address. If you do "show interface" on that interface, you'll see 0 (zero) packets input. You will see some packets output, but not too many.
Additionally, we have some devices that use MAC authentication, and those seem to be working fine. So it's just the dot1x stuff that blew up. It's almost like the layer 2 side isn't being connected once dot1x succeeds, or an "open the port" dynamic default ACL isn't being applied.
I was able to get all the ports functional by removing all of the NAC config. I probably could have turned it off at the global level but was hoping I could troubleshoot and fix it. Turns out the troubleshooting wasn't giving me any real results. Debug logs clearly show the authentication successful.
So my next step was to come here and post for help, but before I did that, I wanted to give the code a one-star review on the download page and comment there, to prevent others from having this issue.
When I went to the download page, that 17.9.6 version is nowhere to be seen anymore. This was the original data block on it:
Description : CAT9300/9400/9500/9600 Universal
Release : Cupertino-17.9.6
Release Date : 16-Sep-2024
FileName : cat9k_iosxe.17.09.06.SPA.bin
Min Memory : DRAM 8192 Flash 16384
Size : 1199.43 MB ( 1257688537 bytes)
So, should you be running NAC, for sure avoid the code. And, I'm not sure what other bugs they must have been finding so do research before you upgrade to that rev for sure!
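A quick way to spot the symptom described above across many ports is to correlate 'show authentication sessions', 'show mac address-table' and 'show interface' counters. The script below is an added example, not part of the original post; the sample outputs are constructed and modelled on typical IOS-XE formatting (assumption: column layout on a given release may differ slightly), and the condition it flags is exactly the one reported: dot1x session Auth, MAC learned as STATIC, zero packets input.

```python
import re

# Constructed sample output (not captured from a real switch).
AUTH_SESSIONS = """\
Interface    MAC Address    Method  Domain  Status  Fg  Session ID
Gi1/0/1      0011.2233.4455 dot1x   DATA    Auth        0A0A0A0A00000001AAAAAAAA
Gi1/0/2      0011.2233.4466 mab     DATA    Auth        0A0A0A0A00000002BBBBBBBB
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  33    0011.2233.4455    STATIC      Gi1/0/1
  33    0011.2233.4466    DYNAMIC     Gi1/0/2
"""
# Constructed 'show interface' excerpts keyed by the short port name.
INTERFACES = {
    "Gi1/0/1": "     0 packets input, 0 bytes, 0 no buffer\n     37 packets output, 4810 bytes",
    "Gi1/0/2": "     1532 packets input, 212344 bytes, 0 no buffer\n     1400 packets output, 180000 bytes",
}

def parse_auth_sessions(text):
    """Map port -> {mac, method, status}; skips the header line."""
    sessions = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            sessions[parts[0]] = {"mac": parts[1].lower(), "method": parts[2], "status": parts[4]}
    return sessions

def parse_mac_table(text):
    """Map mac -> {vlan, type, port}; only rows that start with a VLAN id match."""
    entries = {}
    pat = re.compile(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            entries[m.group(2).lower()] = {"vlan": int(m.group(1)), "type": m.group(3).upper(), "port": m.group(4)}
    return entries

def packets_input(show_interface_text):
    """Return the 'packets input' counter, or None if the line is absent."""
    m = re.search(r"(\d+) packets input", show_interface_text)
    return int(m.group(1)) if m else None

def find_stuck_sessions(sessions, macs, interfaces):
    """Ports where dot1x says Auth but the MAC is STATIC and no frames were ever received."""
    stuck = []
    for port, s in sessions.items():
        if s["method"] != "dot1x" or s["status"].lower() != "auth":
            continue
        entry = macs.get(s["mac"])
        if entry and entry["type"] == "STATIC" and packets_input(interfaces.get(port, "")) == 0:
            stuck.append(port)
    return stuck
```

Run it against your own captured output before and after the upgrade; the MAB port in the sample passes, which matches the behaviour reported in the thread.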
10-03-2024 11:38 PM
OK, so it is an internal SW issue, you think: the MAC is learned but the traffic is not forwarded.
9k#sh platform hardware fed switch active vlan 33 egress/ingress <<- check if the port is added to the VLAN in both cases, when you use dot1x and when you manually add the access port to the VLAN
9k#sh platform software fed switch 1 matm macTable vlan 33 <<- check if the MAC is successfully added to VLAN 33
MHM
10-14-2024 06:43 AM
It looks like 17.9.6a is now available and there is a bug report in the system on 17.9.6 with Bug ID: CSCwm57734.
10-16-2024 06:27 AM
I have tested 17.9.6a, and it appears that NAC is once again working ok after an upgrade from 17.9.5.
I just thought I'd post and let you all know.