DACL get removed after some time
10-23-2024 03:20 AM
Hello, our 9200 switches with code 17.9.4a receive the dACL from ISE and authorize clients successfully. Based on the complaints (endpoints can access destinations that they shouldn't, as those destinations are not allowed in the dACL) we started to check whether anything goes wrong with the switches and saw that while the client stays authorized and the ACL is applied to the client port (sh authen sess int), the ACL does not exist on the switch when we run the show ip access-list command.
Does anybody have the same issue? We suspect device tracking. If the device is removed from the tracking table, maybe the switch removes the ACL too, but we are not sure about that.
Labels: Other Switching
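The check described in the post above (a session shows an applied dACL in `show authentication sessions interface ... details`, but the ACL is absent from `show ip access-lists`) can be automated so that the mismatch is caught before users complain. The following Python script is an added example, not code from the thread or from Cisco: it parses the two command outputs and reports every authorized session whose dACL name has no matching access list on the switch. The sample outputs, interface names, MAC and IP addresses and the `xACSACLx-IP-...` ACL names are constructed to approximate the IOS XE format and are not taken from the original post.

```python
"""Flag authorized sessions whose dACL is missing from the switch ACL table.

Feed it the text of:
  show authentication sessions interface <if> details   (one or more interfaces)
  show ip access-lists
The parsing is keyed on the field labels IOS XE prints; the sample data
below is constructed for this example, not captured from a real device.
"""
import re
from dataclasses import dataclass

# Constructed sample: two authorized sessions on a Catalyst 9200.
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
         IPv4 Address:  10.10.20.15
            User-Name:  host/example-pc-1
               Status:  Authorized
               Domain:  DATA
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_CORP_ONLY-66f0a1b2

            Interface:  GigabitEthernet1/0/2
          MAC Address:  0011.2233.6677
         IPv4 Address:  10.10.20.16
            User-Name:  host/example-pc-2
               Status:  Authorized
               Domain:  DATA
Server Policies:
              ACS ACL:  xACSACLx-IP-GUEST_RESTRICT-66f0c3d4
"""

# Constructed sample: only the first dACL is actually present on the switch.
ACL_OUTPUT = """\
Extended IP access list xACSACLx-IP-PERMIT_CORP_ONLY-66f0a1b2
    10 permit ip any 10.10.0.0 0.0.255.255
    20 deny ip any any
Extended IP access list preauth_v4
    10 permit udp any any eq domain
"""

_INTERFACE_RE = re.compile(r"^\s*Interface:\s+(\S+)")
_STATUS_RE = re.compile(r"^\s*Status:\s+(\S+)")
_IPV4_RE = re.compile(r"^\s*IPv4 Address:\s+(\S+)")
_DACL_RE = re.compile(r"^\s*ACS ACL:\s+(\S+)")
_ACL_HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")


@dataclass
class Session:
    interface: str
    status: str = ""
    ipv4: str = ""
    dacl: str = ""


def parse_sessions(text: str) -> list[Session]:
    """Split session-details output into one Session per 'Interface:' block."""
    sessions: list[Session] = []
    current = None
    for line in text.splitlines():
        m = _INTERFACE_RE.match(line)
        if m:
            current = Session(interface=m.group(1))
            sessions.append(current)
            continue
        if current is None:
            continue
        for attr, rx in (("status", _STATUS_RE), ("ipv4", _IPV4_RE), ("dacl", _DACL_RE)):
            m = rx.match(line)
            if m:
                setattr(current, attr, m.group(1))
                break
    return sessions


def parse_acl_names(text: str) -> set[str]:
    """Collect the names of all IP access lists the switch currently holds."""
    return {m.group(1) for m in map(_ACL_HEADER_RE.match, text.splitlines()) if m}


def find_missing_dacls(session_text: str, acl_text: str) -> list[tuple[str, str, str]]:
    """Return (interface, ipv4, dacl) for authorized sessions whose dACL is absent.

    Such a session is effectively unfiltered: the port is authorized, but the
    ACL the switch claims to apply no longer exists.
    """
    present = parse_acl_names(acl_text)
    return [
        (s.interface, s.ipv4, s.dacl)
        for s in parse_sessions(session_text)
        if s.status == "Authorized" and s.dacl and s.dacl not in present
    ]


if __name__ == "__main__":
    for iface, ip, acl in find_missing_dacls(SESSION_OUTPUT, ACL_OUTPUT):
        print(f"MISSING dACL: {iface} ({ip}) references {acl} but it is not on the switch")
```

Run it against saved command output on a schedule (or from a NetDevOps collector) and alert on any non-empty result; a session in the list is the exact condition the post describes, where the endpoint is authorized but its traffic is no longer restricted by the dACL.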
10-23-2024 03:37 AM
Hello!
I haven't encountered such issues. Have you tried the command sh access-list int gigX/X/X? Why would the device be removed from the device tracking table? I assume the device stays connected?
BR
10-23-2024 05:42 AM
No issues reported above 17.9.5, so can you check upgrading to the latest IOS XE and observe?
On the other side, you can reach TAC also.
