Showing results for 
Search instead for 
Did you mean: 

encapulsation faild

Mustapha Bassim

Hello Dears


I have an issue when i trying to reach a server on my network with ping it's reachable but when i make traffic for radius (authenticated the device using radius) it's gave me on encapsulation fail 


Best Regards

20 Replies 20

VIP Mentor VIP Mentor
VIP Mentor


             - Problem description is unclear , provide screenshot of observed phenomenon,


Hello dear and thnx for reply the issue i had Ise server connected with Active directory , the required is to make user login from AD users through ise one of the switches which is 9200 is working fine while anther 9200 using the same config is not working gave us the error encapsulation fail  in debug take in mind the switch using management interface which is located on vrf management while the working switch using ip on vlan interface  


Can you ping the radius server from the management vrf interface ? 



yes I am able to ping server using vrf also ping the gateway but when try to authenticate using ise it's gave me an error  encapsulation fail 


Have you got this in your configuration - 


ip radius source-interface <intf>  vrf management  <-- where <intf> is the interface you are using for the management vrf. 



I try this command using source inferface one time and one time source interface with souce VRF for management but still the same issue 


                       >.... which is 9200 is working fine while anther 9200 using the same config is not working 

  - Are they running the same software version ? In general check your ISE version , then lookup the 9200 according to these info's : , when validating the 9200 in the table(s) look at required IOS-XE version in order to be compatible with ISE version being used, check if all of these conditions are satisfied.


all of the switches are the same IOS version and also ISE version is working with one of them without any issue , when i put the ip address on vlan interface it's working fine but when the source become the management interface which is on vrf management  it's give me that error


What is the result if you try to ping ISE and specify that the source for ping is the IP in the management vrf?



hello dear


it's pingable

Georg Pauwen
VIP Master VIP Master
VIP Master



'encapsulation failed' usually means that a layer 3 packet cannot be forwarded because some layer 2 information is missing. One thing you could try is to create a static ARP entry for the server on the router. Let's say the IP address of the server is, then you would create a static ARP entry as below (you obviously need to use the real MAC address of the server:


arp 0b0c.7813.0290 SNAP

hello dear and thnx for reply , the server is located in anther subnet so in this case i need to put the MAC address of the gateway ?

check Radius attribute return from server to SW.

hello dear and thnx for reply , the same configuration is working fine on another 9200 switch  while for the another one is not ( that gave me 'encapsulation failed' )

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers