cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
485
Views
5
Helpful
20
Replies

encapulsation faild

Mustapha Bassim
Beginner
Beginner

Hello Dears

 

I have an issue when i trying to reach a server on my network with ping it's reachable but when i make traffic for radius (authenticated the device using radius) it's gave me on encapsulation fail 

 

Best Regards

20 Replies 20

marce1000
VIP Mentor VIP Mentor
VIP Mentor

 

             - Problem description is unclear , provide screenshot of observed phenomenon,

 M.

Hello dear and thnx for reply the issue i had Ise server connected with Active directory , the required is to make user login from AD users through ise one of the switches which is 9200 is working fine while anther 9200 using the same config is not working gave us the error encapsulation fail  in debug take in mind the switch using management interface which is located on vrf management while the working switch using ip on vlan interface  

 

Can you ping the radius server from the management vrf interface ? 

 

Jon

yes I am able to ping server using vrf also ping the gateway but when try to authenticate using ise it's gave me an error  encapsulation fail 

 

Have you got this in your configuration - 

 

ip radius source-interface <intf>  vrf management  <-- where <intf> is the interface you are using for the management vrf. 

 

Jon

I try this command using source inferface one time and one time source interface with souce VRF for management but still the same issue 

 

                       >.... which is 9200 is working fine while anther 9200 using the same config is not working 

  - Are they running the same software version ? In general check your ISE version , then lookup the 9200 according to these info's : https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html , when validating the 9200 in the table(s) look at required IOS-XE version in order to be compatible with ISE version being used, check if all of these conditions are satisfied.

 M.

all of the switches are the same IOS version and also ISE version is working with one of them without any issue , when i put the ip address on vlan interface it's working fine but when the source become the management interface which is on vrf management  it's give me that error

 

What is the result if you try to ping ISE and specify that the source for ping is the IP in the management vrf?

HTH

Rick

hello dear

 

it's pingable

Georg Pauwen
VIP Master VIP Master
VIP Master

Hello,

 

'encapsulation failed' usually means that a layer 3 packet cannot be forwarded because some layer 2 information is missing. One thing you could try is to create a static ARP entry for the server on the router. Let's say the IP address of the server is 192.168.1.11, then you would create a static ARP entry as below (you obviously need to use the real MAC address of the server:

 

arp 192.168.1.11 0b0c.7813.0290 SNAP

hello dear and thnx for reply , the server is located in anther subnet so in this case i need to put the MAC address of the gateway ?

MHM Cisco World
Advisor
Advisor

check Radius attribute return from server to SW.

hello dear and thnx for reply , the same configuration is working fine on another 9200 switch  while for the another one is not ( that gave me 'encapsulation failed' )

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers