encapulsation faild

Mustapha Bassim · ‎07-02-2022

Hello Dears

I have an issue when i trying to reach a server on my network with ping it's reachable but when i make traffic for radius (authenticated the device using radius) it's gave me on encapsulation fail

Best Regards

marce1000 · ‎07-02-2022

- Problem description is unclear , provide screenshot of observed phenomenon,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Mustapha Bassim · ‎07-02-2022

Hello dear and thnx for reply the issue i had Ise server connected with Active directory , the required is to make user login from AD users through ise one of the switches which is 9200 is working fine while anther 9200 using the same config is not working gave us the error encapsulation fail in debug take in mind the switch using management interface which is located on vrf management while the working switch using ip on vlan interface

Jon Marshall · ‎07-03-2022

Can you ping the radius server from the management vrf interface ?

Jon

Mustapha Bassim · ‎07-03-2022

yes I am able to ping server using vrf also ping the gateway but when try to authenticate using ise it's gave me an error encapsulation fail

Jon Marshall · ‎07-03-2022

Have you got this in your configuration -

ip radius source-interface <intf> vrf management <-- where <intf> is the interface you are using for the management vrf.

Jon

Mustapha Bassim · ‎07-03-2022

I try this command using source inferface one time and one time source interface with souce VRF for management but still the same issue

marce1000 · ‎07-03-2022

>.... which is 9200 is working fine while anther 9200 using the same config is not working

- Are they running the same software version ? In general check your ISE version , then lookup the 9200 according to these info's : https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html , when validating the 9200 in the table(s) look at required IOS-XE version in order to be compatible with ISE version being used, check if all of these conditions are satisfied.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Mustapha Bassim · ‎07-03-2022

all of the switches are the same IOS version and also ISE version is working with one of them without any issue , when i put the ip address on vlan interface it's working fine but when the source become the management interface which is on vrf management it's give me that error

Richard Burts · ‎07-04-2022

What is the result if you try to ping ISE and specify that the source for ping is the IP in the management vrf?

HTH

Rick

Mustapha Bassim · ‎07-04-2022

hello dear

it's pingable

Georg Pauwen · ‎07-02-2022

Hello,

'encapsulation failed' usually means that a layer 3 packet cannot be forwarded because some layer 2 information is missing. One thing you could try is to create a static ARP entry for the server on the router. Let's say the IP address of the server is 192.168.1.11, then you would create a static ARP entry as below (you obviously need to use the real MAC address of the server:

arp 192.168.1.11 0b0c.7813.0290 SNAP

Mustapha Bassim · ‎07-02-2022

hello dear and thnx for reply , the server is located in anther subnet so in this case i need to put the MAC address of the gateway ?

MHM Cisco World · ‎07-02-2022

check Radius attribute return from server to SW.

Mustapha Bassim · ‎07-02-2022

hello dear and thnx for reply , the same configuration is working fine on another 9200 switch while for the another one is not ( that gave me 'encapsulation failed' )