ip device tracking getting disabled on 2960x ports

jeremy.hinton
Level 1

In the process of rolling out dot1x with ACLs, we've been seeing an issue recently where it seems like device tracking stops working on some ports on our 2960X switches. As we just recently went to low-impact mode with ACLs, we're seeing devices unable to communicate after a re-authentication, as the switch "forgets" their IP and can't construct the ACL appropriately.

Standard port config is:

template DOT1X_MAB_PORT
dot1x pae authenticator
switchport mode access
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber DOT1X_THEN_MAB

interface GigabitEthernet1/0/1
description HCD-14-01
switchport access vlan 89
switchport mode access
switchport voice vlan 462
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip access-group ACL_PREAUTH in
no logging event link-status
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
no snmp trap link-status
mls qos trust cos
dot1x timeout tx-period 7
storm-control broadcast level 30.00 10.00
source template DOT1X_MAB_PORT

Here's what we should see for device tracking on a port:

850Ent-HDC-Cardio#show ip device tracking interface g1/0/2
--------------------------------------------
Interface GigabitEthernet1/0/2 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IPv6 Device Tracking Client Registered Handle: 2
IP Device Tracking Enabled Features:
HOST_TRACK_CLIENT_SM
--------------------------------------------
172.21.89.201 5065.f344.a18c 89 GigabitEthernet1/0/2 30 ACTIVE ARP
10.90.212.125 b4b0.1782.3b3f 462 GigabitEthernet1/0/2 30 ACTIVE ARP

And here's where it's stopped working on this port:

850Ent-HDC-Cardio#show ip device tracking interface g2/0/9
--------------------------------------------
Interface GigabitEthernet2/0/9 is: STAND ALONE
IP Device Tracking = Disabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IPv6 Device Tracking Client Registered Handle: 51
IP Device Tracking Enabled Features:
--------------------------------------------

As you see, it's like the feature requiring it is no longer bound to the port (and yet it still is).

Access session for the non-working port is missing IPv4 info as a result:

850Ent-HDC-Cardio#show access-session interface g2/0/9 details
Interface: GigabitEthernet2/0/9
MAC Address: c465.16ae.454f
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: host/NEUR-HAMP-DR1.rhs.RIVHS.LOCAL
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 21600s (server), Remaining: 15872s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 5747s
Common Session ID: AC155805000006A99FC438C8
Acct Session ID: 0x0000082F
Handle: 0x2C000681
Current Policy: DOT1X_THEN_MAB

Server Policies:

Method status list:
Method State

dot1x Authc Success

On this stack of two 2960X switches, this is affecting about 8 ports; the rest are fine. We're running 15.2(2)E10, which we had the most success with on these models until now.
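
Added example (not part of the original post or any Cisco tool): a small Python parser for the `show ip device tracking interface` output format shown above. It flags ports that report tracking Disabled with no feature bound, so the symptom can be found across a whole stack by feeding in collected output instead of reading each port by hand. The sample text is constructed from the two outputs in the post.

```python
import re

# Constructed sample: the two "show ip device tracking interface" outputs
# from the post, concatenated as a per-port collection would produce them.
SAMPLE = """\
Interface GigabitEthernet1/0/2 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Enabled Features:
HOST_TRACK_CLIENT_SM
--------------------------------------------
172.21.89.201 5065.f344.a18c 89 GigabitEthernet1/0/2 30 ACTIVE ARP
10.90.212.125 b4b0.1782.3b3f 462 GigabitEthernet1/0/2 30 ACTIVE ARP
--------------------------------------------
Interface GigabitEthernet2/0/9 is: STAND ALONE
IP Device Tracking = Disabled
IP Device Tracking Enabled Features:
--------------------------------------------
"""
ENTRY = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s+(\d+)\s+(\S+)")

def parse_device_tracking(text):
    """Map interface -> {enabled, features, entries}; entries are (ip, mac, vlan)."""
    ports, cur, in_features = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Interface (\S+) is:", line)
        if m:
            cur = ports.setdefault(m.group(1), {"enabled": False, "features": [], "entries": []})
            in_features = False
        elif line.startswith("----"):
            in_features = False          # dashed rule ends the feature list
        elif cur is None:
            continue
        elif line.startswith("IP Device Tracking = "):
            cur["enabled"] = line.split("=", 1)[1].strip() == "Enabled"
        elif line.startswith("IP Device Tracking Enabled Features:"):
            in_features = True
        elif in_features and re.fullmatch(r"[A-Z_]+", line.strip()):
            cur["features"].append(line.strip())
        elif (e := ENTRY.match(line)):
            # tracked-host rows name their own interface in column 4
            if e.group(4) in ports:
                ports[e.group(4)]["entries"].append((e.group(1), e.group(2), int(e.group(3))))
    return ports

def ports_with_tracking_lost(ports):
    """Ports reporting Disabled with no feature bound: the symptom described in the post."""
    return sorted(i for i, p in ports.items() if not p["enabled"] and not p["features"])
```

Run it over the output of the command for every port on the stack (or `show ip device tracking all`, restructured per interface) and compare the flagged list against `show access-session ... details` entries whose IPv4 Address is Unknown.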
