09-28-2011 04:00 AM - edited 03-07-2019 02:29 AM
Hi,
We are authenticating users and printers via dot1x and MAB towards the ACS 5.1. The ACS then pushes out a VLAN + an access-list. Sometimes printers (MAB) and users (dot1x) end up on the wrong VLAN even though I can see that the correct VLAN is pushed out from the ACS and received on the switch. Even if I shut down the switchport for a while, the device still ends up on the wrong VLAN. The workaround for this issue is to enter the command "clear ip device tracking int x". Is this normal behavior? Doesn't it work to shut down the switchport, or should I disconnect the end device completely from the switch for a while in order for the device tracking feature to clear the old entry? Below are the relevant logs and config:
Correct VLAN = 50
Wrong VLAN = 666
SW on switch = c2960s-universalk9-mz.122-55.SE2.bin
interface GigabitEthernet1/0/14
switchport access vlan 666
switchport mode access
ip access-group pre in
authentication event fail action next-method
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 3600
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
001891: Sep 28 12:14:40: %AUTHMGR-5-START: Starting 'mab' for client (abcd.abcd.abcd) on Interface Gi1/0/14 AuditSessionID 0A0F0C060000014B50FCBA1F
001892: Sep 28 12:14:40: %MAB-5-SUCCESS: Authentication successful for client (abcd.abcd.abcd) on Interface Gi1/0/14 AuditSessionID 0A0F0C060000014B50FCBA1F
001893: Sep 28 12:14:40: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (abcd.abcd.abcd) on Interface Gi1/0/14 AuditSessionID 0A0F0C060000014B50FCBA1F
001894: Sep 28 12:14:40: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi1/0/14 AuditSessionID 0A0F0C060000014B50FCBA1F
001895: Sep 28 12:14:40: sw_host_track-ev:pm_vp_removed message posted for GigabitEthernet1/0/14 vlan 666
001896: Sep 28 12:14:40: sw_host_track-ev:MSG = 5
001897: Sep 28 12:14:40: sw_host_track-ev:pm_vp_added message posted for GigabitEthernet1/0/14 vlan 50
001898: Sep 28 12:14:40: sw_host_track-ev:MSG = 4
001899: Sep 28 12:14:40: sw_host_track-ev:Disable Event on GigabitEthernet1/0/14 vlan 666
001900: Sep 28 12:14:40: sw_host_track-ev:Disabling host abcd.abcd.abcd, 192.168.5.5 on interface GigabitEthernet1/0/14
001901: Sep 28 12:14:40: sw_host_track-ev:abcd.abcd.abcd Stopping cache timer
sh ip dev track all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
192.168.5.5 abcd.abcd.abcd 666 GigabitEthernet1/0/14 INACTIVE
/K
10-04-2011 08:59 AM
bump
02-22-2012 04:16 AM
Anybody?
02-22-2012 05:22 AM
Hello Patrik,
I am afraid that this issue points to an IOS bug, as there is absolutely no reason why a shutdown port should retain its (incorrect) state, or why a port should randomly accept and ignore a dynamically assigned VLAN. One of the things to test would be upgrading the IOS. Also, if you have a TAC contract, they should definitely hear about this.
I am sorry that I am not able to help you further here.
Best regards,
Peter
03-19-2013 06:28 PM
I have a similar problem with a 2960S and a 2960 non-S variant.
The following has been authenticated by dot1x and supplied a VLAN ID and a simple ACL:
g23219ca18.es#sh authentication sessions interface gigabitEthernet 1/0/3
Interface: GigabitEthernet1/0/3
MAC Address: 109a.dd54.0d3e
IP Address: 132.234.113.96
User-Name: s578473
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
Per-User ACL: permit ip any any
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6117120000059F46F0812A
Acct Session ID: 0x000005C3
Handle: 0x1F0005A0
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
the vlan gets applied to the interface:
g23219ca18.es#sh int status
Port Name Status Vlan Duplex Speed Type
Gi1/0/1 connected 10 a-full a-1000 10/100/1000BaseTX
Gi1/0/2 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/3 connected 10 a-full a-1000 10/100/1000BaseTX
but the ACL fails to be applied:
g23219ca18.es#sh ip access-lists interface gigabitEthernet 1/0/3
Which I suspect is because device tracking has failed to update.
g23219ca18.es#sh ip device tracking interface gigabitEthernet 1/0/3
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 5
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
169.254.49.75 109a.dd54.0d3e 1 GigabitEthernet1/0/3 INACTIVE
132.234.113.96 109a.dd54.0d3e 1 GigabitEthernet1/0/3 INACTIVE
Total number interfaces enabled: 9
Enabled interfaces:
Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/10,
Gi1/0/12, Gi1/0/16
VLAN should be 10 and STATE should be ACTIVE
I added the delay of 5 to try and solve the issue ... the default is 0, which also does not work.
Software is c2960s-universalk9-mz.150-2.SE2
Patrik did you get this solved?
Thanks
Dale
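The two outputs Dale posted (an authorized session with "Vlan Policy: 10" and a device tracking table that still shows the same MAC in VLAN 1, INACTIVE) can be compared mechanically. The script below is an added example, not code from the thread or from Cisco: it parses `show authentication sessions interface ...` and `show ip device tracking all` text, flags tracking rows that contradict the authorized VLAN policy (wrong VLAN, INACTIVE state, or a 169.254.x.x link-local address), and prints the per-interface `clear ip device tracking interface ...` workaround that Patrik mentioned. The sample outputs embedded in it are constructed: the Gi1/0/3 session block and the tracking rows are copied from the thread, while the Gi1/0/1 session block is made up to provide a healthy comparison case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show authentication sessions interface ...' for two
# ports. The Gi1/0/3 block mirrors the one posted in the thread; the Gi1/0/1
# block is invented so that there is one healthy port to compare against.
AUTH_SESSIONS = """\
Interface: GigabitEthernet1/0/3
MAC Address: 109a.dd54.0d3e
IP Address: 132.234.113.96
User-Name: s578473
Status: Authz Success
Domain: DATA
Vlan Policy: 10
Per-User ACL: permit ip any any

Interface: GigabitEthernet1/0/1
MAC Address: 3c07.5446.cea5
IP Address: 132.234.113.67
User-Name: example-user
Status: Authz Success
Domain: DATA
Vlan Policy: 10
"""

# Constructed excerpt of 'show ip device tracking all' (rows taken from the
# table in the thread, trimmed to the two ports above).
DEVICE_TRACKING = """\
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
169.254.49.75 109a.dd54.0d3e 1 GigabitEthernet1/0/3 INACTIVE
132.234.113.67 3c07.5446.cea5 10 GigabitEthernet1/0/1 ACTIVE
169.254.26.36 406c.8f1b.02ab 1 GigabitEthernet1/0/1 INACTIVE
132.234.113.96 109a.dd54.0d3e 1 GigabitEthernet1/0/3 INACTIVE
"""


@dataclass
class Session:
    interface: str
    mac: str
    vlan_policy: Optional[int]
    status: str


@dataclass
class TrackEntry:
    ip: str
    mac: str
    vlan: int
    interface: str
    state: str


TRACK_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+)\s+(?P<intf>\S+)\s+(?P<state>ACTIVE|INACTIVE)\s*$",
    re.M | re.I,
)


def parse_sessions(text: str) -> Dict[str, Session]:
    """Index authorized sessions by client MAC; one 'Interface:' block per session."""
    sessions: Dict[str, Session] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^\s*([^:]+?):\s*(.*)$", block, re.M))
        if "Interface" not in fields or "MAC Address" not in fields:
            continue
        vlan = fields.get("Vlan Policy", "").strip()
        mac = fields["MAC Address"].strip().lower()
        sessions[mac] = Session(
            interface=fields["Interface"].strip(),
            mac=mac,
            vlan_policy=int(vlan) if vlan.isdigit() else None,
            status=fields.get("Status", "").strip(),
        )
    return sessions


def parse_tracking(text: str) -> List[TrackEntry]:
    """Extract the table rows of 'show ip device tracking all'; header lines are ignored."""
    return [
        TrackEntry(m["ip"], m["mac"].lower(), int(m["vlan"]), m["intf"], m["state"].upper())
        for m in TRACK_ROW.finditer(text)
    ]


def find_stale(sessions: Dict[str, Session], entries: List[TrackEntry]) -> List[Tuple[str, str]]:
    """Return (interface, message) for tracking rows that contradict the authorization result."""
    findings = []
    for e in entries:
        s = sessions.get(e.mac)
        if s is None or s.vlan_policy is None:
            continue  # no authorized session with a VLAN policy for this MAC; nothing to compare
        if e.vlan != s.vlan_policy:
            findings.append((e.interface, f"{e.interface}: {e.mac} tracked in VLAN {e.vlan}, policy is VLAN {s.vlan_policy}"))
        if e.state != "ACTIVE":
            findings.append((e.interface, f"{e.interface}: {e.mac} ({e.ip}) is {e.state}"))
        if e.ip.startswith("169.254."):
            findings.append((e.interface, f"{e.interface}: {e.mac} holds link-local address {e.ip}"))
    return findings


def remediation(sessions: Dict[str, Session], entries: List[TrackEntry]) -> List[str]:
    """One 'clear ip device tracking interface X' per affected port (the workaround from the thread)."""
    ports = sorted({intf for intf, _ in find_stale(sessions, entries)})
    return [f"clear ip device tracking interface {p}" for p in ports]


if __name__ == "__main__":
    sess = parse_sessions(AUTH_SESSIONS)
    track = parse_tracking(DEVICE_TRACKING)
    for _, msg in find_stale(sess, track):
        print(msg)
    print("\n".join(remediation(sess, track)))
```

Run against the constructed sample, the Gi1/0/1 row passes all three checks and only Gi1/0/3 is reported, so a single clear command is emitted. Feeding it the full tables from a switch (e.g. via `show authentication sessions` with an `interface` loop) gives a quick list of ports whose tracking entries never followed the dynamic VLAN, which is the condition under which the dACL does not show up in `show ip access-lists interface`.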
03-19-2013 07:39 PM
Your config is missing.
conf t
ip device tracking
int g 1/0/14
ip device tracking max 10
end
--- Wait for 31 seconds ---
Command: sh ip device track all
03-19-2013 07:59 PM
config is all there....
g23219ca18.es#sh run | in device
ip device tracking probe delay 5
ip device tracking
g23219ca18.es#sh ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 5
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
169.254.49.75 109a.dd54.0d3e 1 GigabitEthernet1/0/3 INACTIVE
132.234.113.67 3c07.5446.cea5 10 GigabitEthernet1/0/1 ACTIVE
169.254.26.36 406c.8f1b.02ab 1 GigabitEthernet1/0/1 INACTIVE
132.234.113.110 406c.8f1b.02ab 1 GigabitEthernet1/0/1 INACTIVE
132.234.113.109 10dd.b1ab.29b1 1 GigabitEthernet1/0/10 INACTIVE
132.234.113.96 109a.dd54.0d3e 1 GigabitEthernet1/0/3 INACTIVE
132.234.113.151 a820.665a.fb7a 1 GigabitEthernet1/0/7 INACTIVE
132.234.120.135 c82a.140d.bc1e 1 GigabitEthernet1/0/16 INACTIVE
132.234.120.139 406c.8f1b.02ab 1 GigabitEthernet1/0/1 INACTIVE
132.234.113.189 b8ca.3ad3.a9a9 10 GigabitEthernet1/0/6 ACTIVE
169.254.3.254 406c.8f1b.02ab 1 GigabitEthernet1/0/1 INACTIVE
132.234.136.39 406c.8f1b.02ab 1 GigabitEthernet1/0/1 INACTIVE
Total number interfaces enabled: 9
Enabled interfaces:
Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/10,
Gi1/0/12, Gi1/0/16
g23219ca18.es#
I don't see the point in adding a maximum to the interface?
Thanks for your help
Dale
03-19-2013 08:06 PM
I don't see the point in adding a maximum to the interface?
That's what we've done to all our interfaces. And it works.