PC Traffic blocked on the switch

peter.matuska1
Level 1

Hi,

we’re experiencing an issue where freshly installed Windows 11 PCs are being disconnected from the network exactly 7 days after installation. The devices are connected to a Catalyst 3650 switch (we’ve also seen this behavior on a 9200 series) running the latest software.

We have a TAC case open, but I wanted to check if anyone else has encountered this issue and knows of a solution.

After 7 days, the PC becomes completely unreachable — no network services work, and it cannot be pinged. However, when running a tcpdump on the switch, we can see that the PC does send ICMP replies to incoming ping requests. These replies are visible on the access interface, where the PC is connected, but they do not appear on the uplink interface. DHCP and 802.1x work (since they don't use IP addresses).

We have the following features enabled:

• DHCP snooping

• ARP inspection

• IP source guard (ip verify source)

All DHCP and ARP tables appear to be correct — the IP/MAC bindings are accurate. If we remove ip verify source, everything starts working immediately. When we re-enable it, it continues to work fine. A shut/no shut of the interface also helps.

So far, this seems to happen only once per device, around 7 days after installation. We haven’t seen it repeat after the initial incident.

Has anyone else experienced this behavior or found a fix?

Thanks!

6 Replies

marce1000
Hall of Fame

 

- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd73477

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

peter.matuska1
Level 1

ipv6 sg is not enabled but we will try to configure ip verify source mac-check

edit: I found out from looking at the show run all that ip verify source and ip verify source mac-check are enabled. mac-check is not visible from the sh run output

thank you

 

- @peter.matuska1 >... from the network exactly 7 days after installation.

I am a bit suspicious when reading that, because it smells like a device issue and not a network problem.

Following actions may provide insights: check Windows eventvwr when this happens, look at networking, system, app logs; look for problems. Take a test Windows 11, use 'Reset this PC', Windows will re-install it and you will have a virgin system with no apps (from which many could be influential for such issue, such as anti-virus software, related firewalling, or other apps).

Check if the virgin Windows 11 PC has the same issues or not.

M.
                                    




Interesting thing is that the PC responds to the ping packets; we can see them reaching the switch on the connected interface but cannot see them on the uplink interface of the same switch.

Share below 

Show ip arp inspection statistics

Show ip guard 

MHM

switch#sh ip arp inspection statistics

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
  10    1373488    55076       49675          0
  20     356354      196           0          0
  30          0        0           0          0

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
  10        932611            0            991                    0
  20        356354            0              0                    0
  30             0            0              0                    0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
  10                  0                    5401                      0
  20                  0                     196                      0
  30                  0                       0                      0

Regarding the second command, did you mean sh ip verify source?
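
An added example, not part of any post in this thread: a Python sketch that merges the three tables of the `show ip arp inspection statistics` output posted above into one record per VLAN and checks whether the per-reason counters account for the Dropped total. The function names are made up for this example, and treating the six reason columns as the components of Dropped is an assumption checked against this sample, not documented switch behaviour.

```python
import re
# Counters copied from the thread (spacing is not significant); COLUMNS lists its header names.
THREAD_OUTPUT = """\
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
10 1373488 55076 49675 0
20 356354 196 0 0
30 0 0 0 0

Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
10 932611 0 991 0
20 356354 0 0 0
30 0 0 0 0

Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
10 0 5401 0
20 0 196 0
30  0 0 0
"""
COLUMNS = ["Forwarded", "Dropped", "DHCP Drops", "ACL Drops", "DHCP Permits",
           "ACL Permits", "Probe Permits", "Source MAC Failures",
           "Dest MAC Failures", "IP Validation Failures", "Invalid Protocol Data"]
HEADER_RE = re.compile("|".join(map(re.escape, COLUMNS)))
DROP_REASONS = [c for c in COLUMNS if c.endswith(("Drops", "Failures", "Data"))]

def parse_dai_stats(text):
    """Merge the per-VLAN tables into {vlan: {column name: counter}}."""
    stats, header = {}, []
    for line in map(str.strip, text.splitlines()):
        nums = line.split()
        if line.startswith("Vlan"):
            header = HEADER_RE.findall(line)  # multi-word names, so match a known list
        elif header and len(nums) == len(header) + 1 and all(n.isdigit() for n in nums):
            stats.setdefault(int(nums[0]), {}).update(zip(header, map(int, nums[1:])))
    return stats

def drop_breakdown(stats):
    """Per VLAN: Dropped total, non-zero drop reasons, and whether they sum to the total."""
    report = {}
    for vlan, row in stats.items():
        reasons = {r: row[r] for r in DROP_REASONS if row.get(r)}
        dropped = row.get("Dropped", 0)
        report[vlan] = {"dropped": dropped, "reasons": reasons,
                        "reconciled": sum(reasons.values()) == dropped}
    return report

if __name__ == "__main__":
    print(drop_breakdown(parse_dai_stats(THREAD_OUTPUT)))
```

On the posted counters the drop reasons add up to the Dropped total for every VLAN, with VLAN 10's drops split between DHCP Drops (49675) and IP Validation Failures (5401).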