310 Views | 5 Helpful | 9 Replies

Switchport configured in vlan 50 requests an IP from DHCP in vlan 40

astro-saurabh
Level 1

Port Configuration:

interface GigabitEthernet1/0/25
description COLLABORATION
switchport access vlan 50
switchport mode access
switchport nonegotiate
ip arp inspection limit rate 30
no cdp enable
authentication periodic
authentication timer reauthenticate server
access-session host-mode single-host
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-reauth-req 1
storm-control broadcast level 5.00
storm-control multicast level 5.00
storm-control action shutdown
macro description MACRO-COLLAB
no lldp transmit
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber NAC-PM-GENRAL
ip dhcp snooping limit rate 20
end

Switch1#show mac address-table int Gi1/0/25
Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
40      a417.9114.fd65    DYNAMIC    Gi1/0/25
Total Mac Addresses for this criterion: 1

Syslog messages:

689753: .Jul 17 2024 14:42:39.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/b6d0.0402.0000/10.61.50.1/16:42:38 CEST Wed Jul 17 2024])
689756: .Jul 17 2024 14:42:40.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/b6d0.0402.0000/10.61.50.1/16:42:39 CEST Wed Jul 17 2024])
689758: .Jul 17 2024 14:42:41.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/b6d0.0402.0000/10.61.50.1/16:42:40 CEST Wed Jul 17 2024])
689761: .Jul 17 2024 14:42:43.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:42 CEST Wed Jul 17 2024])
689764: .Jul 17 2024 14:42:44.119 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:43 CEST Wed Jul 17 2024])
689769: .Jul 17 2024 14:42:45.120 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:44 CEST Wed Jul 17 2024])
689776: .Jul 17 2024 14:42:48.121 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:47 CEST Wed Jul 17 2024])
689780: .Jul 17 2024 14:42:49.121 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:48 CEST Wed Jul 17 2024])
689782: .Jul 17 2024 14:42:50.120 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:50 CEST Wed Jul 17 2024])


What could be going wrong here, as the host is configured to receive an IP in VLAN 50 but receives an IP in VLAN 40 from the DHCP server?

Thanks

Accepted Solution

You use dot1x, so the AAA server assigns the VLAN dynamically, and it assigns VLAN 40, not VLAN 50.

See the show mac table output.

The problem is in AAA, not in the switch.

MHM

9 Replies

Thanks @MHM Cisco World for the hint.

But this config worked fine for several years. The issue only started last week.
Also, could you elaborate a bit more regarding the AAA issue, please?

Many thanks once again!

KR,
Saurabh.

Show authentication interface x/x detail 

See which VLAN AAA returns to the switch.

MHM

@MHM Cisco World: Hi, I tried running the above-mentioned command, but it wasn't accepted by the switch.

However, I tried using show authentication sessions interface:

Switch1#show authentication sessions interface Gi1/0/25
Interface   MAC Address      Method   Domain    Status   Fg   Session ID
--------------------------------------------------------------------------------------------
Gi1/0/25    a417.9123.57fb   dot1x    UNKNOWN   Unauth        2B146E0A000016DEC54E3B91

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle   Priority   Name
12       5          dot1xSup
8        5          dot1x
13       10         webauth
11       15         mab

Is there any other way to see which VLAN is returned from the AAA server, please?

Thanks!

KR,
Saurabh

Switch1#show authentication sessions interface Gi1/0/25 detail 

Thanks for sharing the correct syntax.

Interface: GigabitEthernet1/0/25
IIF-ID: 0x1032269D
MAC Address: a417.9116.71ba
IPv6 Address: Unknown
IPv4 Address: 10.61.40.11 --> (vlan 40)
User-Name: a417911671ba
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Common Session ID: 2C146E0A0000064EC56618CD
Acct Session ID: Unknown
Handle: 0x9b000644
Current Policy: NAC-PM-GENRAL


Local Policies:
Service Template: NAC-ST-CRITICAL_VLAN (priority 150)
Vlan Group: Vlan: 40

Server Policies:


Method status list:
Method State
dot1x Stopped
mab Authc Failed

Indeed, the device is getting an IP in VLAN 40 while the switchport is configured with VLAN 50.

What are your recommended steps to get rid of this problem for good?

Thanks!

KR,
Saurabh.


NAC-ST-CRITICAL_VLAN <<- critical VLAN?
It seems that the switch cannot connect to the AAA server.
Ping the AAA server and check,
or use the test aaa command.
MHM

Many thanks @MHM Cisco World .

It was indeed an issue with the ISE server. ISE licenses expired over the weekend, and hence the authentication from the switches started failing.

809648: .Jul 18 2024 11:25:06.872 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (a417.9112.29df) on Interface GigabitEthernet1/0/25 AuditSessionID 041E3D0A00005B9EC596A2B2. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
809651: .Jul 18 2024 11:25:08.327 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (68ca.e474.14f0) on Interface GigabitEthernet1/0/48 AuditSessionID 041E3D0A00005B9FC596A862. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
809666: .Jul 18 2024 11:25:22.219 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (00e0.db54.ea78) on Interface GigabitEthernet1/0/34 AuditSessionID 041E3D0A00005B9AC5968C9A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.


We've requested new licenses from Cisco, and it should be OK in the meantime with evaluation ones.

Many thanks once again.

KR,
Saurabh.
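The two syslog formats quoted in this thread are enough to catch this failure mode automatically: DAI denies whose sender address belongs to a different VLAN's subnet than the VLAN the port is currently in (a host still holding an address from its intended VLAN while the port has been moved to the critical VLAN), and session-manager failures whose Authc failure reason is "AAA Server Down". The script below is an added example written for this thread; it is not code from the poster or from Cisco. It assumes the VLAN-to-subnet mapping seen in the thread (10.61.40.0/24 for VLAN 40, 10.61.50.0/24 for VLAN 50), uses sample log lines constructed after the ones quoted above (the Gi1/0/26 line and the last SESSION_MGR line are invented for contrast), and the regular expressions are written for the message shapes shown here, not taken from any Cisco documentation.

```python
"""Flag two symptoms of an AAA outage in Cisco IOS syslog lines:
1. %SW_DAI-4-DHCP_SNOOPING_DENY where the ARP sender IP is not in the subnet
   expected on the VLAN the port is in (host keeping an address from another VLAN).
2. %SESSION_MGR-5-FAIL with 'AAA Server Down', which pushes ports into the
   critical-VLAN service template.
Added example for this thread; not code from the thread's author or from Cisco."""
import ipaddress
import re
from collections import Counter

# Assumption: VLAN -> subnet mapping inferred from addresses seen in the thread
# (10.61.50.1 gateway in VLAN 50, 10.61.40.11 leased in VLAN 40).
VLAN_SUBNETS = {
    40: ipaddress.ip_network("10.61.40.0/24"),
    50: ipaddress.ip_network("10.61.50.0/24"),
}

# Regexes written for the message shapes shown in the thread (assumption, not a Cisco spec).
DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on "
    r"(?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)
SESS_RE = re.compile(
    r"%SESSION_MGR-5-FAIL: .*client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)\. Failure reason: (?P<reason>[^.]+)\. "
    r"Authc failure reason: (?P<authc>[^.]+)\."
)

# Constructed sample log, modeled on the lines quoted in the thread.
SAMPLE_LOG = [
    "689753: .Jul 17 2024 14:42:39.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/b6d0.0402.0000/10.61.50.1/16:42:38 CEST Wed Jul 17 2024])",
    "689761: .Jul 17 2024 14:42:43.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:42 CEST Wed Jul 17 2024])",
    # Constructed contrast case: sender IP is in the VLAN 40 subnet, so it is an ordinary no-binding deny.
    "689790: .Jul 17 2024 14:43:01.000 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/26, vlan 40.([0011.2233.4455/10.61.40.77/0000.0000.0000/10.61.40.1/16:43:00 CEST Wed Jul 17 2024])",
    "809648: .Jul 18 2024 11:25:06.872 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (a417.9112.29df) on Interface GigabitEthernet1/0/25 AuditSessionID 041E3D0A00005B9EC596A2B2. Failure reason: Authc fail. Authc failure reason: AAA Server Down.",
    "809651: .Jul 18 2024 11:25:08.327 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (68ca.e474.14f0) on Interface GigabitEthernet1/0/48 AuditSessionID 041E3D0A00005B9FC596A862. Failure reason: Authc fail. Authc failure reason: AAA Server Down.",
    # Constructed contrast case: a failure that is not a server outage (reason text is a placeholder).
    "809700: .Jul 18 2024 11:26:00.000 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (00e0.db54.ea78) on Interface GigabitEthernet1/0/34 AuditSessionID 041E3D0A00005B9AC5968C9A. Failure reason: Authc fail. Authc failure reason: PLACEHOLDER credential failure.",
]


def parse_dai(line):
    """Return the fields of a DAI deny message, or None if the line is not one."""
    m = DAI_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"count": int(d["count"]), "intf": d["intf"], "vlan": int(d["vlan"]),
            "smac": d["smac"], "sip": ipaddress.ip_address(d["sip"]),
            "tip": ipaddress.ip_address(d["tip"])}


def parse_session_fail(line):
    """Return the fields of a SESSION_MGR-5-FAIL message, or None."""
    m = SESS_RE.search(line)
    return None if m is None else m.groupdict()


def dai_vlan_mismatches(lines):
    """DAI denies whose sender IP sits outside the subnet of the VLAN in the message.
    home_vlan is the VLAN whose subnet the address does belong to (None if unknown)."""
    hits = []
    for line in lines:
        rec = parse_dai(line)
        if rec is None:
            continue
        expected = VLAN_SUBNETS.get(rec["vlan"])
        if expected is not None and rec["sip"] in expected:
            continue  # address belongs to this VLAN; plain no-binding deny, not our symptom
        rec["home_vlan"] = next((v for v, n in VLAN_SUBNETS.items() if rec["sip"] in n), None)
        hits.append(rec)
    return hits


def aaa_down_by_interface(lines):
    """Count 'AAA Server Down' authc failures per interface."""
    counts = Counter()
    for line in lines:
        rec = parse_session_fail(line)
        if rec is not None and rec["authc"] == "AAA Server Down":
            counts[rec["intf"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for h in dai_vlan_mismatches(SAMPLE_LOG):
        print(f"{h['intf']}: {h['smac']} sends ARP as {h['sip']} on vlan {h['vlan']} "
              f"(address belongs to vlan {h['home_vlan']})")
    for intf, n in aaa_down_by_interface(SAMPLE_LOG).items():
        print(f"{intf}: {n} session(s) failed with AAA Server Down")
```

Run against a switch's syslog export, the first function points at ports where a host is still using its VLAN 50 address after the port fell into the critical VLAN, and the second one gives the first hint that the cause is the RADIUS/ISE path rather than the port configuration, which is the conclusion the thread reached.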

You are so so welcome.
Have a nice summer.

MHM
