07-18-2024 02:26 AM
Port Configuration:
interface GigabitEthernet1/0/25
description COLLABORATION
switchport access vlan 50
switchport mode access
switchport nonegotiate
ip arp inspection limit rate 30
no cdp enable
authentication periodic
authentication timer reauthenticate server
access-session host-mode single-host
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-reauth-req 1
storm-control broadcast level 5.00
storm-control multicast level 5.00
storm-control action shutdown
macro description MACRO-COLLAB
no lldp transmit
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber NAC-PM-GENRAL
ip dhcp snooping limit rate 20
end
Switch1#show mac address-table int Gi1/0/25
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
40 a417.9114.fd65 DYNAMIC Gi1/0/25
Total Mac Addresses for this criterion: 1
Syslog messages:
689753: .Jul 17 2024 14:42:39.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/b6d0.0402.0000/10.61.50.1/16:42:38 CEST Wed Jul 17 2024])
689756: .Jul 17 2024 14:42:40.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/b6d0.0402.0000/10.61.50.1/16:42:39 CEST Wed Jul 17 2024])
689758: .Jul 17 2024 14:42:41.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/b6d0.0402.0000/10.61.50.1/16:42:40 CEST Wed Jul 17 2024])
689761: .Jul 17 2024 14:42:43.118 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:42 CEST Wed Jul 17 2024])
689764: .Jul 17 2024 14:42:44.119 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:43 CEST Wed Jul 17 2024])
689769: .Jul 17 2024 14:42:45.120 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:44 CEST Wed Jul 17 2024])
689776: .Jul 17 2024 14:42:48.121 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:47 CEST Wed Jul 17 2024])
689780: .Jul 17 2024 14:42:49.121 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:48 CEST Wed Jul 17 2024])
689782: .Jul 17 2024 14:42:50.120 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/25, vlan 40.([a417.9114.fd65/10.61.50.42/0000.0000.0000/10.61.50.1/16:42:50 CEST Wed Jul 17 2024])
What could be going wrong here, as the host is configured to receive an IP in vlan 50 but receives an IP in vlan 40 from the DHCP server?
Thanks
07-18-2024 02:52 AM
You use dot1x, so the AAA server assigns the VLAN dynamically, and it assigned VLAN 40, not VLAN 50.
See the show mac table output.
The problem is in AAA, not in the SW.
MHM
07-18-2024 03:03 AM
Thanks @MHM Cisco World for the hint.
But this config worked fine for several years. The issue started last week only.
Also, could you elaborate a bit more regarding the AAA issue, please?
Many thanks once again!
KR,
Saurabh.
07-18-2024 03:05 AM
Show authentication interface x/x detail
See which VLAN AAA returns to the SW.
MHM
07-18-2024 03:16 AM
@MHM Cisco World: Hi, I tried running the above-mentioned command, but it wasn't accepted by the switch.
However, I tried using show authentication sessions interface:
Switch1#show authentication sessions interface Gi1/0/25
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/25 a417.9123.57fb dot1x UNKNOWN Unauth 2B146E0A000016DEC54E3B91
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
12 5 dot1xSup
8 5 dot1x
13 10 webauth
11 15 mab
Is there any other way to see which VLAN is returned from the AAA server, please?
Thanks..!!
KR,
Saurabh
07-18-2024 03:22 AM
Switch1#show authentication sessions interface Gi1/0/25 detail
07-18-2024 04:12 AM
Thanks for sharing the correct syntax.
Interface: GigabitEthernet1/0/25
IIF-ID: 0x1032269D
MAC Address: a417.9116.71ba
IPv6 Address: Unknown
IPv4 Address: 10.61.40.11 --> (vlan 40)
User-Name: a417911671ba
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Common Session ID: 2C146E0A0000064EC56618CD
Acct Session ID: Unknown
Handle: 0x9b000644
Current Policy: NAC-PM-GENRAL
Local Policies:
Service Template: NAC-ST-CRITICAL_VLAN (priority 150)
Vlan Group: Vlan: 40
Server Policies:
Method status list:
Method State
dot1x Stopped
mab Authc Failed
Indeed, the device is getting an ip in vlan 40 while the switchport is configured with vlan 50.
What are your recommended steps to get rid of this problem for good..?
Thanks..!!
KR,
Saurabh.
07-18-2024 04:25 AM
NAC-ST-CRITICAL_VLAN <<- critical VLAN?
It seems that the SW cannot connect to the AAA server.
Ping the AAA server and check,
or use the test aaa command.
MHM
07-18-2024 05:14 AM
Many thanks @MHM Cisco World .
It was indeed an issue with the ISE server. ISE licenses expired over the weekend & hence the authentication from the switches started failing.
809648: .Jul 18 2024 11:25:06.872 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (a417.9112.29df) on Interface GigabitEthernet1/0/25 AuditSessionID 041E3D0A00005B9EC596A2B2. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
809651: .Jul 18 2024 11:25:08.327 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (68ca.e474.14f0) on Interface GigabitEthernet1/0/48 AuditSessionID 041E3D0A00005B9FC596A862. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
809666: .Jul 18 2024 11:25:22.219 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (00e0.db54.ea78) on Interface GigabitEthernet1/0/34 AuditSessionID 041E3D0A00005B9AC5968C9A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
We've requested new licenses from Cisco & it should be Ok in the meantime with evaluation ones.
Many thanks once again.
KR,
Saurabh.
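Added example, not code from the thread or from Cisco: a small Python detector that parses %SESSION_MGR-5-FAIL syslog lines in the layout quoted above and alerts when "AAA Server Down" shows up on several ports within a minute, which points at a switch-wide RADIUS/ISE outage (ports dropping into the critical VLAN, as happened here) rather than a single misbehaving client. The sample log lines, MACs and session IDs are constructed; the regex only assumes the message layout shown in the post.

```python
import re
from datetime import datetime

# Constructed sample lines in the %SESSION_MGR-5-FAIL layout quoted in the thread.
# Sequence numbers, MACs and session IDs are made up; only the message layout is real.
SAMPLE_SYSLOG = """\
900001: .Jul 18 2024 11:25:06.872 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (0000.1111.2222) on Interface GigabitEthernet1/0/25 AuditSessionID 000000000000000000000001. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
900002: .Jul 18 2024 11:25:08.327 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (0000.1111.3333) on Interface GigabitEthernet1/0/48 AuditSessionID 000000000000000000000002. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
900003: .Jul 18 2024 11:25:22.219 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (0000.1111.4444) on Interface GigabitEthernet1/0/34 AuditSessionID 000000000000000000000003. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
900004: .Jul 18 2024 11:40:01.000 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (0000.1111.5555) on Interface GigabitEthernet1/0/12 AuditSessionID 000000000000000000000004. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
"""

FAIL_RE = re.compile(
    r"\.(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\.\d+ UTC: %SESSION_MGR-5-FAIL: "
    r".*?client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r".*?Authc failure reason: (?P<reason>[^.]+)\."
)


def parse_session_failures(text):
    """Return one dict per %SESSION_MGR-5-FAIL line: time, client MAC, interface, reason."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append({"time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                           "mac": m["mac"], "interface": m["intf"],
                           "reason": m["reason"].strip()})
    return events


def detect_aaa_outage(events, window_seconds=60, min_ports=3):
    """Return [(burst_start, sorted_ports)] if 'AAA Server Down' hits >= min_ports
    distinct interfaces within window_seconds (a switch-wide RADIUS outage pushing
    ports into the critical VLAN), else []. A single failing port is not flagged."""
    downs = sorted((e for e in events if e["reason"] == "AAA Server Down"),
                   key=lambda e: e["time"])
    for i, first in enumerate(downs):
        ports = set()
        for e in downs[i:]:
            if (e["time"] - first["time"]).total_seconds() > window_seconds:
                break
            ports.add(e["interface"])
        if len(ports) >= min_ports:
            return [(first["time"], sorted(ports))]
    return []


if __name__ == "__main__":
    print(detect_aaa_outage(parse_session_failures(SAMPLE_SYSLOG)))
```

Feed it `show logging` output instead of SAMPLE_SYSLOG to check whether a burst of critical-VLAN fallbacks lines up with an ISE outage.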
07-18-2024 05:16 AM
you are so so welcome
have a nice summer
MHM