You could probably use your logging solution to graph connections, i.e. Splunk or Kibana, etc. You would just need to figure out the login log and disconnect log. I know I've searched in Kibana to see logins before so if you have done any graphs in one of those tools, it should be straight forward. That being said, the functionality you are looking for does not exist to my knowledge. Thanks, Alex
... View more
Did you try any other methods besides 802.11r? https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html I have had some luck with CCKM and you should look into opportunistic key caching.
... View more
I had a couple of questions regarding authentication periodic. If you do not have authentication periodic configured on a switch port, does that mean a device will only have to authenticate 1 time until the inactivity timer expires? Would it be a bad practice to only authenticate devices 1 time?
... View more
I ended up rebuilding one of the ISE policy nodes with the correct size hard drive. Over time, we have done some upgrades and the hard drive requirements went from 200 to 300 GB.
... View more
Thanks for the reply. I actually did some reporting on the ISE policy nodes that are being marked as dead and they are actually going offline at 6:00 AM. The reports show that the server latency spikes to over 5 seconds at that time. Since the latency is checked only 1 every hour, I believe that some type of process is happening at 6:00 AM causing the issue on the Radius servers. I opened a TAC case and I will update this thread when it is resolved.
... View more
We have an issue where a 2960x is marking our ISE Policy nodes down at 6:00 AM every morning. There may be a handful of other switches doing this as well. It would not make sense for the ISE policy nodes to be down. Has anybody had a similar issue where the policy nodes actually stopped responding or does this sound like a switch bug? I do think it could be ISE related because it happens near the same time every morning. The 2960x is running 15.02a(EX5). RADIUS-3-ALLDEADSERVER: Group ISE_RADIUS: No active radius servers found. Id 88
... View more
I agree with Charlie. We have a medium/large deployment and have successfully deployed to multiple international locations with latency up to 250 ms. 300 ms is the same time we used when planning. We have ran 2 upgrades and multiple patches and they have all worked even over relatively low bandwidth (10 Mbps). You can also use Cisco Live slide decks for planning purposes.
... View more
It looks like seeing these drops are normal traffic on the network. I have not been able to find any additional information other than that I have multiple firewalls and there are a lot of drops for nat-no-xlate-to-pat-pool.
... View more
We just ran into the exact same or very similar problem. We had 4 switches go down near the exact same time. We are going to work with Cisco on a TAC case. Did you ever find a bug or specific command that was causing the problem?
... View more
I was wondering if it is normal to have millions of drops for the below asp drop. I have a situation where an internet firewall has 34 million over 5 days. I have multiple other firewalls that have a lot less traffic on them and they do have millions of drops over significantly longer periods of time. Is there anything I should look at? One comment would be that the traffic looks like legitimate return traffic from public web servers. Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool)
... View more
Figured out the solution. ISP was blocking traffic to that port on 80 and 443. I believe they were also blocking one other port. Here is some more info: 1. It was possible to ping the IP address on the outside. 2. Wireshark capture showed no response on 80 or 443. 3. Switching to a different outside IP address worked. 4. Changing to a different port worked as well. The IT manager on sight contacted the ISP and sure enough, they were blocking it. It has to do with the domain not being registered to the specific IP address. We may even have to change our URL to a different domain that we have physically in that location.
... View more
.jpg "VIP Advocate"){kind=icon}
