02-15-2016 11:18 PM - edited 03-10-2019 12:35 AM
Hello all,
I'm currently deploying the 802.1x solution to the Cisco 3560X switches, and it will cover multi-domain 802.1x authentication with MAB and dynamic VLAN assignment. All functions are working fine, however a very strange issue has occurred. The switchport will suddenly go error-disabled due to a "new MAC address" being heard, but actually there is no action on the user side, and that "new MAC address" is similar to the IP phone MAC address. The issue has happened on different switches and ports, and the symptoms are the same. So I am pretty sure it is not someone taking an unauthorized action.
Do you guys have any idea or experience like this before? Is it a bug on switch or IP phone?
Many thanks for your help
Phone Version:
SCCP42.9-1-1SR1S
Switch Version:
15.0(2)SE8
Interface Configuration:
interface GigabitEthernet0/16
switchport mode access
switchport voice vlan 99
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event server dead action authorize vlan 999
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout server-timeout 3
dot1x timeout tx-period 1
dot1x max-reauth-req 3
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
Switch status during normal operation:
Switch#sh authentication sessions interface g0/16
Interface: GigabitEthernet0/16
MAC Address: 001e.138d.179c
IP Address: 10.10.156.95
User-Name: 001e138d179c
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 156
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8FE9500000B76C34CF590
Acct Session ID: 0x000018BB
Handle: 0xBE000B77
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
----------------------------------------
Interface: GigabitEthernet0/16
MAC Address: cc52.af4b.11dc
IP Address: 172.16.162.15
User-Name: XXXX\user1
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 162
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8FE9500000B78C3508ED5
Acct Session ID: 0x000018CB
Handle: 0x7C000B79
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Logging when the problem occurs:
Jan 19 01:00:46.408 HKT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/16, new MAC address (ac44.f212.179c) is seen.AuditSessionID Unassigned
Jan 19 01:00:46.408 HKT: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/16, putting Gi0/16 in err-disable state
Jan 19 01:00:47.498 HKT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to down
Jan 19 01:00:48.505 HKT: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down
Jan 19 01:00:57.103 HKT: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi0/16, operational port trust state is now untrusted.
02-17-2016 06:18 PM
I have not personally seen that happen. If you show the mac address table for the port when it happens, what does it report?
To me it sounds like it is a phone bug, but can't be sure. I searched the Cisco Bug database and could not find anything related to that particular problem for the 3560-X family of switches.
The code you're on is relatively new, but is not the Cisco recommended safe harbor version of 15.0(2)SE9. You could try upgrading to that version and see if the problem goes away.
07-21-2017 11:12 AM
Hello Jim,
Did you ever resolve this issue? We are seeing the same thing, very randomly and infrequently. It only seems to happen on 3750X switches and not other models.
08-27-2017 06:48 PM
Hi Menezesa,
The problem is not yet solved... I still think it is related to the IP phone bug, as before. I have upgraded the CUCM and also updated the IP phone firmware, but the issue still occurs. I will try to open a TAC case regarding this issue.
08-31-2017 01:44 AM
08-31-2017 06:35 PM
Hi Srivastava,
Thanks for your suggestion, but I don't really agree with your point. As the case is not related to any device movement, and the MAC address in the security violation is not the same as the IP phone MAC address but quite similar, I personally think the issue is caused by the IP phone itself instead of the switch side.
02-27-2018 06:38 AM
Good Day Guys,
Any progress on this issue... I got a similar one but only on 45 Series SUP8 switches.
Discussion created here:
Best regards
11-29-2018 01:08 PM
Hey JY109.
The mystery IPs that you saw, were the MAC addresses similar to your phones in THIS way?
First 8 characters of one phone...+ last 4 characters of another phone = New MAC that creates the security violation.
We are seeing this in our environment. Did you ever find a resolution for yours?
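As an added triage example (my own script, not code from anyone in this thread or from Cisco), the following parses the AUTHMGR-5-SECURITY_VIOLATION syslog lines shown in the original post against the MACs already authenticated on the port (from "show authentication sessions") and reports whether the "new" MAC is a near-miss of an existing session MAC (shared last 4 or first 8 hex digits, or the spliced prefix+suffix pattern asked about just above) or an unrelated host. The syslog sample and session table are constructed from the thread's output.

```python
import re

# Constructed sample syslog, modelled on the lines posted in this thread.
SYSLOG = """\
Jan 19 01:00:46.408 HKT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/16, new MAC address (ac44.f212.179c) is seen.AuditSessionID Unassigned
Jan 19 01:00:46.408 HKT: %PM-4-ERR_DISABLE: security-violation error detected on Gi0/16, putting Gi0/16 in err-disable state
Jan 20 09:12:03.001 HKT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/17, new MAC address (0011.2233.4455) is seen.AuditSessionID Unassigned
"""

# Constructed per-port table of authenticated MACs and their domain
# (what "show authentication sessions interface ..." reports).
SESSIONS = {
    "GigabitEthernet0/16": {"001e.138d.179c": "VOICE", "cc52.af4b.11dc": "DATA"},
    "GigabitEthernet0/17": {"001e.138d.2a10": "VOICE", "aabb.ccdd.eeff": "DATA"},
}

VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface (\S+), "
    r"new MAC address \(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) is seen"
)

def parse_violations(text):
    """Return (interface, new_mac) for every security-violation line in the syslog text."""
    found = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def classify(new_mac, known):
    """Compare the violating MAC with the MACs already authorised on that port.
    Returns (verdict, hits): 'near-match' when the new MAC shares its first 8 or last 4
    hex digits with one session MAC, 'spliced' when the prefix comes from one session
    and the suffix from another, 'unrelated' when nothing overlaps (a real new host)."""
    n = new_mac.replace(".", "")
    hits = []
    for mac, domain in known.items():
        k = mac.replace(".", "")
        if k == n:
            return "already-authorized", [(mac, domain, "exact")]
        if k[:8] == n[:8]:
            hits.append((mac, domain, "prefix"))   # same OUI plus next two digits
        if k[8:] == n[8:]:
            hits.append((mac, domain, "suffix"))   # same last four hex digits
    if not hits:
        return "unrelated", hits
    if {h[2] for h in hits} == {"prefix", "suffix"}:
        return "spliced", hits
    return "near-match", hits

def triage(syslog_text, sessions):
    """Attach a verdict to each violation so an operator can separate phone look-alikes from new hosts."""
    return [(iface, mac) + classify(mac, sessions.get(iface, {}))
            for iface, mac in parse_violations(syslog_text)]
```

A near-match or spliced verdict on a port with no cabling change is the signature this thread describes; an unrelated verdict deserves the usual unknown-device investigation.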
12-18-2018 07:56 PM
Guys, in the end I didn't contact Cisco TAC to follow up on this issue, as I left that company during that time... Did you try upgrading the switch IOS?