ACS - reject on failure instead of dropping packets

Hello,
We are currently having an issue with ACS when using PKI authentication with an Alcatel SR router. The following error occurs:
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Test Service - Radius
11021  RADIUS could not decipher password. packet missing necessary attributes
11021  RADIUS could not decipher password. packet missing necessary attributes
The problem is that the SR router sends a packet which does not comply with any of the RADIUS authentication protocols (EAP, PAP, CHAP, ...).
As a consequence, the packet gets dropped, no response is sent back to the router and the RADIUS status in the router is set to "down". Is there a way to configure ACS to send a reject message in case such a packet is received? I know that there is such a setting for identity policies but the process already fails before an identity policy is chosen...
Please note that the PKI authentication is just needed for local users on the router. As the priority is 1.) Radius 2.) Local (we need this priority), the request is sent to ACS although RADIUS PKI is not yet supported by the device. 
Thx in advance

ACS doesn't reply with "Access-Reject" for request sent without user/pw
CSCuc93503
Description
Symptom:
RADIUS Request dropped : 11021 RADIUS could not decipher password. packet missing necessary attributes
The message is presented in logs, however nothing is sent back to a client.
Conditions:
Cisco ACS 5.x version
Workaround:
Correct the client, so it will not generate RADIUS requests without user or password fields.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact [email protected] for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
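
One way to find which client is sending the requests described in this bug, as an added example (not part of the original thread and not Cisco's code): a Python parser that reads a RADIUS packet and reports whether an Access-Request carries any credential attribute. It assumes the check behind error 11021 corresponds to the RFC 2865 / RFC 3579 requirement for User-Password, CHAP-Password, State or EAP-Message; the function names and the sample packets are constructed for illustration.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
NAS_IP_ADDRESS, STATE, EAP_MESSAGE = 4, 24, 79

# Attributes that carry (or continue) an authentication exchange.
# RFC 2865 section 4.1 requires User-Password, CHAP-Password or State;
# RFC 3579 adds EAP-Message. Vendor-specific methods (attribute 26) are
# not decoded here. Mapping this to ACS error 11021 is an assumption.
CREDENTIAL_ATTRS = {
    USER_PASSWORD: "PAP",
    CHAP_PASSWORD: "CHAP",
    STATE: "State",
    EAP_MESSAGE: "EAP",
}


class MalformedPacket(ValueError):
    """Raised when header or attribute lengths are inconsistent."""


class Verdict(NamedTuple):
    identifier: int
    user_name: Optional[str]
    methods: List[str]
    problem: Optional[str]


def parse_attributes(packet: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Return (code, identifier, [(type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise MalformedPacket(f"header length {length} does not fit {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:  # bytes after the header length are padding and ignored
        if pos + 2 > length:
            raise MalformedPacket("attribute header runs past end of packet")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise MalformedPacket(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, packet[pos + 2 : pos + a_len]))
        pos += a_len
    return code, identifier, attrs


def classify(packet: bytes) -> Verdict:
    """Report which authentication methods a request carries, and any defect."""
    code, identifier, attrs = parse_attributes(packet)
    present = {a_type for a_type, _ in attrs}
    name = next((v.decode("utf-8", "replace") for t, v in attrs if t == USER_NAME), None)
    methods = [CREDENTIAL_ATTRS[t] for t in sorted(present & CREDENTIAL_ATTRS.keys())]
    problem = None
    if code != ACCESS_REQUEST:
        problem = f"code {code} is not an Access-Request"
    elif not methods:
        # The case from the thread: nothing for the server to verify.
        problem = "no password/CHAP/EAP/State attribute"
    elif {USER_PASSWORD, CHAP_PASSWORD} <= present:
        problem = "both User-Password and CHAP-Password present"
    return Verdict(identifier, name, methods, problem)


def build_packet(code: int, identifier: int, attrs) -> bytes:
    """Assemble a constructed sample packet (all-zero authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


# Constructed samples, not captures from the thread.
NO_CREDENTIAL = build_packet(
    ACCESS_REQUEST, 7, [(USER_NAME, b"admin"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]
)
PAP_REQUEST = build_packet(
    ACCESS_REQUEST, 8, [(USER_NAME, b"admin"), (USER_PASSWORD, bytes(16))]
)

if __name__ == "__main__":
    for sample in (NO_CREDENTIAL, PAP_REQUEST):
        print(classify(sample))
```

Run over the UDP payloads of a capture taken in front of the RADIUS server, the verdicts with a non-empty `problem` point at the client and user name that need correcting, which is the workaround the bug entry gives.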

Similar Messages

  • Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.

    Hi,
    Can anyone explain this error and what is a stray Segment with the IP ident 46866. I can't seem to find this error on the Cisco web site the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. Can't seem to find any other errors apart from this one.
    %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
    Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
    If anyone could help or point me in the right direction that would be great. Failing that I'm jumping off this building.
    Ta
    Jim

    This may help:
    Caveat "CSCsj30582"
    http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html
    Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.
    Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.
    For example:
    class-map type inspect match-any cm-esp
     match access-group 100
    policy-map type inspect in2out
     class type inspect cm-esp
      pass
    access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
    access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
    Workaround: Configure the access list so that the source is "any", for example:
    access-list 100 permit esp any host 10.1.1.2
    access-list 100 permit esp any host 10.0.0.2
    First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".
    Further Problem Description: If an explicit deny rule is added to the above example, for example:
    access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
    access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
    access-list 100 deny esp any any
    Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:
    Router# show access-lists 100
    Extended IP access list 100
        10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches)
        20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches)
        30 deny ip any any (1 match)

  • High CPU Usage / Dropped Packets - Switch Blade WS-CBS3120X-S

    Hi all,
    I have a couple of Switches Blade 3120, working as active-standby model (HSRP) on a new site deployment. There are other 20 sites more or less, working on the same model, without issues. But in this one, we are seeing a high cpu usage. The traffic going through the platform is 600Mbps (on peaks), and in this case we have 40% of CPU usage. Traffic should be close to 3 Gbps. When we tried to send the whole traffic through the platform, active switch began to drop packets on the majority of interfaces.
    When we analyze the CPU usage, there is a special process called "HL3U bkgrd proce" that always has the most CPU use, but we do not know what it concerns. We do not know if it is caused because there are PBRs configured. It should not matter. As I mentioned, there are other sites working fine and have had always the same PBR number.
    Could you guys help us? Any idea what is causing the high usage? Is there a special debug we could perform to diagnose the issue? Also, we have seen a high interrupt CPU usage (9% in this case).
    Find attached the whole diagnosis outputs.
    Thanks for your assistance guys.
    Cheers,
    Juan Pablo
    bog-sib-INT-rtr-1#show processes cpu sorted 5sec
    CPU utilization for five seconds: 30%/9%; one minute: 25%; five minutes: 23%
    PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
    157   140004809   107071220       1307 14.24% 10.19%  9.01%   0 HL3U bkgrd proce
    119     6860957     1519183       4516  0.79%  0.59%  0.53%   0 hpm counter proc
    166     2511492      302802       8294  0.15%  0.15%  0.15%   0 HQM Stack Proces
    199     4182906    15255882        274  0.15%  0.21%  0.20%   0 IP Input        
    357      237531      782101        303  0.15%  0.03%  0.00%   0 IP SNMP         
    186         101         148        682  0.15%  0.09%  0.02%   1 Virtual Exec    
    242       63071     2330717         27  0.15%  0.02%  0.00%   0 CEF: IPv4 proces
      12      163754      620353        263  0.15%  0.01%  0.00%   0 ARP Input       
       9           0           2          0  0.00%  0.00%  0.00%   0 License Client N
       8          41        1827         22  0.00%  0.00%  0.00%   0 WATCH_AFS       
      11          50           4      12500  0.00%  0.00%  0.00%   0 Image License br
       7           0           2          0  0.00%  0.00%  0.00%   0 Timers          
    bog-sib-INT-rtr-1#sh ip cef summary
    IPv4 CEF is enabled for distributed and running
    VRF Default
    119 prefixes (119/0 fwd/non-fwd)
    Table id 0x0
    Database epoch:        2 (119 entries at this epoch)

    Hi Leolaohoo,
    I had not played with this one too !!!!...
    1). IOS version (It was recently updated)
    bog-sib-INT-rtr-1#sh ver
    Cisco IOS Software, CBS31X0 Software (CBS31X0-UNIVERSALK9-M), Version 12.2(58)SE1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 05-May-11 04:08 by prod_rel_team
    ROM: Bootstrap program is CBS31X0 boot loader
    BOOTLDR: CBS31X0 Boot Loader (CBS31X0-HBOOT-M) Version 12.2(0.0.951)SE3, CISCO DEVELOPMENT TEST VERSION
    bog-sib-INT-rtr-1 uptime is 2 weeks, 3 days, 17 hours, 14 minutes
    System returned to ROM by power-on
    System restarted at 00:59:27 UTC Sat Jun 9 2012
    System image file is "flash:cbs31x0-universalk9-mz.122-58.SE1.bin"
    2). What interface do you want to see? Do you want to see all interfaces? This switch has 16 interfaces that connect servers, and other going to our client. Below, the state of the two kinds of interfaces:
    Interface to Client (Bearer)
    TenGigabitEthernet1/0/1 is up, line protocol is up (connected)
      Hardware is Ten Gigabit Ethernet, address is 001f.275d.d81b (bia 001f.275d.d81b)
      Description: BearerNContent_Aggregrate
      MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 10/255, rxload 14/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 10Gb/s, link type is auto, media type is 10GBase-LR
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 2w3d, output hang never
      Last clearing of "show interface" counters 07:07:56
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 562469000 bits/sec, 83641 packets/sec
      5 minute output rate 430500000 bits/sec, 73141 packets/sec
         2020563158 packets input, 1739897855828 bytes, 0 no buffer
         Received 13257 broadcasts (13257 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 13257 multicast, 0 pause input
         0 input packets with dribble condition detected
         1745065310 packets output, 1347244137726 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    Interface to Server
    GigabitEthernet1/0/8 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 001f.275d.d808 (bia 001f.275d.d808)
      Description: bog-15
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 15/255, rxload 12/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:00:17, output hang never
      Last clearing of "show interface" counters 07:09:12
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 19418
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 47705000 bits/sec, 7155 packets/sec
      5 minute output rate 58897000 bits/sec, 8011 packets/sec
         178178750 packets input, 153802177226 bytes, 0 no buffer
         Received 4091 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         0 input packets with dribble condition detected
         212233312 packets output, 206621942776 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    Thanks for your help. I am losing my hair with this issue.
    Cheers,
    Juan P.

  • Dell 2650 drops packets? B57 issues?

    In a flashback to the heady days after the dot-com bust....
    I have a new work assignment at a school that runs 3 Dell 2650's and 2 Dell
    2850 in a Novell cluster (6.5 sp 6).
    The three 2650's are having trouble w/ dropping packets -- average about 3%
    or more on a 1000 ping trial. Obviously, this is playing havoc at point, or
    at least, seeming like ghosts live in the machines.
    Are there known issues w/ the B57.lan drivers, version 9.45, June 30, 2006,
    on the 2650?
    thanks!
    Tim Wohlford

    > I have a new work assignment at a school that runs 3 Dell 2650's and 2 Dell
    > 2850 in a Novell cluster (6.5 sp 6).
    >
    > The three 2650's are having trouble w/ dropping packets -- average about 3%
    > or more on a 1000 ping trial. Obviously, this is playing havoc at point, or
    > at least, seeming like ghosts live in the machines.
    >
    > Are there known issues w/ the B57.lan drivers, version 9.45, June 30, 2006,
    > on the 2650?

    We are running hp-compaq's running q57, which is a rebranded b57 driver,
    without a glitch for years.
    Versions are 8.65 in production, and 10.02 in the test environment.
    Keep in mind that depending on the switch you are connected to, in case of
    a 100Mb connection, you may have to set the NIC as well as the switch to
    100Mb FD at both sides instead of auto.

  • Equium M40X - slow internet dropped packets

    I'm using wi-fi and my pc keeps dropping packets every so often (and also does when connected via LAN) making my internet connection a bit slow.
    I have had my wifi router changed and it's still doing it.
    Thought about upgrading BIOS and wireless driver here but it's too risky, long winded and may not cure it anyway.
    My gut feeling is some process is kicking in every so often and slowing things down (my mouse movements sometimes freeze for a few secs).
    I have AVG antivirus installed, have run scan and no viruses found.
    I've defragged and run registry cleaner.
    Any ideas I can try to find what's causing it. cheers

    Hi
    I don't know if it's really a problem!
    I use WiFi very often and I have noticed a similar issue.
    But it really depends on the website and on the server which I connect to.
    However, the WLAN driver update should be done first to check if this could sort the WiFi issue, but to be honest I'm not sure if this is a WLAN problem due to the fact that this also happens while using the LAN.
    I think you should check if Windows updates are possible and available.
    If a new BIOS version is available, check if the BIOS update helps.
    Using a firewall could have a bad influence on the transmission too!

  • ISG: Service with traffic policing counts dropped packets.

    Hello,
    Our company has a router Cisco 7304 NPEG100. ("show version" at the bottom of this message). We are planning to start ISG services at this router, but there is a bug CSCei4190. When I set traffic policing in service, accounting in this service counts packets that have been dropped by traffic policing.
    Here is example of my definition of service in RADIUS:
    User-Name = 'Internet-Service'
    Cisco-AVPair += "ip:traffic-class=in access-group 2000 priority 10"
    Cisco-AVPair += "ip:traffic-class=out access-group 2001 priority 10"
    Cisco-AVPair += "ip:traffic-class=in default drop"
    Cisco-AVPair += "ip:traffic-class=out default drop"
    Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
    Cisco-AVPair += "accounting-list=ISG_ACCT"
    Cisco-Service-Info += "QU;256000;D;512000"
    Acct-Interim-Interval += '60'
    When I remove Cisco-Service-Info += "QU;256000;D;512000" from the service definition, all traffic is counted correctly.
    I did not find in Bug Details which version of IOS I should use in my 7304 router where this bug is fixed.
    Cisco IOS Software, 7300 Software (C7300-A3JK91S-M), Version 12.2(31)SB17,  RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 30-Oct-09 12:35 by vpernank
    ROM: System Bootstrap, Version 12.2(22r)S, RELEASE SOFTWARE (fc1)
    BOOTLDR: 7300 Software (C7300-BOOT-M), Version 12.2(20)S6, RELEASE SOFTWARE (fc4)
    7304 uptime is 17 hours, 24 minutes
    Uptime for this control processor is 17 hours, 24 minutes
    System returned to ROM by reload at 06:22:24 TSK Wed Feb 23 2005
    System restarted at 18:46:54 TSK Mon Mar 22 2010
    System image file is "disk0:c7300-a3jk91s-mz.122-31.SB17.bin"
    cisco 7300 (NPEG100) processor (revision B) with 983040K/65536K bytes of  memory.
    SB-1 CPU at 800Mhz, Implementation 0x401, Rev 0.2, 512KB L2 Cache
    4 slot midplane, Version 67.49
    Last reset from software reset or reload
    4 FastEthernet interfaces
    3 Gigabit Ethernet interfaces
    1021K bytes of non-volatile configuration memory.
    62592K bytes of ATA compact flash in bootdisk (Sector size 512 bytes).
    125952K bytes of ATA compact flash in disk0 (Sector size 512 bytes).
    Configuration register is 0x2102

    I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs.  Here's an example of one that does make it through:
    5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transitclass WB-Browsing
    I am not allowing all the traffic across the box.  The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone.  That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
    And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
    Any other suggestions?
    -Mat

  • AEBS; Poor throughput, Dropping Packets(Wired or Not)

    I have an AEBS that was purchased in 2007.
    So very recently I started noticing very poor network performance.  Throughput to the internet was horrible, around 2mbps at times.  Power cycling the AEBS would make it be ok for a while... about 9-10Mbps.  However I usually was getting around 20mbps even when using wifi.  This was wired!!!
    Also, I noticed that packets were dropping.  Anywhere from 1.5-4% packet loss when doing 1,000 pings to google.com.  I thought for sure it was my internet connections... but it's not
    When wired directly to the cable modem, no dropped packets over several days.  Ping response is 5-10ms better.  Also speeds are back at their max.
    I have an old Westell 7501 router, and that as well is performing stellar over wifi and wired.  Speedtests from wired connections are just under the speed when using the modem only, and even speedtests to my iDevices is near identical.
    I've tried resetting the router to default, but I immediately start dropping packets, even when using wired.
    Just thought I'd post here and see if there's anything I can try to resurrect this thing, or if it's officially done.  I really don't feel like dumping $180 on a new AEBS.  Thinking about doing dd-wrt on something.

    The first thing I would recommend that you do is to verify if the issue is data throughput performance on the local network OR on the WAN-to-LAN interface across the AEBS itself.
    To test the local network throughput performance, I would recommend a free utility, like AJA System Test. You would use it to test throughput between the System Test host device and another device on the local network. If after running a series of these tests using network connected devices that are connected by both wire or wireless, you should get a basic idea of the overall throughput performance of your local network. If all appears well here, we can go on to testing the WAN-to-LAN interface. Please post back your results for the local network tests.

  • Dropped packets between Catalyst 3550 & Windows 2000

    I have a test network set up - with a 3550 switch, with a couple of Vlans configured.
    I have a Windows XP laptop & desktop connected - all is ok.
    If I connect up any Windows 2000 laptop/desktop then I find I get a connection but I find that I'm dropping packets....at about 10% when pinging devices on other networks.....or pinging devices on the same vlan.
    This is not a port issue or cabling issue ......it seems to be related to the Operating system in some way. I've tried changing the duplex & speed at both ends....same result.
    Any input is welcome !

    I know this sounds odd.....but I have tried all settings of duplex & link speed between the switch & the W2K machines......if I place an XP machine on this same port then it works fine.
    The fact that XP works means the cabling is ok.
    I guess I'll update the nic drivers see what that brings....and maybe look at an IOS upgrade on the switch - currently 12.1 (22) EA5
    With two XP machines & one W2K machine on the switch - pinging from W2K to XP results in dropped packets......of approx 10% - between the two XP machines is ok. When pinging from either XP to the W2k - "Request timed out"

  • IP dropped packets

    Hi,
    Doing a "show IP traffic" to a Cisco 6K switch, I encountered a lot of "no route" and "encapsulation failed" IP dropped packets. (a little less than 10%)
    I was wondering if someone knew what these 2 categories stood for ?
    I mean, have you got an example of packet that would be put in that category ?
    Thanks,
    Romain PAGE

    Hi Romain,
    Encapsulation failed usually indicates that the router had no ARP request entry and therefore did not send the datagram. An example situation is when there is asymmetric routing and the ARP table and MAC address table is disjointed due to different aging times in these tables. You may see a number of incomplete entries in the output of "show ip arp"
    No route is counted when the Cisco IOS software discards a datagram it did not know how to route.
    A couple of examples when this can occur is if there is no route for a given subnet and there is no default route configured on the router, or the subnet in a packet that can't be routed due to its default gateway being down.
    Documented here:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt1/1rdip.htm#wp1020634
    HTH,
    Bobby
    Please rate helpful posts

  • Sg-300 52 dropping packets

    I have a sg300-52  in layer 3 mode.  I have 2 Dell access switches that connect to the sg300 in 4 port LAGs each.  Connectivity works as expected.
    Servers are on their own VLAN, and plugged directly into the sg300. 
    When somebody starts a file copy from their client workstation off a file server, the server VLAN drops everything except
    for the file copy.  Even drops packets on its own vlan, (server to server communication) until the file copy is complete. 
    Seems like the VLAN is rate limited somehow.  Anybody ever experience this?
    -Matt

    Hi Matt,
    Sure would be interesting to know, if you wish to dig deeper into the problem,
    1.  If you are using the most current version of firmware ?
    2.  Network topology Diagram showing what ports are connected to what devices ?
    3. An attached capture of the command  "show tech"  in an attached notepad (text) document.
    I wonder what would happen if you directly connected one client to the SG300  and tried the transfer again?
    But at this stage could offer much of a guess as I'm flying with a blindfold on.
    regards Dave

  • SG500X Dropped packets

    I have been having issues for a long time with the SG500X units. I keep getting many "Drop Events", or dropped packets (as seen in the attachment). There are no real "errors" or issues that I can see otherwise. I have 2 stacked SG500X-48 port switches connected with 10GB cables. I have 13 different LAG groups that span the 2 switches (8 are down-links to SG200 switches for clients). I have 2 physical vmware boxes, and 1 SAN connected with 10GB cables. I have one main physical server that almost everyone accesses to connect to a foxpro database. The drops happen on the highest utilization ports, especially the physical server that is running foxpro. There are about 100 users total (connected to the SG200's).
    Any ideas? I have gone through the configurations multiple times with Cisco, and with others. But no change. I have tried everything to correct.

    Hi Aleksandra,
    Thank you for replying. Boot version is 1.3.7.01, and firmware is 1.3.7.18.
    I know there is a newer version, but I have applied about 5 new firmware versions over the last 2 years to try to fix this. I will upgrade soon, but it is a bigger process now that SAN and vmware boxes are tied together over these switches.
    EDIT: Of note is that the drops are on the highest utilization ports (vmware, SAN, and a very busy server hosting a foxpro database). We have been thinking it is a buffer issue on the switch (whether a switch issue or us exceeding its capacity, though not sure how), but have not been able to confirm that.
    Mike

  • Buyer mistakenly rejected the bid instead of publishing it, how can publish

    Teja,
    Buyer mistakenly rejected the bid instead of publishing it, how can publish the same against PO
    pavan

    Hi Pavan,
    I didn't get what exactly you meant by rejecting the bid.
    As per my understanding you want to say that the buyer has deleted the bid invitation instead of publishing the bid invitation.
    Only the bid invitations are published. In such a case you can create the new bid invitation by copying the deleted bid invitation.
    In case what you mean by rejecting all the bids by the buyer instead of accepting the best bid, the only way is to call another set of bids from all the bidders by clicking on "Inform bidder and send back bids" button under the Bidder / bids tab of the header data.
    The bidders can send their corrected / changed bids once again for comparison, then you can compare the bids and accept the best bid.
    Later you can create either contract / P.O based on your requirement.
    Hope this makes you clear. Clarifications are welcome.
    Please don't mention any specific names while addressing queries in the open forums as others may want to answer.
    In case of some specific queries you can also send those queries to my mail i.d [email protected]
    Rgds,
    Teja

  • Odd "dropped packet" messages in router logs

    I get the following msgs, they happen repeatedly, every 8 seconds or so.
    [INFO] Thu Jul 09 23:12:41 2009 Dropped packet from 169.254.1.150 to 169.254.1.255 (IP protocol 17) as unable to create new session
    [INFO] Thu Jul 09 23:12:37 2009 Dropped packet from 169.254.1.167 to 169.254.1.255 (IP protocol 17) as unable to create new session
    [INFO] Thu Jul 09 23:12:34 2009 Dropped packet from 169.254.1.41 to 169.254.1.255 (IP protocol 17) as unable to create new session
    I do not understand what this is referring to. Does anyone have ANY idea what the heck this could be -- and how to fix it?
     Thanks

    Try running the Verizon optimizer. Most optimizers improve settings for your download speeds, but, as far as I know, Verizon's is the only one that improves your settings for upload. The optimizer may also fix the issue of the dropped packets.
    cjacobs001

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
    I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
    and ISE 1.3 version..
    MAB authentication is working perfectly at ISE end.. but while seeing the same at switch end.. I am seeing switch is dropping packet on some ports..
    while some ports are working perfectly..
    Same switch configuration is working perfectly on another switch without any issue..
    Switch configuration for your suggestion..!!
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
    tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
     login authentication ACS
     transport input ssh

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    First thing to check is whether MAR has been enabled on the identity source. Second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
    Log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.

  • Dynamic Mapping to ACS groups using OU instead of NT group

    Is there a way to use the Microsoft AD OU groups instead of using the old NT groups to dynamically map users to the ACS groups? We are using ACS server at vers 3.2 as well as some test server on 3.3.

    Cisco Secure ACS for Windows Servers 3.2 only supports two versions of the Windows 2000 operating system
    1)Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
    2)Windows 2000 Advanced Server, with the following conditions:
    with Service Pack 3 or Service Pack 4 installed
    without Microsoft clustering service installed
    without other features specific to Windows 2000 Advanced Server enabled
