Mac-auth-bypass fails MAC: 0000.0000.0000
I have an old JetDirect that doesn't support 802.1x. I have enabled MAB on the port where it connects, but for some reason MAB fails. I enabled dot1x debug and will paste the output in a few here. I know my dot1x config is good; I have clients authenticating via RADIUS to my ACS server. I also have another port using MAB, not a JetDirect though, and both ports are configured identically. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? This is a 3750 with 12.2(44)SE2. I've tried to shut/no shut the interface and reset the JetDirect; nothing seems to work. I see no requests on my ACS server for this device's MAC address.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
interface FastEthernet2/0/31
description A002 White
switchport access vlan 112
switchport mode access
switchport voice vlan 800
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode restrict
dot1x timeout tx-period 2
dot1x timeout supp-timeout 10
spanning-tree portfast
spanning-tree bpduguard enable
012729: May 5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012730: May 5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
012731: May 5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May 5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
012733: May 5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May 5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
012735: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
012736: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
012737: May 5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
012738: May 5 14:51:33.727: dot1x-ev:FastEthernet2/0/31:Sending EAPOL packet to group PAE address
012739: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May 5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
012742: May 5 14:51:33.727: EAPOL pak dump Tx
012743: May 5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
012744: May 5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
012745: May 5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May 5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
012748: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012749: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
012750: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
012754: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May 5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
012756: May 5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
012757: May 5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
012760: May 5 14:51:35.791: dot1x_auth_mab : initial state mab_initialize has enter
012761: May 5 14:51:35.791: dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
012762: May 5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
HQ_1stFlr_3750#sh dot1x int fa2/0/31 det
Dot1x Info for FastEthernet2/0/31
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
Violation Mode = RESTRICT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 10
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 2
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled (EAP)
Inactivity Timeout = None
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
Is this JetDirect card using DHCP to get an IP address? If not, then the JetDirect will not generate any outbound traffic for the switch to authenticate. To test this, use the front panel of the printer to send out a ping packet and see if that triggers the MAB.
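A small triage script for the symptom discussed in this thread, added here as an example (it is not code from the posters or from Cisco). It reads dot1x debug lines, tracks the last state of each state machine, and reports when MAB is parked in mab_acquiring while the only MAC seen is the placeholder 0000.0000.0000. The sample lines are copied from debug output quoted on this page; the function and field names are assumptions of the example.

```python
import re

# Both samples are copied from debug output quoted on this page.
# STUCK: the JetDirect port from the first post.
STUCK = """\
012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012748: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012757: May 5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012761: May 5 14:51:35.791: dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
012762: May 5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
""".splitlines()

# CLIENT_SEEN: the 3750X port from a later post, where the laptop sent EAPOL.
CLIENT_SEEN = """\
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
""".splitlines()

NULL_MAC = "0000.0000.0000"   # what the switch prints before it knows the client
TRANSITION = re.compile(r"@@@ (\w+)\s*[\w/]*\s*:\s*(\w+)\s*->\s*(\w+)")
EVENT = re.compile(r"got event \d+\((\w+)\)")
MAC = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
TS = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d{3})")


def _ms(line):
    """Time of day in milliseconds from the IOS timestamp, or None."""
    m = TS.search(line)
    if not m:
        return None
    h, mi, s, ms = map(int, m.groups())
    return ((h * 60 + mi) * 60 + s) * 1000 + ms


def analyze(lines):
    """Summarise dot1x/MAB debug lines (a capture crossing midnight is not handled)."""
    states, events, macs = {}, [], set()
    acquiring_since = last_seen = None
    for line in lines:
        now = _ms(line)
        if now is not None:
            last_seen = now
        macs.update(m.lower() for m in MAC.findall(line))
        ev = EVENT.search(line)
        if ev:
            events.append(ev.group(1))
        tr = TRANSITION.search(line)
        if tr:
            machine, _old, new = tr.groups()
            states[machine] = new            # remember the last state entered
            if machine == "dot1x_auth_mab":
                acquiring_since = now if new == "mab_acquiring" else None

    learned = sorted(macs - {NULL_MAC})
    waited_ms = None
    if (states.get("dot1x_auth_mab") == "mab_acquiring"
            and acquiring_since is not None and last_seen is not None):
        waited_ms = last_seen - acquiring_since

    findings = []
    if "eapTimeout" in events and states.get("dot1x_auth") == "auth_fallback":
        findings.append("802.1X got no EAPOL reply and fell back")
    if waited_ms is not None and not learned:
        # Matches the reading in the thread: the device has sent no frame
        # from which the switch could learn a source MAC.
        findings.append("MAB still in mab_acquiring: no source MAC learned")
    return {"states": states, "events": events, "learned_macs": learned,
            "mab_wait_ms": waited_ms, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("STUCK", STUCK), ("CLIENT_SEEN", CLIENT_SEEN)):
        result = analyze(sample)
        print(name, result["learned_macs"], result["mab_wait_ms"], result["findings"])
```

On the first post's lines this reports both findings and a wait of about 93 seconds in mab_acquiring, which fits the observation that no request for the device ever reached the ACS server.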
Similar Messages
-
Hello,
we want to use standalone mac authentication bypass (with freeradius).
Yesterday we tested it with a catalyst 3750 IOS 12.2(35) and it was working fine! The config on an interface looked like that:
(config-if)switchport mode access
(config-if)authentication port-control auto
(config-if)mab
(config-if)spanning-tree portfast
Today we tried to do the same with a catalyst 2960 IOS 12.2(44). I want to configure the interface like on the 3750, but I can't.
Every time I write the command "dot1x mac-auth-bypass" (I think this is the corresponding command to "mab") the switch automatically configures "dot1x pae authenticator" and "dot1x violation-mode protect" on the interface. So it looks like this:
interface GigabitEthernet0/1
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode restrict
spanning-tree portfast
If I configure "no dot1x violation-mode protect" the switch accepts the command, but it doesn't remove the entry from the interface.
If I configure "no dot1x pae authenticator" the switch removes the whole config from the interface except "switchport mode access" and "spanning-tree...".
I don't understand what the problem is. Is it not possible to use MAC authentication bypass without dot1x (-> pae command) and violation-mode in this IOS version?
The violation-mode avoids the contact to the radius server. :-(
Thank you for your help.
Greetings Lydia
Hey,
1. Does somebody know if you can use standalone MAB with dot1x guest vlan?
I tried it and the guest vlan was not set. Is it required to configure dot1x with the shortest timeout, so that MAB is starting fast and if it fails, there is the guest vlan.
2. In the config guide there is a sample configuration for standalone MAB. I'm wondering why they configure "switchport access vlan 40". In what situation does this take effect? Is it like the guest vlan? So, if MAB fails, the port is configured with vlan 40?
interface FastEthernet2/48
switchport access vlan 40
switchport mode access
authentication port-control auto
mab
spanning-tree portfast
spanning-tree bpduguard enable
Greetings Lydia -
Bypass failed PAV (power analog video) to use external monitor?
"Patient" is a 7+ year old iMac DV 400 (CRT; slot-loading). It fails to start up. The LED in the power button lights briefly, it sounds as if the hard drive starts to spin up, and small patches of light appear in the upper and lower corners of the right side of the screen. Prior to this status, the display had been reduced in brightness for a couple of months. The day before it died, the image on the screen started pulsing at the sides and horizontal streaks flashed across the upper third of the image. I shut the machine down for half an hour then restarted and it was back to normal. The next day, the pulsing and lines returned; shut down and tried to restart in 1.5 hours, but no go (symptoms above).
I replaced the 3.6V lithium battery and reset the PMU/CUDA. No change. I am told that the symptoms are characteristic of a failed PAV board. I read in another thread here ( http://discussions.apple.com/thread.jspa?messageID=3110595 ) that it may be possible to bypass the failed PAV and connect an internal cable (via an adapter) display (i.e., not using the existing external VGA port). Here is a quote from the above thread (12th reply): "However, for those of us with tray-loaders iMacs that have failed video boards, you can simply disconnect the internal video connector. This connector is essentially a "VGA" cable inside the iMac case, but it uses the old-style Apple video connector. It is a simple matter to buy an Apple-to-VGA adapter and connect it to the internal video output and connect that to a VGA cable leading to an external monitor".
Is this possible with a slot-loading iMac? If so can someone please point me to instructions for doing so (ideally with photos/illustrations), or explain how to do it.
I will be very grateful for any help getting this iMac running again.
thanks for responses
@BurntSushi
here is what scrot gave me: http://dl.dropbox.com/u/292474/arch/output.jpg
but what i see is more like: http://dl.dropbox.com/u/292474/arch/output_view.jpg
@ewaller
Interface is VGA. I have tried changing the H. Position on the monitor to "slide it back" but even when it's completely at 100% on one side I gain back half of the black area. I don't know what else I can change on the monitor that would help me out. -
Dot1x (Switch) Question with MAC bypass & Web Auth
Is it possible to configure dot1x with MAC Auth bypass along with web authentication?
The goal is to first try dot1x
If machine doesn't support dot1x, then use MAC address. If MAC isn't in list, redirect through a web browser.
From what I read, it sounds like MAC bypass gives me half of what I need and using web auth as a fallback to dot1x gives me the other half. Can these be used in conjunction to accomplish what is needed here?
There is also Web Auth with Automatic MAC Check, but there is mention of this only working in "web auth standalone mode." Can anyone comment on this?
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1281903
Help is much appreciated.
Thanks,
Jason -
MAC authentication failed for Wired Users
Hi,
I tried to configure MAC authentication for registered users by ACS. But failed. Need help.
OK, OK, I got your point. Please correct me on the config steps:
1. Added switch as AAA client into ACS
2. Entered machine MAC address into ACS user-setup as both username & password.
3. In 64, 65 & 81 (in both group & user setup) chose 64=vlan; 65=802; 81=authenticated_vlan_id
4. in switch
aaa new-model
aaa authentication dot1x default group radius
radius-server host acs_ip auth-port 1645 acct-port 1646 key ****
dot1x system-auth-control
int fa0/1
switchport mode access
dot1x mac-auth-bypass
dot1x port-control auto
dot1x reauthentication
dot1x pae authenticator
dot1x guest-vlan 900
Note: Whenever I issue the command "port-control auto" the line protocol of the port goes down.
5. in end machine disable ieee 802.1x authentication.
I will try this setting tomorrow & update you accordingly. -
Dot1x mac-auth-bypass not supported on 2950 switches
Hi all
I have 2950-24 and 2950SX-24 switches. I upgraded them to the latest IOS version available on the Cisco site (12.1(22)EA11).
We deployed the MAC authentication bypass technology in our organization. The problem is the commands (dot1x mac-auth-bypass) and (dot1x critical) are not supported in this version.
How can we solve this issue? I have many switches having this problem.
I appreciate your quick response and thanks in advance.
Thanks
Dear Sir
Are you sure? Why is it not supported on 2950 when it is supported on 2940 platforms?
Check the link below please. I want to know why Cisco doesn't support these important features on the 2950 platform.
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11/release/notes/OL14991.html#wp1000099
Thanks in advance, -
DLSw Token Ring to Ethernet - Remote Peer MAC
Hi,
Refer to following link, http://www.cisco.com/en/US/partner/tech/tk331/tk336/technologies_configuration_example09186a0080093ecd.shtml
If there is host attached Ring 500 with MAC 0000.1111.0000 (non-canonical) ,another host attached to router B E0, MAC 0000.2222.0000 (canonical)
1) If I configure the dlsw mac-address command at router A, should the configured MAC address change to non-canonical?
2) If I want to configure the dlsw mac-address command at router B, does the configured MAC address remain non-canonical?
Maybe you can explain more about the scenario: when or where to bit swap the MAC address in the configuration.
Best Regards.
Hi,
I am getting confused. To make it simple I include the config and example.
Assume Token ring host is non-canonical and ethernet host is canonical. Please refer R1 & R2 config at the end.
Regards.
Scenario 1
Token Ring Host ---- R1 ===DLSW=== R2 ----Ethernet Host
(Answer)
XXXX.XXXX.XXXX - should convert to non-canonical
YYYY.YYYY.YYYY - remain non-canonical
Scenario 2
Ethernet Host ---- R1 ====DLSW==== R2 --------Ethernet Host
(Answer)
XXXX.XXXX.XXXX - should convert to non-canonical
YYYY.YYYY.YYYY - should convert to non-canonical
OR ?
XXXX.XXXX.XXXX - remain canonical
YYYY.YYYY.YYYY - remain canonical
which one ??
Best Regards.
R1
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw mac-addr XXXX.XXXX.XXXX remote-peer ip-address 1.1.1.1
R2
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw mac-addr YYYY.YYYY.YYYY remote-peer ip-address 1.1.1.2 -
Mac based security managed centrally (Acs or whatever)
I have a project. My customer wants to use MAC address based security on their whole network. They want only PCs/notebooks with specific MAC addresses to be able to connect to their network. But they don't want configuration on a per-switch basis. They want centralized management.
We first looked at ACS. But we realized that ACS supports only wireless access points for this kind of purpose. I also found that there is an ACS feature called NAR (Network Access Restriction). Can I use this feature?
They don't want additional integration (Active Directory etc.) and don't want to install any software on their PCs/notebooks. Because of this I can't use an EAP solution.
They have approx. 300 PCs, and they will enter the whole MAC address list into ACS, and only these PCs will connect to the network. Is it possible?
Best Regards
I wouldn't recommend this as a strong security solution, but it could be done - in theory.
Customer's devices need to be configured to initiate a PAP authentication using pre-configured credentials (a la NAC auth bypass).
ACS will have this username+password configured plus a network access restriction that lists the allowed set of macaddrs.
While this may work for 300 users, NARs are not that easily scalable. -
802.1x authentication with mac address
Hi guys,
there is a strange requirement from one of our customer,
they want us to do 802.1x with MAC address authentication and they don't want the pop-ups which ask
for username, password and domain.
Is it possible?
Can I avoid popping up the username/password with 802.1x, and that too with MAC address?
Any help would be greatly appreciated
Thanks
Jvalin
Hi,
The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has the MAC-Auth Bypass in the IOS.
For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
Regards,
Kush -
Outlook 2011 doesn't recognize .mac account
Since I upgraded to Lion, Outlook 2011 will not get my e-mails from my .mac account. I always get the message:
"The server for account .Mac / XXX returned the error (AUTH) Authentication failed. "Your username/password or security settings may be incorrect. Would you like to try re-entering your password?
I didn't change anything in my account since SL, and checked everything I could check, and it seems OK. The Mail application works well and receives .mac messages; the problem is that I mainly use Outlook.
Should I change my incoming or outgoing server? I am on 10.7.2 and iCloud.
Thank you
Check the settings match those listed here: http://support.apple.com/kb/HT4864
-
We have a 2100 Wlan controller set up with multiple wlans.
We are having problems on the Guest VLAN in that every time a user tries to authenticate via Web Auth, they fail and are redirected to the username/password page.
Local accounts have been added and the WLAN has been set up to use web auth but each time a user tries to authenticate the following message is in the log:-
NOV 21 09:47:21.852 pem_api.c:4513 PEM-1-WEBAUTHFAIL : Web Authentication Failure for station aa:bb:cc:dd:ee:ff
If the box is rebooted it works for around an hour, then begins to fail again.
Any ideas?
Here is the configuration guide for web authentication on the WLC, with an example; it may help you with troubleshooting and configuration:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml -
802.1x port authentication failing after getting a access-accept packet
Hi all,
I'm not 100% sure what the hell is going on here.
Any ideas or help will be appreciated.
Here's the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513 also shows packets being sent and arriving. Access-accept packets are being received.
As you can see in the debug output, the switch is getting an access-accept, then it is stating an AAA failure.
Here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Hi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace
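An added example, not part of the thread: a small parser for the `debug radius` lines posted above. It checks the attribute lengths against the packet length and flags an Access-Accept that carries no EAP-Message attribute (type 79). In the posted trace the 20-byte RADIUS header plus the 46-byte Class attribute account for all 66 bytes, and the switch's EAP layer then logs EAP_AAA_FAIL. The function name `analyse` and the result keys are this example's own.

```python
import re

RADIUS_HEADER_LEN = 20   # code(1) + id(1) + length(2) + authenticator(16)
EAP_MESSAGE = 79         # RADIUS attribute type for EAP-Message (RFC 3579)

# Debug lines copied from the post above, timestamps trimmed.
SAMPLE = """\
RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
RADIUS: Class [25] 46
RADIUS(00000000): Received from id 1645/21
EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
"""

PKT = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+), len (\d+)")
ATTR = re.compile(r"RADIUS:\s+(.+?)\s+\[(\d+)\]\s+(\d+)")   # name [type] length
AAA = re.compile(r"Received AAA event '(\w+)'")

def analyse(log):
    """Return one dict per received RADIUS packet found in a debug dump."""
    packets, cur = [], None
    for line in log.splitlines():
        if m := PKT.search(line):
            cur = {"id": m[1], "code": m[2], "len": int(m[3]),
                   "attrs": [], "aaa_event": None}
            packets.append(cur)
        elif cur and (m := ATTR.search(line)):
            cur["attrs"].append((m[1], int(m[2]), int(m[3])))
        elif cur and cur["aaa_event"] is None and (m := AAA.search(line)):
            cur["aaa_event"] = m[1]   # first AAA event after this packet
    for p in packets:
        attr_bytes = sum(length for _, _, length in p["attrs"])
        # Only trust the attribute list when it accounts for every byte of
        # the packet; a pasted log with missing lines (or nested vendor
        # sub-attributes) fails this check and is not flagged.
        p["complete"] = RADIUS_HEADER_LEN + attr_bytes == p["len"]
        p["has_eap_message"] = any(t == EAP_MESSAGE for _, t, _ in p["attrs"])
        p["finding"] = None
        if (p["code"] == "Access-Accept" and p["complete"]
                and not p["has_eap_message"]):
            p["finding"] = "Access-Accept carries no EAP-Message"
            if p["aaa_event"] == "EAP_AAA_FAIL":
                p["finding"] += "; switch EAP layer reported EAP_AAA_FAIL"
    return packets

if __name__ == "__main__":
    for p in analyse(SAMPLE):
        print(p["id"], p["code"], p["attrs"], p["finding"])
```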
ISSU to NX-OS 6.2(2) fails. OTV error
Just tried upgrading 2 of the 4 chassis I have and it went horribly wrong. Well not really, it just failed with almost no packet drops.
This is an OTV setup across two sites. I did an ISSU upgrade on 2 chassis simultaneously (1 in each site) and got exactly the same error on both.
2013 Aug 23 20:45:28 glsdswn7k001 %$ VDC-1 %$ %PLATFORM-2-MOD_REMOVE: Module 6 removed (Serial number JAFXXXX)
2013 Aug 23 20:45:28 glsdswcore001 %$ VDC-2 %$ last message repeated 1 time
2013 Aug 23 20:45:28 glsdswotv001 %$ VDC-3 %$ last message repeated 1 time
2013 Aug 23 20:49:23 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:49:54 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:50:25 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:50:56 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:51:27 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:51:58 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:52:29 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:53:00 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
Resetting boot variables. Please wait.
2013 Aug 23 20:53:32 glsdswn7k001 %$ VDC-1 %$ %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
[####################] 100%
2013 Aug 23 20:53:47 glsdswn7k001 %$ VDC-1 %$ %PLATFORM-2-MOD_REMOVE: Module 6 removed (Serial number JAFXXXX)
2013 Aug 23 20:53:47 glsdswcore001 %$ VDC-2 %$ last message repeated 1 time
2013 Aug 23 20:53:47 glsdswotv001 %$ VDC-3 %$ last message repeated 1 time
Failure recovery action::
"Standby will be rebooted to force netboot and image download".
Install has failed. Return code 0x4093001E (Standby failed to come online).
Please identify the cause of the failure, and try 'install all' again.
The logs show the following:
2013 Aug 23 20:47:10 glpdswn7k002 %PLATFORM-2-MOD_REMOVE: Module 6 removed (Serial number JAFXXXX)
2013 Aug 23 20:49:21 glpdswn7k002 %BOOTVAR-5-NEIGHBOR_UPDATE_AUTOCOPY: auto-copy supported by neighbor supervisor, starting...
2013 Aug 23 20:50:56 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:50:56 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 8979) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:51:27 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:51:27 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 9132) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:51:58 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:51:58 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 9349) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:52:29 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:52:29 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 9384) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:53:00 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:53:00 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 9402) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:53:31 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:53:31 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 9435) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:54:02 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:54:02 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 9623) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:54:33 glpdswn7k002 %SYSMGR-STANDBY-2-CONVERT_FUNC_FAILED: Conversion function failed for service "otv" (error-id 0xFFFFFFFF).
2013 Aug 23 20:54:33 glpdswn7k002 %SYSMGR-STANDBY-3-SERVICE_TERMINATED: Service "otv" (PID 9769) has finished with error code SYSMGR_EXITCODE_SYSERR (1).
2013 Aug 23 20:55:00 glpdswn7k002 %SYSMGR-3-SERVICE_TERMINATED: Service "installer" (PID 26230) has finished with error code SYSMGR_EXITCODE_FAILURE_NOCALLHOME (20).
2013 Aug 23 20:55:02 glpdswn7k002 %PLATFORM-2-MOD_REMOVE: Module 6 removed (Serial number JAFXXXX)
2013 Aug 23 20:57:21 glpdswn7k002 %BOOTVAR-5-NEIGHBOR_UPDATE_AUTOCOPY: auto-copy supported by neighbor supervisor, starting...
2013 Aug 23 20:59:03 glpdswn7k002 %MODULE-5-STANDBY_SUP_OK: Supervisor 6 is standby
Any idea anyone?
Thought I'd dump the config of the OTV VDC here as well...
version 6.1(4)
hostname lpdswotv002
feature tacacs+
cfs eth distribute
feature ospf
feature otv
feature udld
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature bfd
username admin password 5 kk role vdc-admin
ip domain-lookup
ip access-list ALL_IPs
10 permit ip any any
mac access-list ALL_MACs
10 permit any any
ip access-list HSRP_IP
10 permit udp any 224.0.0.2/32 eq 1985
20 permit udp any 224.0.0.102/32 eq 1985
mac access-list HSRP_VMAC
10 permit 0000.0c07.ac00 0000.0000.00ff any
20 permit 0000.0c9f.f000 0000.0000.0fff any
arp access-list HSRP_VMAC_ARP
10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00
20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000
30 permit ip any mac any
vlan access-map HSRP_Localization 10
match mac address HSRP_VMAC
match ip address HSRP_IP
action drop
vlan access-map HSRP_Localization 20
match mac address ALL_MACs
match ip address ALL_IPs
action forward
vlan filter HSRP_Localization vlan-list 1500-1509,1600-1620
snmp-server user admin vdc-admin auth md5 0x4789e0334323ad58a117a4a94b priv 0x478934334338a117a4a94b localizedkey
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
ip routing event-history general size medium
ip route 0.0.0.0/0 10.236.0.13
vrf context management
ip route 0.0.0.0/0 10.236.16.1
vlan 1,14,1500-1509,1600-1620
vlan 14
name DC1_OTV_Site_VLAN
otv site-vlan 14
service dhcp
ip dhcp relay
interface Vlan1
interface port-channel6
description OTV Internal Interface
switchport
switchport mode trunk
switchport trunk allowed vlan 14,1500-1699
interface Overlay1
otv join-interface Ethernet7/1
otv extend-vlan 1500-1699
otv use-adjacency-server 10.236.0.1 10.237.0.10 unicast-only
no shutdown
interface Ethernet7/1
description OTV Join Interface
rate-mode dedicated force
mtu 9216
no ip redirects
ip address 10.236.0.14/30
no ipv6 redirects
ip ospf network point-to-point
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
ip ospf bfd
no shutdown
interface Ethernet7/2
rate-mode dedicated force
switchport
switchport mode trunk
switchport trunk allowed vlan 14,1500-1699
channel-group 6 mode active
no shutdown
interface Ethernet7/3
interface Ethernet7/4
interface Ethernet7/5
interface Ethernet7/6
interface Ethernet7/7
interface Ethernet7/8
interface Ethernet7/9
rate-mode dedicated force
switchport
switchport mode trunk
switchport trunk allowed vlan 14,1500-1699
channel-group 6 mode active
no shutdown
interface Ethernet7/10
interface Ethernet7/11
interface Ethernet7/12
interface Ethernet7/13
interface Ethernet7/14
interface Ethernet7/15
interface Ethernet7/16
interface Ethernet7/17
interface Ethernet7/18
interface Ethernet7/19
interface Ethernet7/20
interface Ethernet7/21
interface Ethernet7/22
interface Ethernet7/23
interface Ethernet7/24
interface Ethernet7/25
interface Ethernet7/26
interface Ethernet7/27
interface Ethernet7/28
interface Ethernet7/29
interface Ethernet7/30
interface Ethernet7/31
interface Ethernet7/32
interface mgmt0
ip address 10.236.16.23/24
cli alias name wr copy run start
line console
terminal width 128
line vty
router ospf 1
router-id 10.236.16.23
log-adjacency-changes
passive-interface default
otv site-identifier 0x10
ip arp inspection filter HSRP_VMAC_ARP vlan 1500-1699
CTM ERROR: ASA hardware accelerator init failed
Hi Guys, I have bought a refurbished firewall and upon reloading I see the following error from the console. Is this something that I can rectify?
Loading disk0:/asa904-k8.bin... Booting...
Platform ASA5510
Loading...
IO memory blocks requested from bigphys 32bit: 13264
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 104 files, 12459/63613 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 864026624, Reserved memory: 62914560
Total SSMs found: 0
Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: d0d0.fd1d.5d57
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
i82546GB rev03 Ethernet @ irq09 dev 2 index 03 MAC: d0d0.fd1d.5d5b
i82546GB rev03 Ethernet @ irq09 dev 2 index 02 MAC: d0d0.fd1d.5d5a
i82546GB rev03 Ethernet @ irq09 dev 3 index 01 MAC: d0d0.fd1d.5d59
i82546GB rev03 Ethernet @ irq09 dev 3 index 00 MAC: d0d0.fd1d.5d58
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x6122cb5d 0xc06c1a74 0xec92a120 0xbd44e8e8 0x8e372a8a
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
CTM ERROR: ASA hardware accelerator init failed, cause: boot_init completion timeout, ctm_nlite_boot_init:2284
CTM ERROR: ASA hardware accelerator init failed, cause: boot initialization failure, ctm_nlite_download:3342
CRYPTO ERROR: Microcode download failure, boot instance 0
Cisco Adaptive Security Appliance Software Version 9.0(4)
Thanks in advance
Hi Mike,
Thanks for your reply. Considering it was at an early stage I had asked the supplier to replace it.
Regards
Stefan
ISE and WLC for CWA (Central Web Auth)
Hello All,
As we know, the WLC (i.e. 5508) does not support MAB (MAC Auth Bypass), and it supports CWA in 7.2.x.
CWA is a result of successful MAB. So how does CWA work for wireless? So does it mean the WLC supports MAB?
I've been playing around with this and have it working on 7.3.101 on the WLC 5508, however, I don't seem to be receiving the web redirect correctly. When I look under the client connections on the WLC I see that the URL is received on the WLC from ISE, but it appears to be truncated, unless that's just a limitation of the display. I see hits on the ACL-WEBAUTH-REDIRECT ACL on the controller, but it doesn't seem to be redirecting. I have this similar configuration on the wired side of the house and it works fine. ISE just shows pending webauth, as it should.
Security Policy Completed No
Policy Type N/A
Encryption Cipher None
EAP Type N/A
SNMP NAC State Access
Radius NAC State CENTRAL_WEB_AUTH
CTS Security Group Tag Not Applicable
AAA Override ACL Name ACL-WEBAUTH-REDIRECT
AAA Override ACL Applied Status Yes
AAA Override Flex ACL none
AAA Override Flex ACL Applied Status Unavailable
Redirect URL
https://.com:8443/guestportal/gateway
IPV4 ACL Name none
IPv4 ACL Applied Status Unavailable
IPv6 ACL Name none
IPv6 ACL Applied Status Unavailable