NAC 4.7.2 OOB SNMP issues

Hello,
I am setting up a NAC CAM and CAS 4.7.2 OOB setup in a test environment (NAC failover for CAM and CAS), and I am seeing some strange SNMP issues. I am testing with a 3750 switch (12.2(53)SE1) using SNMP v2 and v3, and accessing the switch port configuration in the NAC manager is extremely slow. I click OOB Management -> devices -> switch XXX and it takes several minutes for the port listing to display. Then sometimes it comes up quickly, but a 'show debug snmp' on the switch shows that it isn't polling the switch, so it apparently starts pulling the ports page from cache, but I can see no logic in how it does this.
Q1) When and why does the ports page pull cached info?
Q2) Why are SNMP queries operating so slowly with NAC 4.7.2 OOB?
Here is my test switch/NAC SNMP config (with pseudo names and fake passwords):
snmp-server community switch_read ro   (matches OOB Management -> Profiles -> Device -> SNMP Read v2 settings)
snmp-server view v1default iso included
snmp-server user switch_write switch_group v3 auth md5 <my-password>  (matches OOB Management -> Profiles -> Device -> SNMP Write v3 settings)
snmp-server group switch_group v3 auth read v1default write v1default
snmp-server user cam_notify cam_group v3 auth md5 <my-password>
snmp-server host 10.200.11.100 traps version 3 auth cam_notify mac-notification snmp  (matches OOB Management -> Profiles -> SNMP Receiver v3 settings)
snmp-server group cam_group v3 auth read v1default write v1default notify v1default
What is wrong with my setup?  Any help is appreciated.

Did anyone ever find a solution to this issue? I'm having the same problem.... it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch, it should take less than 10 seconds...
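As an added example (not code from the CAM, from Cisco, or from the posts above), the following stdlib-only Python probe issues the same kind of SNMPv2c GETBULK requests a port listing depends on: it walks IF-MIB::ifDescr with the read community and records the round-trip time of every request. Run from the CAM's own subnet while `debug snmp packets` is enabled on the 3750, it shows whether the switch answers each GETBULK promptly; if it does, the minutes are being spent inside the CAM rather than on the wire. The `switch_read` community, the 25 max-repetitions value, the 2 s timeout and the GigabitEthernet1/0/N names in the constructed offline sample response are assumptions.

```python
"""Stdlib-only SNMPv2c GETBULK probe: walks IF-MIB::ifDescr like a port listing and
times every request, separating switch latency from CAM behaviour. Added example."""
import socket, time

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # BER tags
GETBULK_PDU, RESPONSE_PDU, END_OF_MIB_VIEW = 0xA5, 0xA2, 0x82
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"  # IF-MIB::ifDescr column

def tlv(tag, payload):
    """Tag + BER length (short form below 128, else 0x80|count then length bytes) + payload."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload

def encode_int(value):
    """Non-negative INTEGER; the rounding adds a zero byte whenever the top bit is set."""
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def encode_oid(dotted):
    """First two arcs packed into one byte, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def build_getbulk(community, oid, request_id, max_repetitions=25):
    """SNMPv2c message carrying one GetBulkRequest (non-repeaters 0) for oid."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b"")))
    pdu = tlv(GETBULK_PDU, encode_int(request_id) + encode_int(0)
              + encode_int(max_repetitions) + varbinds)
    return tlv(SEQUENCE, encode_int(1) + tlv(OCTET_STRING, community.encode()) + pdu)

def decode(buf, pos=0):
    """One TLV at pos -> (tag, value, next_pos); constructed types decode to lists."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    body, end = buf[pos:pos + length], pos + length
    if tag & 0x20:  # SEQUENCE or a PDU
        items, p = [], 0
        while p < len(body):
            child_tag, child, p = decode(body, p)
            items.append((child_tag, child))
        return tag, items, end
    if tag in (INTEGER, 0x41, 0x42, 0x43):  # INTEGER, Counter32, Gauge32, TimeTicks
        return tag, int.from_bytes(body, "big", signed=tag == INTEGER), end
    if tag == OID:
        arcs, cur = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            cur = (cur << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs, cur = arcs + [cur], 0
        return tag, ".".join(map(str, arcs)), end
    return tag, bytes(body), end  # OCTET STRING, NULL, endOfMibView and the like

def parse_response(packet, request_id):
    """Varbinds of a Response PDU as [(oid, tag, value)], cut at endOfMibView."""
    _, message, _ = decode(packet)
    pdu_tag, pdu = message[2]
    if pdu_tag != RESPONSE_PDU or pdu[0][1] != request_id or pdu[1][1] != 0:
        raise ValueError("pdu %#x request-id %d error-status %d" % (pdu_tag, pdu[0][1], pdu[1][1]))
    rows = []
    for _, ((_, oid), (tag, value)) in pdu[3][1]:
        if tag == END_OF_MIB_VIEW:
            break
        rows.append((oid, tag, value))
    return rows

def build_response(rid, rows, community="switch_read"):
    """Constructed Response PDU standing in for a switch answer (offline sample input)."""
    vbs = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(OCTET_STRING, v.encode())) for o, v in rows)
    pdu = tlv(RESPONSE_PDU, encode_int(rid) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, vbs))
    return tlv(SEQUENCE, encode_int(1) + tlv(OCTET_STRING, community.encode()) + pdu)

def walk(host, community, base_oid=IF_DESCR, max_repetitions=25, timeout=2.0, port=161):
    """GETBULK walk of one column; returns ([(oid, value)], [seconds per request])."""
    rows, timings, oid = [], [], base_oid
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        while True:
            request_id = int(time.time() * 1000) & 0x7FFFFFFF
            started = time.monotonic()
            sock.sendto(build_getbulk(community, oid, request_id, max_repetitions), (host, port))
            data, _ = sock.recvfrom(65535)
            timings.append(time.monotonic() - started)
            varbinds = parse_response(data, request_id)
            inside = [(o, v) for o, _, v in varbinds if o.startswith(base_oid + ".")]
            rows.extend(inside)
            if not varbinds or len(inside) < len(varbinds):
                return rows, timings
            oid = varbinds[-1][0]

if __name__ == "__main__":  # usage: python snmp_probe.py <switch-ip> <read-community>
    import sys
    print("per-request seconds:", walk(sys.argv[1], sys.argv[2])[1])
```

This exercises only the v2c read path. The v3 `switch_write` user (HMAC-MD5 authentication) is not implemented here, so for that side compare with net-snmp, e.g. `snmpwalk -v3 -l authNoPriv -a MD5 -u switch_write -A <password> <switch> ifDescr`. A v2c community string travels in clear text in every request, so keep the read-only community distinct from the v3 write credentials, as the posted configuration does.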

Similar Messages

  • NAC OOB config issue

    Dear fellows,
    I have installed CAM and CAS version 4.0.3 in OOB mode and am having this problem of the Clean Access Agent repeatedly popping up even after successfully logging on to the server.
    Also, the clients are always requested to download and install the Clean Access Agent even when it is already installed on the system.
    After the successful logon I can see the respective client as successfully logged on to the system. Also the VLANs are correctly switched from Authentication to User VLANs, but still I'm repeatedly asked to log on to the system.
    Are these symptoms familiar to anybody? I would appreciate any idea to help me come out of this.
    Thanks.

    Insert the distribution CD-ROM that contains the CAM or CAS .iso file into the CD drive of the installation server machine.
    Connect to the machine directly with a keyboard and monitor, or by terminal emulation console over a serial connection.
    Reboot the machine. The installation script starts automatically after the machine restarts.
    At the "boot:" prompt, type custom and press Enter.
    The program will prompt you for the driver diskette, then the update diskette. The installation then proceeds normally.

  • NAC migration from L2 OOB to L3

    Hello,
    I have a question about migrating a NAC Appliance version 7.0 deployment from L2 OOB to an L3 Real-IP Gateway.
    Do I need to do anything else, or must I only change the settings on the CAM under "Clean Access Server Type"?
    I don't have a lab to test it.
    Kamil,

    Kamil,
    That would require a major design change in your network -  something I guarantee you is not possible to handle in a forum setting :-)
    If you have a Cisco account team, engage them, so they can help you get a workable design for L3 RIP.
    HTH,
    Faisal

  • NAC 4.7.2 OOB ADSSO win7

    Hi,
    I updated the CAM and CAS servers to version 4.7.2; in OOB mode on Windows 7, authorization with ADSSO does not work.
    ktpass was run on Windows 2008 R2.
    NAC Agent version 4.7.2.

    If you configured KTPASS to use DES-only encryption, you will need to re-run it, as Windows 7 does not support DES encryption.  Here's the instructions for that: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_adsso.html#wp1257882
    Also, if your domain is operating at a 2003 functionality level, you may run into problems (CSCtg46056).

  • Process to upgrade Certs in NAC 4.7.2 OOB VG HA environment

    I am in the process of replacing the CCA manager certificate which is about to expire. My environment is HA and as such consists of two CAM servers and two pairs of HA-CAS servers.
    First - I have submitted and generated the CAM server certificate (Easy enough as the CAM SSL is accessible via the GUI.) I think, although I'm not sure that I need to generate a new cert for the CAS(S).
    If I do, I need to access at least one CAS in an HA pair via the GUI. Does it matter which one? When I attempt to GUI to the "secondary" CAS in a pair I am of course being treated like a device that needs to be "NAC'd".
    To access the CAS I think I need to stop perfigo services which should drop me out of the HA pair. True?
    Will I need to take each server out of "service" to update the cert.
    If there is a document sequence of events I would love to see it.
    Thanks!
    Bob


  • SNMP issue in shared printer

    Hi,
    We have a print server with Windows Server 2008 64-bit; it has around 30 printers configured on it. Recently we removed the legacy printers and installed new printers with the same IPs and names and updated the drivers.
    After we updated the drivers, the newly added printers show offline status on the print server; however, we are able to ping the printers and also able to access the web interface of the printers.
    The printers come to ready status when I disable SNMP in the port configuration option. As SNMP is needed for us to monitor the printers, kindly assist me in fixing this issue, as many printers are affected now...
    Printers are canon branded.

    Neither ping nor the web page on the device requires SNMP.
    Are the Standard TCP/IP Ports configured with the same SNMP community name that is set on the device?
    Also verify that you have enabled SNMP on the devices.
    You should be able to use snmputil.exe to walk the device mib.
    Here are the instructions.  But I was unable to find the file in the list of Win2k Resource kit.  If the first two items check out, go searching for the tool and confirm the SNMP information gets returned from the device when queried.
    http://support.microsoft.com/kb/232663/en-us
    Alan Morris formerly with Windows Printing Team

  • Windows 2008 R2 - Printer "Offline" SNMP issue.

    The issue:
    Not unique from what I have read in these forums and elsewhere around the globe.  But essentially, I have printers that go "offline" and only come back into life if I disable SNMP per printer port and therefore lose any "real" status messages.
    Some Environmental Information:
    - The printers and the print server are on the same logical subnet
    - There is no filtering/Firewall between the printers and the print server and not relevant given they are on the same logical subnet.
    - The firewall is disabled on the Print Server
    - The SNMP community string(s) configured on the printer matches that of the print server port
    - The manufacturing model of the printer varies.  Various print vendor makes and models, of the 5-6 affected devices, all of them are different.
    The following information relates to the newest printer a Ricoh Aficio MP C4501, manufactured and released in 2011 which is one of the models that has the issue
    - The Printer's NIC firmware is up to date (applied myself as I work for this particular print vendor) and is fully compliant with SNMP V1, V2 and V3 and supports all relevant MIBs
    - When the issue occurs, I can access the printer's web configuration page
    - When the issue occurs, I can ping the printer device showing "offline" on the print server
    - When the issue occurs, I can interrogate the printer device using an SNMP browser (many different types) on SNMP V1, V2 and V3 without issue
    - When the issue occurs, I can monitor the device and get detailed status updates using SNMP V1, V2 and V3 in the print vendors own device management application as well as Spiceworks without issue
    Note:
    I am quite confident that there is not a communication issue with SNMP to/from the device.
    I am quite confident that there is not an issue with the printers NIC in terms of firmware
    I can get around this by disabling SNMP per port, but this is _NOT_ a fix because "actual" statuses other than "online" are never reported.
    Summary:
    I'm going out on a limb here and suspecting that the root cause is not the device, firmware or print driver, but in fact something within Windows Server Print Subsystem.  To that end and given there has been a huge amount of discussion on this issue,
    is there any progress or even acknowledgement that this _MIGHT_ be a problem that Microsoft need to address?
    --------------------------- ASE, CNE, CCNP, CLP, MCSE --------------------------

    Hi Alan,
    Lately I experienced this "printer-offline-problem" on my Windows Server 2008 R2 Standard, Service Pack 1. I found this thread on the internet and probably tried out everything mentioned here. But nothing helped in my case. When I deleted and recreated this printer, it was in status Ready and was working as long as there was no restart of the print spooler service. Then it switched to offline and stopped working.
    So I did open a support case at Microsoft as recommended by you.
    It didn't help to install the latest hotfixes or to delete third-party language monitors from the registry. What did help I found out two weeks ago, and I want to share it here for other people having the same problem.
    1. Delete the "Offline" printer and its port.
    2. Search the Registry for the printer name. You might find these keys:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Control\Print\Printers\***problemprinter***]
    "PrinterOnLine"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Control\Print\Printers\***problemprinter***]
    "PrinterOnLine"=dword:00000000
    3. Recreate this printer - done!
    4. Test it by restarting the print spooler service - if you like.
    If you cannot delete the printer, because you don't want to lose the print jobs in the queue, try to find the above-mentioned registry keys and delete them. Then restart the print spooler service. The printer will switch to Ready and start printing.
    Microsoft then confirmed they have comparable cases like this in their database, but no information on why these registry keys are there and why they cause this problem.

  • SharePoint 2013 OOB workflow issue

    Hi,
    We are having issue with OOB workflow as below. Any help?
    Thanks
    srabon

    if you click on the "show error details", what details you getting?
    check this link for the same kind of information... check the last comment at the end.
    Also check this blog on how to fix this error:
    http://blogs.microsoft.co.il/lior/2012/03/29/sharepoint-workflows-the-specified-form-template-could-not-be-found/
    Please remember to mark your question as answered & vote helpful if this solves/helps your problem. Thanks - WS MCITP (SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
    name VLAN_DEPT1
    vlan 11
    name VLAN_DEPT2
    vlan 20
    name VLAN_DEPT3
    vlan 26
    name VLAN_DEPT4
    vlan 27
    name VLAN_DEPT5
    vlan 28
    name VLAN_DEPT6
    vlan 29
    name VLAN_DEPT7
    vlan 30
    name VLAN_DEPT8
    vlan 32
    name VLAN_DEPT9
    vlan 50
    name VLAN_NetMGT
    vlan 51
    name VLAN_CAS_MGT
    vlan 52
    name VLAN_CAM_MGT
    vlan 210
    name VLAN_DEPT1_Auth
    vlan 211
    name VLAN_DEPT2_Auth
    vlan 220
    name VLAN_DEPT3_Auth
    vlan 226
    name VLAN_DEPT4_Auth
    vlan 227
    name VLAN_DEPT5_Auth
    vlan 228
    name VLAN_DEPT6_Auth
    vlan 229
    name VLAN_DEPT7_Auth
    vlan 230
    name VLAN_DEPT8_Auth
    vlan 232
    name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
    description "Link to Cisco CAM-PRI eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/42
    description "Link to Cisco CAM-FO eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/43
    description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
    description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
    description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
    description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
    description "Trunk link to DEPT1 Access SW"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
    description "DEPT1 VLAN"
    ip address x.x.10.1 255.255.255.0
    ip helper-address x.x.50.5
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
    description "Trunk Link to Core Switch"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    no ip address
    interface GigabitEthernet0/6
    switchport access vlan 30
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    =========================================
    Is the above config correct?
    Thanks

    Hi,
    By bogus I assume you mean something like;
    interface Vlan700
    description "BIT BUCKET for unused ports"
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    shutdown
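The following is an added example, not Cisco tooling and not part of the post: a small Python checker that parses the four CAS trunk stanzas from the config above (copied in as its sample input) and tests the VLAN plan for three things that break a Virtual Gateway OOB bridge: a VLAN carried on both CAS trunks, an auth VLAN without its user VLAN, and a native VLAN that doubles as a user or auth VLAN. The rule that each auth VLAN is its user VLAN plus 200 is read off the posted VLAN names, and classifying trunks by the word "UN-Trusted" in their description is likewise an assumption about this particular config.

```python
"""Consistency checks for the CAS trunk VLAN lists in an OOB Virtual Gateway design.
Added example, not a Cisco tool: parses IOS-style interface stanzas and checks the VLAN
plan against the way a VGW CAS bridges each auth VLAN to exactly one user VLAN."""

# Sample input: the four CAS trunks copied from the posted core-switch config.
SAMPLE_CONFIG = """
interface GigabitEthernet3/43
 description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
 switchport trunk native vlan 777
 switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/44
 description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
 switchport trunk native vlan 777
 switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/46
 description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
 switchport trunk native vlan 700
 switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface GigabitEthernet3/48
 description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
 switchport trunk native vlan 700
 switchport trunk allowed vlan 10,11,20,26-30,32,50-51
"""

def expand_vlans(spec):
    """'10,11,26-30' -> {10, 11, 26, 27, 28, 29, 30}"""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def parse_trunks(config):
    """Interface name -> {'desc', 'native', 'allowed'} for each stanza with an allowed list."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1],
                                         {"desc": "", "native": None, "allowed": set()})
        elif current is None:
            continue
        elif line.startswith("description "):
            current["desc"] = line.split(None, 1)[1].strip('"')
        elif line.startswith("switchport trunk native vlan "):
            current["native"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            current["allowed"] = expand_vlans(line.rsplit(None, 1)[1])
    return {name: t for name, t in stanzas.items() if t["allowed"]}

def side(trunk):
    """Which side of the CAS the trunk feeds; assumes the description marks the untrusted one."""
    return "untrusted" if "untrusted" in trunk["desc"].lower().replace("-", "") else "trusted"

def check_vgw_trunks(config, auth_offset=200):
    """Findings as strings; an empty list means the VLAN plan is self-consistent."""
    trunks = parse_trunks(config)
    untrusted = set().union(*(t["allowed"] for t in trunks.values() if side(t) == "untrusted"))
    trusted = set().union(*(t["allowed"] for t in trunks.values() if side(t) == "trusted"))
    findings = []
    # 1. The CAS must see each VLAN on one side only; the same VLAN on both sides gets bridged to itself.
    for v in sorted(untrusted & trusted):
        findings.append("VLAN %d allowed on both the trusted and the untrusted CAS trunks" % v)
    # 2. Every auth VLAN needs its user VLAN on the trusted side (auth = user + 200 in this naming).
    for v in sorted(untrusted):
        if v - auth_offset not in trusted:
            findings.append("auth VLAN %d has no user VLAN %d on the trusted trunks" % (v, v - auth_offset))
    # 3. The native VLAN is a bit bucket and must not double as a user or auth VLAN.
    for name, t in trunks.items():
        if t["native"] in untrusted | trusted:
            findings.append("%s: native VLAN %d is also a user/auth VLAN" % (name, t["native"]))
    return findings
```

Run `check_vgw_trunks(open("core.cfg").read())` against a `show running-config` dump; every string it returns is a finding, and an empty list means the trunk lists agree with each other. It checks only what is visible in the switch stanzas; the VLAN mapping entered on the CAS (210 to 10 and so on) still has to be compared against the same lists by hand.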

  • 6500 VSS SNMP issues

    We recently converted 2 6506-E chassis to use VSS w/ Quad-Sup and noticed that several SNMP OIDs we used for monitoring have stopped working.
    OID 1.3.6.1.4.1.9.9.217.1.3 only provides module statistics for the active chassis, rather than both.
    OID 1.3.6.1.4.1.9.5 no longer exists as an object.  We monitored numerous items under 1.3.6.1.4.1.9.5.1.3.1.1 which are no longer available.
    Has anyone encountered these issues after converting to VSS and/or do you have any suggestions with how to deal with them?
    Thanks,
    -Kevin

    I am having similar issue on 4500-X VSS, ENTITY-MIB only available on active chassis.

  • NAC 3310 and Teledex Iphone LD4205S issue

    Hello,
    Needing your help on this particular issue with Cisco NAC and Teledex Iphone LD4205S (SIP voip phone).
    The setup is this, the Iphone is connected to a port on a Cisco 3750 switch. And a laptop is connected to this Iphone.
    I can see that Cisco NAC correctly changed the vlan for the switch port but the laptop is not getting an IP address.
    The strange thing is that when the port is not managed by the NAC, the laptop can get an IP address.
    Also, when the port is managed by NAC and the laptop is directly connected to the port, the laptop can get an IP address.
    It's only when the laptop is connected to the Iphone and the port is managed by the NAC...when the laptop can't get an IP address.
    Any thoughts?
    Thanks so much in advance...

    If tried techniques to get the battery to act right, such as rebooting by holding both the power and home buttons until the apple logo appears and it restarts, and those things haven't helped, take the iPhone and iPad to the Apple store genius bar and have the technicians test them to see if there is a hardware fault.  Do that before the warranty runs out so you are covered.

  • SNMP issues after upgrading Guard

    We recently upgraded one of our Cisco Guards from 6.0(10) to the latest version (6.1(2)) and now the following OIDs do not appear to work/exist any longer:
    rhNEAcceleratorCPUUtilization.1
    rhNEAcceleratorMemoryUtilization.1
    The ability to graph these is critical due to the following bug:
    CSCsc05116 - The Guard may stop functioning or start logging errors after reaching 100 percent anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Guard. Reducing the number of active zones may free up memory.
    I thought that maybe they changed the way it is queried but was unsuccessful with anything else I tried (using the latest MIB).
    I apologize if I have posted this in the wrong place.
    Any help is greatly appreciated.
    Thank you.

    There is a bug filed for the issue you have mentioned, and the workaround is that the Anomaly Detection memory should be freed by deactivating one or more zones, or alternatively by disabling a number of policies/services.
    You can delete a specific service relating to a policy template.
    To delete a service from a policy, enter the following at the policy template prompt:
    remove-service service-num

  • NAC 4.7.2 (OOB VGW)) MAC certificate validation slow

    We have been seeing some odd behavior with certificate validation on Mac OS X devices running the installed agent.
    When a user enters their userid and password they sometimes get an SSL cert error. If the user clicks on login multiple times they will eventually certify and join the trusted network.
    I did a packet capture of a machine that was experiencing the problem.
    The packet capture showed the Mac making a DNS query for the Verisign server's IP address, and the DNS server returns the correct answer. The expected connection to the Verisign server never occurs. (The SSL cert error on the Mac shows up about now.)
    If login is clicked (several times) and you go through the cycle again, eventually the connection to the Verisign server is established, the certificate is validated and the user is placed into the trusted VLAN.
    Has anybody else experienced this? Any ideas?

    Faisal,
    I reviewed my work, including where I performed my captures. The capture I did initially was between the CAS and the outside world - our routing core.
    I decided to span a port a Mac was connected to and performed another capture.
    Lo and behold, the Mac was actually trying to connect to the Verisign server based on the IP address of the forward DNS lookup sent originally from the Mac.
    I thought about the process and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against the host filter I built to allow the traffic.
    The filter was based on the forward lookup, so it was something like "ends with crl.verisign.com".
    When I did a reverse lookup I discovered most of the servers returned something like "crl.indv10.verisign.com", which of course did not match the filter I had created. Traffic blocked.
    I changed the filter to just "ends with verisign.com" and it worked 95% of the time.
    Why only 95%?
    One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use, and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.
    No problems now.
    Later!
    Bob

  • Snmp issue on ASA5510, empty reply on oid .1.3.6.1.2.1.31.1.1.1.18

    Hey all,
    I currently have 3 ASA5510s (versions 7.2(3), 8.0(4) and 8.2(1)) which fail to reply with the description value I added on the interface.
    I noticed the problem through our Cacti graphs and then checked with snmpwalk.
    I've tried both v1 and v2c, no difference.
    All other values are returned properly, just not the ifAlias values I'm looking for.
    Does anybody have similar experience and a solution in hand?
    Many thanks in advance.

    Yes, you have the snmpEngineTime / .1.3.6.1.6.3.10.2.1.3 option on IOS 12.0(3)T or later, as explained in this post:
    https://supportforums.cisco.com/message/573246#573246

  • SNMP issues with RV082

    Does anyone else poll this router with SNMP?
    We are using firmware version: 2.0.0.19-tz
    We are having problems with the traffic counters: some of them appear to be implemented as 16-bit counters instead of 32-bit counters. The reason this is causing problems is that they roll over (at 65,000) to 0 in less than our one-minute polling cycle, really skewing our metrics.
    The counter for the Lan (interface 2) seems to be functioning properly, however interfaces 3 and 4 (WAN and DMZ / WAN2) rollover at 65000.
    Tue May 11 08:38:31 EDT 2010
    IF-MIB::ifInOctets.1 = Counter32: 137634
    IF-MIB::ifInOctets.2 = Counter32: 1865677943
    IF-MIB::ifInOctets.3 = Counter32: 12450
    IF-MIB::ifInOctets.4 = Counter32: 49354
    Look at counter IF-MIB::ifInOctets.4 5 seconds later:
    Tue May 11 08:38:36 EDT 2010
    IF-MIB::ifInOctets.1 = Counter32: 137634
    IF-MIB::ifInOctets.2 = Counter32: 1865836207
    IF-MIB::ifInOctets.3 = Counter32: 13167
    IF-MIB::ifInOctets.4 = Counter32: 12900
    Any suggestions?
    Thanks!

    Looks like a bug.
    I'm using the same firmware, and the bug can be seen with one reading:
    $ snmpwalk -v 2c -c public 192.168.20.253
    IF-MIB::ifDescr.2 = STRING: ixp0
    IF-MIB::ifDescr.3 = STRING: ixp1
    IF-MIB::ifDescr.4 = STRING: ixp2
    IF-MIB::ifInOctets.2 = Counter32: 2882720251
    IF-MIB::ifInOctets.3 = Counter32: 59554
    IF-MIB::ifInOctets.4 = Counter32: 31339
    IF-MIB::ifInUcastPkts.2 = Counter32: 114769131
    IF-MIB::ifInUcastPkts.3 = Counter32: 4291658323
    IF-MIB::ifInUcastPkts.4 = Counter32: 4292343584
    The unicast packet counters seem correct, the LAN counters (both byte and packet) seem correct, but the WAN (both WAN1 & WAN2) byte counts are flawed, i.e. no relation to the packet counters.
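As an added example (not code from either post), the Python below computes per-second rates from consecutive Counter32 readings with the usual modulo-2^32 wrap handling, and then asks whether the 32-bit interpretation is physically possible at the interface's line rate at all; when it is not, but a 16-bit wrap fits, the counter is behaving like the RV082 WAN ports described above. The sample readings are the ones posted (5 s apart); the 100 Mbit/s ifSpeed is an assumption, since neither post gives one.

```python
"""Rates from SNMP Counter32 readings, plus a check for a counter that wraps at 16 bits
instead of 32 (the RV082 WAN symptom above). Added example, not from the original posts."""

def counter_delta(previous, current, bits=32):
    """Increase between two readings, tolerating one wrap of a bits-wide counter."""
    return (current - previous) % (1 << bits)

def bytes_per_second(previous, current, seconds, bits=32):
    return counter_delta(previous, current, bits) / seconds

def max_plausible_bytes(ifspeed_bps, seconds):
    """Line rate is a hard ceiling on how many octets one interval can contain."""
    return ifspeed_bps / 8 * seconds

def infer_counter_width(previous, current, seconds, ifspeed_bps):
    """32 when the Counter32 reading fits under the line rate, 16 when only a 16-bit wrap
    does, None when neither does. A 16-bit delta is always below 65536, so the verdict 16
    is only meaningful because 32 has been ruled out first."""
    ceiling = max_plausible_bytes(ifspeed_bps, seconds)
    for bits in (32, 16):
        if counter_delta(previous, current, bits) <= ceiling:
            return bits
    return None

def wrap_interval(bits, bytes_per_sec):
    """Seconds until the counter wraps at a steady rate; polls must come more often than this."""
    return (1 << bits) / bytes_per_sec

# Constructed sample: the ifInOctets readings posted for the RV082, taken 5 s apart.
# The 100 Mbit/s ifSpeed used below is an assumption; the posts do not state one.
SAMPLES = {
    "ifInOctets.2 (LAN)": (1865677943, 1865836207),
    "ifInOctets.3 (WAN1)": (12450, 13167),
    "ifInOctets.4 (WAN2)": (49354, 12900),
}

def analyse(samples=SAMPLES, seconds=5, ifspeed_bps=100_000_000):
    """name -> (inferred counter width, bytes/s under that width, seconds per wrap at that rate)"""
    report = {}
    for name, (previous, current) in samples.items():
        bits = infer_counter_width(previous, current, seconds, ifspeed_bps)
        if bits is None:
            report[name] = (None, None, None)
            continue
        rate = bytes_per_second(previous, current, seconds, bits)
        report[name] = (bits, rate, wrap_interval(bits, rate) if rate else None)
    return report
```

For the posted WAN2 pair (49354 then 12900) the 32-bit delta would be over 4 GB in five seconds, while the 16-bit delta is 29082 bytes, about 5.8 KB/s, which wraps a 16-bit counter roughly every 11 s; a one-minute poll therefore misses wraps, and polling fast enough to catch them is not realistic at WAN rates either. Where an agent offers the 64-bit IF-MIB::ifHCInOctets column, polling that instead is the standard remedy; on an agent that does not, the packet counters (which the second reply shows behaving sanely) are the fallback.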
