%CDP-4-NATIVE_VLAN_MISMATCH

Hello,
I have a Cisco 2950 connected to a 3550 through a cross-cable on FastEthernet0/1 and FastEthernet0/4, respectively.
On the 2950, I get the following error message:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (0), with switch FastEthernet0/4 (1).
I cannot really figure out how to get rid of this error message; both interfaces are in VLAN 1. Also, would this mismatch have any impact on the connectivity between these two devices?
Thanks for your input in advance.
Regards,
Georg

Georg,
I agree with Fredrik. If both ports are set to switchport mode access and the access VLAN on each port is VLAN 1, then native VLAN mismatch really should have no impact on connectivity.
You may have an unnecessary "switchport trunk native vlan x" command in the configuration of one or both ports, left over from when it may have been configured as a switchport mode trunk. Double-check your config for this. It is not uncommon to have several switchport trunk-related commands remain in the config when the port mode is changed from trunk to access.
Even though the ports are set up for access mode, CDP will communicate any relevant information about the port configurations to other Cisco devices which may be attached to them. If this message is really annoying, you can turn off CDP on just those ports, as Fredrik suggests; but then you would lose the benefit of having CDP exchange other important information between the two switches.
Hope this helps.
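The two checks the reply above describes, as an added example (not code from the thread): a small Python audit that parses an IOS-style running-config, lists any stale "switchport trunk ..." commands left on access-mode ports, and compares the native VLAN each end of a link will advertise in CDP. The rule it uses, access VLAN on an access port and trunk native VLAN on a trunk, is the one the log lines elsewhere on this page show being compared (for example "(506)" against "(500)" on two access ports); treating a port with no explicit mode as a trunk is a simplification of this example. The two configurations, interface names and VLAN numbers are constructed for illustration.

```python
"""Audit IOS-style switchport configuration for the two things the reply
points at: stale "switchport trunk ..." commands left on access ports, and
the native VLAN each end of a link will advertise in CDP.

Added example, not from the original post. The two configurations below are
constructed; interface names and VLAN numbers are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    mode: Optional[str] = None        # "access", "trunk" or None (not set)
    access_vlan: int = 1              # IOS default
    trunk_native: int = 1             # IOS default
    lines: list = field(default_factory=list)

    def advertised_native(self) -> int:
        """VLAN this port puts in its CDP native-VLAN TLV.

        Access ports are compared by access VLAN (the "(506)" vs "(500)"
        lines on this page), trunks by native VLAN. A port with no explicit
        mode is treated as a trunk here, which is a simplification."""
        if self.mode == "access":
            return self.access_vlan
        return self.trunk_native

    def stale_trunk_lines(self) -> list:
        """Trunk-only commands that survive on an access port do nothing for
        forwarding but are the leftover the reply tells you to look for."""
        if self.mode != "access":
            return []
        return [l for l in self.lines if l.startswith("switchport trunk ")]


def parse_config(text: str) -> dict:
    """Minimal parser: only the switchport commands the audit needs."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(line.split(None, 1)[1])
            ports[cur.name] = cur
        elif line == "!":
            cur = None                     # "!" ends an interface block
        elif cur is not None and line:
            cur.lines.append(line)
            if m := re.fullmatch(r"switchport mode (access|trunk)", line):
                cur.mode = m.group(1)
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                cur.access_vlan = int(m.group(1))
            elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                cur.trunk_native = int(m.group(1))
    return ports


def audit_link(cfg_a: dict, port_a: str, cfg_b: dict, port_b: str) -> dict:
    """Compare one physical link end to end, the way CDP does."""
    a, b = cfg_a[port_a], cfg_b[port_b]
    return {
        "native": (a.advertised_native(), b.advertised_native()),
        "mismatch": a.advertised_native() != b.advertised_native(),
        "stale": {p.name: p.stale_trunk_lines() for p in (a, b) if p.stale_trunk_lines()},
    }


# Constructed configs: SW_A carries a stale trunk command on Fa0/1 and a real
# native-VLAN mismatch on Fa0/2; SW_B is the neighbour at the other end.
SW_A = """
interface FastEthernet0/1
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,10
 switchport mode access
!
interface FastEthernet0/2
 switchport trunk native vlan 20
 switchport mode trunk
!
"""
SW_B = """
interface FastEthernet0/4
 switchport access vlan 1
 switchport mode access
!
interface FastEthernet0/5
 switchport mode trunk
!
"""
LINKS = [("FastEthernet0/1", "FastEthernet0/4"), ("FastEthernet0/2", "FastEthernet0/5")]


def run_audit() -> dict:
    cfg_a, cfg_b = parse_config(SW_A), parse_config(SW_B)
    return {f"{pa}<->{pb}": audit_link(cfg_a, pa, cfg_b, pb) for pa, pb in LINKS}


if __name__ == "__main__":
    for link, result in run_audit().items():
        print(link, result)
```

Stale lines are removed with the `no` form of each command. Removing them does not change the VLAN an access port advertises, which is why the audit reports them separately from the mismatch itself: the first link above is clean in CDP terms but still carries dead trunk configuration, the second is a genuine 20-versus-1 mismatch.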

Similar Messages

  • %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface fa1.

    I am getting the following message in my logs on SF300-8
    "%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface fa1."
    What is causing the error, see VLAN setup below:

    Hi,
     Yes, in this case you can change the native VLAN on that switch with the command (config-if)#switchport trunk native vlan #; there is no need to reboot the switch for the change to take effect.
    Regards,

  • %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.

    Hello everyone,
    I have a SonicWall firewall with 6 VLANs and 3 Cisco sg28 switches connected to it. Everything is working fine, but I see I have these warnings in the log files of all three switches.
    I just need to know the best way to resolve this.
    The first switch is the "core" switch and the other two are connected to it in a star pattern.
    Sonicwall--switch1.101.1----switch 101.10
                                          |
                                          |
                                          switch 101.20
    So core switch 101.1 has default VLAN set to 100, which is the default LAN on the SonicWall that it is connected to. There are no devices in .100.
    switch 101.10 has default VLAN set to 1
    switch 101.20 has default VLAN set to 1
    switch 101.1 is seeing these warnings:
    2147483643  2014-Apr-01 19:33:08  Warning  %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.
    2147483644  2014-Apr-01 19:30:52  Warning  %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.
    switch 101.10 is seeing these warnings:
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi52.
    port gi52 is connecting to switch 101.1
    switch 101.20 is seeing these warnings:
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.
    port gi27 is connected to switch 101.1
    Thanks!

    Hi,
     Yes, in this case you can change the native VLAN on that switch with the command (config-if)#switchport trunk native vlan #; there is no need to reboot the switch for the change to take effect.
    Regards,

  • Strange behaviors from SG300-10MP

    Hi, everyone.  Was hoping to get some advice and assistance regarding two issues with a brand new SG300-10MP our company recently bought.
    1.  I've been having difficulty getting a proper trunk port to work on this, as compared to the Cisco Catalyst 2960's.  My office has temporarily been relocated to another space in our building.  The core switch in this side of the building is a 2960 series.  This room has a single network jack in it.  That jack is plugged into the 2960 directly on a trunk port with no explicit vlans as native, allowed or disallowed.  Pretty much the config of the port is "Switchport mode trunk" and that's it.  I'm sharing this space with another person on the IT team and we both have multiple computers and VoIP phones, so we've placed a NetGear FS726TP switch in here that has 12 PoE ports (for the VoIP phones) and 12 non-PoE for everything else.  Port 25 on this switch appears to be configured as a trunk port with all VLANs being tagged.  The VLANs on this switch are (1, 3, 6, 10, 11, 1001 and 2).  VLAN 6 is for PC's, 11 is for VoIP phones, 1001 is for management, and 1 is the default VLAN and also is the PVID for port 25.  Everything plugged into the NetGear is working as expected.  The SG300-10MP's port 9 is plugged into the NetGear's port 26.  I've configured port 26 identically to port 25, so as far as the NetGear is concerned, that should be a trunk port.  I've attempted to configure the SG300-10MP's port 9 as a trunk, but I've found that first I need to manually create all my VLANs on it that I want to use on the switch (in this case, 1, 6, 10, 11 and 1001), and then for the trunk to actually work as expected, I have to explicitly allow the VLAN's on port 9 ("switchport trunk allowed vlan add all").  I've configured GE1-8 to be access ports on VLAN 6.  The strange thing is, every 5 minutes I get this message on the console: "%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi9."  This only occurs if I have a computer plugged into GE1 on the SG300.  
The computer also has a second connection into the NetGear, so I suspect it might be an issue with spanning tree, although how the switch is communicating through my PC is unknown.  When I first unboxed the SG300 and plugged my computer into a port, it was grabbing a valid DHCP address for VLAN 6 somehow through my PC.  Does anyone have any idea why I keep getting this?  I'd done a "sh cdp n detail" and this is what it gives me:
    Device-ID: 2960-06-TrunkSw5590.XXXX.XXXXX.local
    Advertisement version: 2
    Platform: cisco WS-C2960S-24TS-S
    Capabilities: Switch IGMP
    Interface: gi9, Port ID (outgoing port): GigabitEthernet0/15
    Holdtime: 151
    Version: Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Co
    Duplex: full
    Native VLAN: 1
    SysObjectID: 0.0
    VTP Management Domain: XXX
    Primary Management Address: IP 10.100.100.125,
    Addresses:
              IP 10.100.100.125
    Device-ID: SEP08000F77571D
    Advertisement version: 2
    Platform: Mitel 5330e,DN 2890
    Capabilities: Host Phone
    Interface: gi9, Port ID (outgoing port): Port 1
    Holdtime: 125
    Version: M6020006
    Duplex: full
    Power drawn: 6100 milliwatts
    SysObjectID: 0.0
    Addresses:
              IP 10.2.2.60
    Device-ID: SEP08000F8E7773
    Advertisement version: 2
    Platform: Mitel 5330e,DN 2643
    Capabilities: Host Phone
    Interface: gi9, Port ID (outgoing port): Port 1
    Holdtime: 125
    Version: M6020006
    Duplex: full
    Power drawn: 6100 milliwatts
    SysObjectID: 0.0
    Addresses:
              IP 10.2.2.25
    Device-ID: 5067ae3ccc29
    Advertisement version: 2
    Platform: Cisco SG300-10MP (PID:SRW2008MP-K9)-VSD
    Capabilities: Switch IGMP
    Interface: gi9, Port ID (outgoing port): gi1
    Holdtime: 121
    Version: 1.3.5.58
    Duplex: full
    Native VLAN: 6
    SysName: switch3ccc29
    SysObjectID: 0.0
    Addresses:
              IP 10.200.1.55        (this is the IP for Management of the SG300 on VLAN1001)
    So, CDP appears to be working, seeing itself, the two VoIP phones and the core switch, but getting nothing from the NetGear (obviously).  The Native VLAN on the core switch is 1 and the PVIDs on both trunk ports on the NetGear are also 1, the default VLAN on the NetGear is 1, all packets are tagged on ports 25 and 26, and I've even set GE9 on the SG300 as native vlan 1, but still getting these errors.  Is this just a warning that's being caused by having that NetGear between the two Cisco switches or something else?
    2.  Whenever I make any changes to the VLANs on the switch from the command line, it always gives me this message:  "Please ensure that the port through which the device is managed has the proper settings and is a member of the new management interface.  Would you like to apply this new configuration? (Y/N)[N]"  As mentioned above, VLAN 1001 is our management VLAN and I've assigned IP address 10.200.1.55, subnet mask 255.255.255.0 to interface VLAN1001.  After I set that, if I make any changes to the VLANs, whether it be adding a new VLAN interface, or changing the IP address or removing an IP address, I'll get that message, choose "YES", and then I'll lose all IP connectivity to the rest of the VLAN1001 subnet.  I look at the config and even if I was working with a VLAN other than 1001, the IP address I assigned to interface VLAN1001 will be gone.  Also, the default gateway will be removed.  So, every time I make any change to the VLANs, I have to go and re-do these things.  Is this normal behavior for the configuration to blow itself up like this?
    Help!

    Looks like Cisco small business products don't support the Cisco Network Assistant. I have tried the web console with both Internet Explorer and Firefox.

  • Vlan mismatch error

    All,
    I have investigated and made sure the speed/duplex have been changed between both devices attached to the interfaces.
    Here is my error:
    02-ext-liv FastEthernet0/20 (40).
    Feb 20 16:22:18.711 PST: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/xx
    2900 series switch.
    What other approach shall I take to pinpoint the issue, since this is only informational in the error log?
    -fz
    Thanks in advance!

    Hi,
    The 'error' message is simply because you have used different VLAN IDs on the access ports at either end. CDP discovers this and logs a warning. The message is pretty harmless in itself.
    There are a couple of options to get rid of it:
    - configure the access port to be the same VLAN on the two switches at either end of the link
    --- OR ----
    - enable CDP version 1 on your switches. You can do this using: 'no cdp advertise-v2'.
    The latter option is simpler and you don't really lose much...
    Hope that helps - pls rate the post if it does.
    Paresh
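Paresh's two options come down to "fix the VLANs" or "stop advertising them": `no cdp advertise-v2` falls back to CDPv1, whose advertisements carry no native VLAN TLV, so the neighbour can no longer detect the mismatch rather than the mismatch going away. Either way the first step is knowing which links actually disagree, and the message is re-logged on every CDP advertisement. The following is an added example, not code from any post here, that parses both spellings of the message found on this page (the IOS %CDP-4 form, which names both ends and both VLAN IDs, and the Small Business %CDP-W form from the SG300/SG200/SG500 posts below, which names only the local interface) and collapses a log to one record per local interface. The sample lines are copied from this thread except the one marked as a constructed repeat; the helper names are this example's own.

```python
"""Parse the two spellings of the CDP native-VLAN mismatch message seen in
this thread and reduce a noisy log to the unique links that disagree.

Added example, not from any of the posts. The log lines below are copied
from the thread (one constructed repeat is marked); helper names are mine."""
import re
from collections import OrderedDict
from typing import Optional

# IOS / Catalyst form: carries both ends' VLAN IDs and the neighbour's name.
IOS_MSG = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local>\S+) \((?P<local_vlan>\d+)\), with (?P<neighbor>\S+) "
    r"(?P<remote>\S+) \((?P<remote_vlan>\d+)\)"
)
# Small Business (SG/SF series) form: names only the local interface.
SMB_MSG = re.compile(
    r"%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface "
    r"(?P<local>[\w/]+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the mismatch fields from one syslog line, or None if it is not one."""
    if m := IOS_MSG.search(line):
        return {
            "local": m["local"], "local_vlan": int(m["local_vlan"]),
            "neighbor": m["neighbor"], "remote": m["remote"],
            "remote_vlan": int(m["remote_vlan"]), "both_ends_known": True,
        }
    if m := SMB_MSG.search(line):
        # The SMB platforms do not log the far end; it has to be read from
        # "show interfaces switchport" on the neighbour.
        return {"local": m["local"], "local_vlan": None, "neighbor": None,
                "remote": None, "remote_vlan": None, "both_ends_known": False}
    return None


def unique_mismatches(lines) -> list:
    """Collapse repeats (the message recurs every CDP advertisement) to one
    record per local interface, in order of first appearance, with a count."""
    seen = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["local"] not in seen:
            seen[rec["local"]] = dict(rec, count=0)
        seen[rec["local"]]["count"] += 1
    return list(seen.values())


SAMPLE_LOG = [
    # IOS / Catalyst lines quoted in this thread
    "%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (0), with switch FastEthernet0/4 (1).",
    "Oct 15 01:03:10: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/37 (102), with tst1-s2 GigabitEthernet0/1 (1).",
    "3372049: Nov 11 12:13:53.064 UAE: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet9/2 (506), with TEC-DC-COR-N6.tec.local GigabitEthernet9/3 (500).",
    # constructed repeat of the previous line one CDP interval later
    "3372053: Nov 11 12:14:53.101 UAE: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet9/2 (506), with TEC-DC-COR-N6.tec.local GigabitEthernet9/3 (500).",
    # Small Business lines quoted in this thread
    "24-Jan-2013 12:54:48 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/24.",
    "02-May-2013 18:45:02 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi2/1/27.",
    # unrelated line that must be ignored
    "02-May-2013 18:45:00 %LINK-I-Up:  Po1",
]

if __name__ == "__main__":
    for rec in unique_mismatches(SAMPLE_LOG):
        print(rec)
```

For the IOS records the two VLAN IDs in the output are the ones to reconcile (or to accept, in the inline-sensor case further down this page); for the SMB records the far end still has to be checked by hand.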

  • SG200-26 Error

    I have two SG200-26 linked by GBIC, at both ends I get the error
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi25. 
    Via the GUI, how do I solve this?
    Thanks

    Hi Bruce, this is an error message generated by CDP to tell you the interconnecting devices use a different untagged VLAN on each side. Although it is not service affecting, it will generate the log message.
    To correct this, you need to ensure the untagged VLAN on the trunk connecting the switches matches on both ends.
    -Tom
    Please mark answered for helpful posts

  • Why the ACS block my Console Login?

    I have AAA on my switches and routers, but when my server goes down I can't get access on the console port.
    My config is attached and the debug aaa authorization.
    These are the debugs for each access: Telnet TACACS user, console TACACS user and the try with the local user.
    telnet access
    Oct 15 01:03:09: AAA: parse name=tty2 idb type=-1 tty=-1
    Oct 15 01:03:09: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:03:10: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/37 (102), with tst1-s2 GigabitEthernet0/1 (1).
    Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user='ACS-USER' ruser='NULL' port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=ENABLE priv=15
    Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user='ACS-USER' ruser='NULL' port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=LOGIN priv=1
    Console access (working with the ACS user)
    Oct 15 01:08:57: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:08:57: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
    Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
    Console access (not working with the local user)
    Oct 15 01:05:24: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:05:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) user='LOCAL_USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
    Oct 15 01:05:36: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:05:36: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
    Oct 15 01:06:09: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:06:09: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:06:09: AAA/MEMORY: create_user (0x2773004) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:06:41: AAA/MEMORY: free_user (0x2773004) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
    Thanks for your help.

    Change your commands from,
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+
    To,
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    Regards,
    Prem
    Please if it helps!

  • IPs 4200 sensor problem

    I have following logs on my core switch
    Log Buffer (8192 bytes):
    NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet9/5 (503), with TEC-DC-COR-N6.tec.local GigabitEthernet9/4 (502).
    3372049: Nov 11 12:13:53.064 UAE: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet9/2 (506), with TEC-DC-COR-N6.tec.local GigabitEthernet9/3 (500).
    3372050: Nov 11 12:13:58.916 UAE: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet9/3 (500), with TEC-DC-COR-N6.tec.local GigabitEthernet9/2 (506).
    3372051: Nov 11 12:14:00.508 UAE: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet9/4 (502), with TEC-DC-COR-N6.tec.local GigabitEthernet9/5 (503).
    3372052: Nov 11 12:14:12.268 UAE: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet9/5 (503), with TEC-DC-COR-N6.tec.local GigabitEthernet9/4 (502).
    Ports 9/2-5 are connected to a Cisco IPS 4270 sensor. I have 2 questions:
    1. Why is there a native VLAN mismatch error while the ports are connected as access ports? Below is the port configuration:
    interface GigabitEthernet9/2
    description ++++ 4270-1 Inline-WAN Port A RTR 01 ++++
    switchport
    switchport access vlan 506
    switchport mode access
    rmon collection stats 6002 owner monitor
    interface GigabitEthernet9/3
    description ++++ 4270-1 Inline WAN Port B RTR 01 ++++
    switchport
    switchport access vlan 500
    switchport mode access
    rmon collection stats 6003 owner monitor
    interface GigabitEthernet9/4
    description ++++ 4270-1 inline Dist. Port C SW 01 ++++
    switchport
    switchport access vlan 502
    switchport mode access
    rmon collection stats 6004 owner monitor
    interface GigabitEthernet9/5
    description ++++ 4270-1 Inline Dist. Port D SW 01 ++++
    switchport
    switchport access vlan 503
    switchport mode access
    rmon collection stats 6005 owner monitor
    2. If I do show cdp nei, I am seeing the local switch name as the remote device name:
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    TEC-DC-COR-N6.tec.local
                     Gig 9/5           170          R S I     WS-C6509- Gig 9/4
    TEC-DC-COR-N6.tec.local
                     Gig 9/2           168          R S I     WS-C6509- Gig 9/3
    TEC-DC-COR-N6.tec.local
                     Gig 9/3           174          R S I     WS-C6509- Gig 9/2
    TEC-DC-COR-N6.tec.local
                     Gig 9/4           146          R S I     WS-C6509- Gig 9/5
    Any advice on this?

    In that setup the IPS is inline configured. To force the traffic to flow through the sensor, we need two VLANs for one IP subnet, i.e. traffic enters on VLAN 500 from a PC/server and should go to the DG, which is the router. If the router were attached on VLAN 500, the sensor wouldn't be inline. But one port of the sensor is also in VLAN 500 and the packet flows to the sensor. The second interface of the sensor is connected to a VLAN 506 port where the router is also connected.
    In the end, when the switch sends a CDP packet on the VLAN 500 port it comes back to the switch on a port configured for VLAN 506. For this setup, the forwarding of CDP packets should be disabled on the sensor:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_interfaces.html#wp1105614
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
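The self-neighbouring the reply explains can be picked out of "show cdp neighbors" mechanically. This added example (not code from the post) parses the table quoted above, including Device IDs that wrap onto their own line, finds neighbours whose Device ID is the switch's own hostname, and pairs each such port with the port the frame came back on, together with the access VLAN configured on each. The neighbour table and the access-VLAN map are taken from the post; the hostname comparison and the helper names are this example's own.

```python
"""Detect a switch hearing its own CDP advertisements through an inline
device, from "show cdp neighbors" output plus the access VLAN of each port.

Added example, not code from the post. The neighbour table and VLAN map are
copied from the post above; the hostname check and helper names are mine."""
from collections import defaultdict

SHOW_CDP_NEIGHBORS = """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
TEC-DC-COR-N6.tec.local
                 Gig 9/5           170          R S I     WS-C6509- Gig 9/4
TEC-DC-COR-N6.tec.local
                 Gig 9/2           168          R S I     WS-C6509- Gig 9/3
TEC-DC-COR-N6.tec.local
                 Gig 9/3           174          R S I     WS-C6509- Gig 9/2
TEC-DC-COR-N6.tec.local
                 Gig 9/4           146          R S I     WS-C6509- Gig 9/5
"""

# Access VLANs from the interface configuration quoted in the post.
ACCESS_VLAN = {
    "GigabitEthernet9/2": 506,
    "GigabitEthernet9/3": 500,
    "GigabitEthernet9/4": 502,
    "GigabitEthernet9/5": 503,
}

LONG_NAMES = {"Gig": "GigabitEthernet", "Fas": "FastEthernet", "Ten": "TenGigabitEthernet"}


def canon(short: str) -> str:
    """'Gig 9/5' -> 'GigabitEthernet9/5', the form used in running-config."""
    kind, num = short.split()
    return LONG_NAMES.get(kind, kind) + num


def parse_neighbors(text: str) -> list:
    """Parse the fixed-column table; a long Device ID wraps onto its own line."""
    rows, pending = [], None
    for line in text.splitlines()[1:]:          # skip the header
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace():               # line begins with a Device ID
            pending, tokens = tokens[0], tokens[1:]
            if not tokens:                      # ID wrapped; columns follow
                continue
        rows.append({
            "device": pending,
            "local": canon(" ".join(tokens[0:2])),
            "holdtime": int(tokens[2]),
            "capability": tokens[3:-3],
            "platform": tokens[-3],
            "port": canon(" ".join(tokens[-2:])),
        })
    return rows


def self_loops(rows: list, hostname: str) -> list:
    """Unordered port pairs on which this switch hears its own CDP frames,
    with the access VLAN at each end and whether both ends reported it."""
    me = hostname.split(".")[0].lower()
    reported = defaultdict(set)
    for r in rows:
        if r["device"].split(".")[0].lower() == me:
            reported[tuple(sorted((r["local"], r["port"])))].add(r["local"])
    return [
        {"a": a, "vlan_a": ACCESS_VLAN.get(a),
         "b": b, "vlan_b": ACCESS_VLAN.get(b),
         "both_directions": ends == {a, b}}
        for (a, b), ends in sorted(reported.items())
    ]


if __name__ == "__main__":
    for loop in self_loops(parse_neighbors(SHOW_CDP_NEIGHBORS), "TEC-DC-COR-N6"):
        print(loop)
```

A pair reported from both directions with two different access VLANs is exactly the signature of a transparent inline device: the mismatch message is accurate, the switch really is hearing its own advertisements across the sensor, and the fix the reply points to is to stop the sensor forwarding CDP rather than to change either VLAN.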

  • SG500 LACP trunk mismatch native vlan on individual ports

    Hi All,
    I have just configured up an SG500 with an LACP trunk to an upstream switch.
    I am getting a native VLAN mismatch on the individual ports of the LACP team.
    24-Jan-2013 12:54:48 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/24.
    24-Jan-2013 12:57:35 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/48.
    The following is showing the correct native VLAN:
    BH-WS-AC-2#show int switchport port 1
    Port : Po1
    Port Mode: Trunk
    Gvrp Status: disabled
    Ingress Filtering: true
    Acceptable Frame Type: admitAll
    Ingress UnTagged VLAN ( NATIVE ): 2000
    Port is member in:
    Vlan               Name               Egress rule Port Membership Type
    1200               1200                 Tagged           Static       
    1210            Management              Tagged           Static       
    1212               1212                 Tagged           Static       
    2000           Native Vlan             Untagged          Static      
    But the following shows that the individual ports think they are on the default VLAN 1.
    BH-WS-AC-2#show int switchport gi1/1/48
    Port : gi1/1/48
    Port Mode: Trunk
    Gvrp Status: disabled
    Ingress Filtering: true
    Acceptable Frame Type: admitAll
    Ingress UnTagged VLAN ( NATIVE ): 1
    Port is member in:
    Vlan               Name               Egress rule Port Membership Type
    The following shows the LACP as up:
    BH-WS-AC-2#show int Port-Channel 1
    Load balancing: src-dst-mac-ip.
    Gathering information...
    Channel  Ports
    Po1      Active: gi1/1/24,gi1/1/48
    Is this normal behaviour, as I cannot set the native VLAN directly on the gi interface due to it being in the trunk?
    Simon

    Hi Simon, native VLAN mismatch is a cosmetic error from CDP. It won't affect services provided the VLANs are members of the ports in question.
    You can set the native VLAN while it is within the LAG. On the SX500 it would be
    config t
    int po1
    switchport trunk native vlan xxxx
    The port channel is the same as any other individual port so it's not a problem. 802.1Q specifies the native VLAN is the untagged member; if you want to get rid of the error, make sure the untagged VLANs match up on both sides.
    -Tom
    Please mark answered for helpful posts

  • SG500-P Etherchannel

    I have created a LAG across a stack of two SG-500-28P devices which go to a 3750-E switch stack:
    However, when you unplug one of the EtherChannel members the SG500-28P appears to trigger an STP convergence and the link goes down. To be clear, there is still one active link in the bundle.
    The Ether-channel is UP on Both Sides:
    3750:
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    1      Po1(SU)          -        Gi1/0/1(P)  Gi2/0/1(P)
    SG-500-28P:
    Channel  Ports
    Po1      Active: gi1/1/27,gi2/1/27
    ======================================
    When a link (gi1/1/27) is pulled from the EtherChannel on the SG-500-28P side we see the following in the logs.
    02-May-2013 18:44:58 %TRUNK-W-PORTDOWN: Port gi1/1/27 removed from Po1: port is down/notPresent
    02-May-2013 18:44:58 %LINK-W-Down:  gi1/1/27
    02-May-2013 18:45:00 %TRUNK-W-PORTDOWN: Port gi2/1/27 removed from Po1: port is down/notPresent
    02-May-2013 18:45:00 %LINK-W-Down:  gi2/1/27
    02-May-2013 18:45:00 %LINK-W-Down:  Po1
    02-May-2013 18:45:00 %TRUNK-I-PORTADDED: Port gi2/1/27 added to Po1
    02-May-2013 18:45:00 %LINK-I-Up:  gi2/1/27
    02-May-2013 18:45:00 %LINK-I-Up:  Po1
    02-May-2013 18:45:00 %STP-W-PORTSTATUS: Po1: STP status Forwarding
    02-May-2013 18:45:02 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi2/1/27.
    As you can see from the logs the remaining port (gi2/1/27) is also pulled from the EtherChannel - why? The port-channel goes down for 50 seconds, so I suspect STP involvement.
    FYI - we are running Rapid-PVST on the 3750 and RSTP on the SG-500.

    Hi all, I was wondering the exact same thing. I'm considering a similar design but doing an EtherChannel between two cross-stacked SG500X and 3 UCS servers (C240 M3). Something like this:
    |              |                                  |                 |
    | UCS      |----------------------------------| SG500X    |
    |  C240     |                                 |__________|
    |  M3        |                                   __________
    |              |                                  |                 |
    |              |----------------------------------| SG500X    |
    |________|                                  |__________|
    I don't know if these switches can support this kind of cross-stacked EtherChannel; if they do, then I'm guessing it's the same whether it's a server or a switch connected to it. Thanks in advance
    Edit: Sorry for the ugly ASCII drawing I just did on a whim...
    Message edited by: Eric A. Hernandez Gonzalez

  • AUTOSMARTPORT-F-DEV_CALC_FAILED: XDP device type calculation failed: interface

    Hello,
    The company I work for has some Cisco hardware in the plant and, as our team has no expertise in configuring Cisco switches, I hope you can help me and my team get this problem solved. I will make a brief comment on what is going wrong here:
    I own two SG300-28 and they are connected using LAG over 2 interfaces (GI27 and GI28) but this is not the problem, I think, just the scenario. So I have two sides:
    CSC <--- LAG ---> TOO
    At CSC I have no problem and the switch is running fine for 38 days (we had a hard reboot back there).
    On the other hand, at TOO, we are facing a soft reboot problem and we are not able to fix it. The only message we got, just before the reboot is:
    2147476226          2013-Dec-09 06:20:05          Emergency           %AUTOSMARTPORT-F-DEV_CALC_FAILED: XDP device type calculation failed: interface gi21 - capability 2 ***** FATAL ERROR *****  Reporting Task: NCDP. Software  Version: 1.3.5.58 (date  10-Oct-2013 time  17:15:41) 0x16adbc 0x166f28 0x6df2b0 0x48fad8 0x4903e8 0x490608 0x6e8490 0x6e8528 0x6e8d90 0x82eb24 0x831 7b8 0x837a88 0x1223f0 ***** END OF FATAL ERROR *****
    After reboot:
    2147483510          2013-Dec-09 06:26:29          Warning           %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi21.
    And the switch reboots. This is causing us a lot of problems. As an emergency exit (and it's not fully working) we disabled AutoSmartPort (which is a functionality we will never use in the network layout so we don't need it).
    Is there anything you can tell me to do? I am attaching the running config for TOO. Before someone asks, we already tried to change the hardware (we own a spare SG300) and the same problem is there.

    It's on another post, sorry for this duplicate post:
    https://supportforums.cisco.com/message/4112232#4112232

  • Question about Kurt's comments discussing the separation of AIA & CDP - Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy - Kurt L Hudson MSFT

    Question about the sentence in bold. What is the meaning behind this comment?
    How would you separate the role of the AIA and CDP from a CA subordinate server? I can see where I add a CES and CEP server which has those as well, but I don't completely understand his comment. Because in this second step, (http://technet.microsoft.com/en-us/library/tlg-key-based-renewal.aspx)
    he shows how to implement CES and CEP.
    This is from the guide located at: http://technet.microsoft.com/library/hh831348.aspx
    Step 3: Configure APP1 to distribute certificates and CRLs
    In the extensions of the root CA, it was stated that the CRL from the root CA would be available via http://www.contoso.com/pki. Currently, there is not a PKI virtual directory on APP1, so one must be created.
    In a production environment, you would typically separate the issuing CA role from the role of hosting the AIA and CDP.
    However, this lab combines both in order to reduce the number of resources needed to complete the lab.
    Thanks,
    James

    My concern is, they have a 2-3k base of XP systems, over this year they are migrating them to Windows 7. During this time they will also be upgrading hardware for the existing Windows 7 machines. The turnover of certificates is going to be high, which, from what I've read here, worries me.
    http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx
    The application then can go to those locations to download the CRL. There are, however, some potential issues with this scenario. CRLs over time can get rather large depending on the number of certificates issued and revoked. If CRLs grow to a large size, and many clients have to download CRLs, this can have a negative impact on network performance. More importantly, by default Windows clients will timeout after 15 seconds while trying to download a CRL. Additionally, CRLs have information about every currently valid certificate that has been revoked, which is an excessive amount of data given the fact that an application may only need the revocation status for a few certificates. So, aside from downloading the CRL, the application or the OS has to parse the CRL and find a match for the serial number of the certificate that has been revoked.
    With the above limitations, which mostly revolve around scalability, it is clear that there are some drawbacks to using CRLs. Hence, the introduction of Online Certificate Status Protocol (OCSP). OCSP reduces the overhead associated with CRLs. There are server/client components to OCSP: The OCSP responder, which is the server component, and the OCSP Client. The OCSP Responder accepts status requests from OCSP Clients. When the OCSP Responder receives the request from the client it then needs to determine the status of the certificate using the serial number presented by the client. First the OCSP Responder determines if it has any cached responses for the same request. If it does, it can then send that response to the client. If there is no cached response, the OCSP Responder then checks to see if it has the CRL issued by the CA cached locally on the OCSP. If it does, it can check the revocation status locally, and send a response to the client stating whether the certificate is valid or revoked. The response is signed by the OCSP Signing Certificate that is selected during installation. If the OCSP does not have the CRL cached locally, the OCSP Responder can retrieve the CRL from the CDP locations listed in the certificate. The OCSP Responder then can parse the CRL to determine the revocation status, and send the appropriate response to the client.
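The responder decision chain in the quoted passage, as an added example to make the order of the lookups concrete. This is not Microsoft's responder code: the CRL, the two CDP URLs, the in-memory "network" with its latencies and the keyed-hash stand-in for the OCSP signing certificate's signature are all constructed here. The 15-second timeout is the client default the passage cites; it is applied to each CDP fetch in turn, so a slow LDAP location is skipped in favour of the next HTTP one.

```python
"""Model of the OCSP responder decision chain from the quoted passage:
cached response -> cached CRL -> fetch CRL from the certificate's CDP URLs
(in order, each with a timeout) -> parse -> signed answer.

Added example, not Microsoft's code. CRL contents, CDP URLs, latencies and
the signature stand-in are all constructed for illustration."""
from datetime import datetime, timedelta
import hashlib
from typing import Optional

NOW = datetime(2015, 2, 10, 12, 0, 0)       # fixed clock so the run is reproducible
FETCH_TIMEOUT = timedelta(seconds=15)        # Windows client default quoted above


class CdpUnreachable(Exception):
    """Raised by the fetch stand-in when a CDP URL times out or does not exist."""


class Crl:
    """Only the CRL fields the lookup needs."""
    def __init__(self, issuer: str, revoked: dict, this_update: datetime, next_update: datetime):
        self.issuer = issuer
        self.revoked = revoked                   # serial -> (revocation date, reason)
        self.this_update = this_update
        self.next_update = next_update

    def is_fresh(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


# Constructed "network": an LDAP CDP slower than the timeout, and an HTTP CDP
# that answers. Neither URL is from the original post.
CDP_URLS = [
    "ldap://dc1.example.internal/CN=EntSubCA?certificateRevocationList",
    "http://pki.example.internal/EntSubCA.crl",
]
LATENCY = {CDP_URLS[0]: timedelta(seconds=20), CDP_URLS[1]: timedelta(seconds=1)}
PUBLISHED = {
    CDP_URLS[1]: Crl("CN=EntSubCA",
                     {"1a2b3c": (datetime(2015, 2, 1), "keyCompromise")},
                     NOW - timedelta(days=2), NOW + timedelta(days=5)),
}


def fetch_crl(url: str, timeout: timedelta) -> Crl:
    """Stand-in for the HTTP/LDAP download: fails like a timed-out fetch would."""
    if url not in PUBLISHED or LATENCY.get(url, timedelta(0)) > timeout:
        raise CdpUnreachable(url)
    return PUBLISHED[url]


class OcspResponder:
    def __init__(self, signing_key: bytes, fetch=fetch_crl, now: datetime = NOW):
        self.signing_key = signing_key
        self.fetch = fetch
        self.now = now
        self.response_cache = {}     # (issuer, serial) -> signed response
        self.crl_cache = {}          # issuer -> Crl
        self.fetch_log = []          # CDP URLs actually tried

    def status(self, issuer: str, serial: str, cdp_urls) -> dict:
        # 1. A cached response that has not expired is returned as is.
        cached = self.response_cache.get((issuer, serial))
        if cached and cached["next_update"] > self.now:
            return dict(cached, source="response-cache")
        # 2. Otherwise use the locally cached CRL while it is within its validity.
        crl, source = self.crl_cache.get(issuer), "crl-cache"
        if crl is None or not crl.is_fresh(self.now):
            crl, source = self._fetch_from_cdp(issuer, cdp_urls), "cdp"
        if crl is None:
            # No usable CRL anywhere: answer "unknown" and do not cache it.
            return self._sign({"serial": serial, "status": "unknown", "reason": None,
                               "next_update": self.now, "source": "unavailable"})
        # 3. Parse the CRL for this one serial number.
        entry = crl.revoked.get(serial)
        response = self._sign({"serial": serial,
                               "status": "revoked" if entry else "good",
                               "reason": entry[1] if entry else None,
                               "next_update": crl.next_update})
        self.response_cache[(issuer, serial)] = response
        return dict(response, source=source)

    def _fetch_from_cdp(self, issuer: str, urls) -> Optional[Crl]:
        """Try the certificate's CDP URLs in order; the first fresh CRL wins."""
        for url in urls:
            self.fetch_log.append(url)
            try:
                crl = self.fetch(url, FETCH_TIMEOUT)
            except CdpUnreachable:
                continue
            if crl.issuer == issuer and crl.is_fresh(self.now):
                self.crl_cache[issuer] = crl
                return crl
        return None

    def _sign(self, response: dict) -> dict:
        # Stand-in for the signature by the OCSP signing certificate: a keyed
        # hash over the response fields, which is what the client would verify.
        body = repr(sorted(response.items())).encode()
        return dict(response, signature=hashlib.sha256(self.signing_key + body).hexdigest())


if __name__ == "__main__":
    responder = OcspResponder(b"demo-signing-key")
    for serial in ("1a2b3c", "ffff", "1a2b3c"):
        print(responder.status("CN=EntSubCA", serial, CDP_URLS))
```

The `source` field shows which rung of the chain answered. Note the asymmetry the passage implies: a "good" or "revoked" answer is cached until the CRL's next update, but "unknown" (no CDP reachable) is never cached, so the next request retries the download.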

  • "Unable to check revocation" error while checking CDP from non-domain user account

    Hi!
    I use a 3-tier PKI infrastructure:
    Stand-alone offline Root CA: RootCA;
    Stand-alone offline Intermediate subordinate CA: SubCA;
    Enterprise CA: EntSubCA.
    In the certificate we have three CDP points for CRL checking:
    ldap:///, http:// and file://
    I have a Windows 2008 R2 server joined to the domain.
    I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
    When I use a domain user account for revocation checking, all is OK.
    I have access to every CDP and all is fine.
    But when I use a local server user account, I don't have access to ldap:/// and the process fails although all other links are OK.
    My question is "why does the check fail with a non-domain user account while the other CDP points are successfully verified"?
    Here is the logfile from local user:
    Issuer:
    CN=EntSubCA
    DC=DED
    DC=ROOT
    Subject:
    CN=servername.domain_name
    Cert Serial Number: 5a896145000300006ee2
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    NotBefore: 05.02.2015 20:03
    NotAfter: 05.02.2016 20:03
    Subject: CN=servername.domain_name
    Serial: 5a896145000300006ee2
    SubjectAltName: DNS Name=servername.domain_name
    Template: Machine
    70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
    ---------------- Certificate CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Base CRL CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    OK "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    OK "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 018d:
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=SubCA
    NotBefore: 13.11.2014 19:12
    NotAfter: 13.11.2017 19:22
    Subject: CN=EntSubCA, DC=DED, DC=ROOT
    Serial: 6109015b000100000008
    Template: SubCA
    9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\SubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (32)" Time: 0
    [0.0] file://\\ca\crl\SubCA.crl
    Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 32:
    Issuer: CN=SubCA
    8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
    CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 28.05.2008 12:09
    NotAfter: 28.05.2058 12:19
    Subject: CN=SubCA
    Serial: 616bd19f000100000004
    Template: SubCA
    06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 4
    [0.0] http://webserver/crl/RootCA.crl
    Verified "Base CRL (1c)" Time: 0
    [1.0] file://\\ca\crl\RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 27.05.2008 16:10
    NotAfter: 27.05.2110 16:20
    Subject: CN=RootCA
    Serial: 258de6fbd3bbab92460530e9e9f10536
    5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crl
    Verified "Base CRL (1c)" Time: 4
    [1.0] http://webserver/crl/RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
    Exclude leaf cert:
    5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
    Full chain:
    ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.

    What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions
    (you also use FILE URLs for publication, which again is not recommended).
    The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
    For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster - and one for the OCSP service - also
    an internally and externally accessible, highly available Web cluster.
    The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
    certutil -dspublish -f RootCA.crt.
    This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian
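    A long certutil -verify -urlfetch trace like the one in the question is easier to read once the per-URL results are tabulated by scheme; the pattern Brian points out (every failure is on an ldap:/// or file:// URL, every http:// fetch succeeds) then stands out immediately. The following Python parser is an added example for this page, not part of the thread or of certutil; it assumes the line layout shown in the log above (a section header, a status line, an optional "Error retrieving URL:" line, then the URL), and its sample input is a constructed excerpt of the question's log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the certutil -verify -urlfetch log in the
# question, trimmed to one CDP block, one AIA block and one OCSP block.
SAMPLE_LOG = r"""
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
"""

SECTION_RE = re.compile(r"^-{4,}\s*(.+?)\s*-{4,}$")
STATUS_RE = re.compile(r'^(Failed|Verified|OK|Old Base CRL|No URLs)\s+"([^"]*)"\s+Time:\s*(\d+)$')
ERROR_RE = re.compile(r"^Error retrieving URL:\s*(.+)$")
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s*)?((ldap|https?|file):\S+)$")


@dataclass
class FetchRecord:
    section: str            # e.g. "Certificate CDP"
    status: str             # Failed / Verified / OK / Old Base CRL / No URLs
    what: str               # e.g. 'Base CRL (018d)'
    time_ms: int
    url: Optional[str] = None
    scheme: Optional[str] = None
    error: Optional[str] = None


def parse_fetch_log(text: str) -> List[FetchRecord]:
    """Turn the per-URL blocks of a -urlfetch trace into records; unrelated lines are skipped."""
    records: List[FetchRecord] = []
    section = ""
    current: Optional[FetchRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m:
            current = FetchRecord(section, m.group(1), m.group(2), int(m.group(3)))
            records.append(current)
            continue
        m = ERROR_RE.match(line)
        if m and current is not None:
            current.error = m.group(1)
            continue
        m = URL_RE.match(line)
        if m and current is not None:
            current.url, current.scheme = m.group(1), m.group(2).lower()
    return records


def failures_by_scheme(records: List[FetchRecord]) -> Counter:
    """Count failed fetches per URL scheme: the thread's diagnosis hinges on this split."""
    return Counter(r.scheme for r in records if r.status == "Failed" and r.scheme)


def failed_fetches(records: List[FetchRecord]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(section, scheme, error) for every fetch that failed, for a quick report."""
    return [(r.section, r.scheme, r.error) for r in records if r.status == "Failed"]


if __name__ == "__main__":
    recs = parse_fetch_log(SAMPLE_LOG)
    for section, scheme, error in failed_fetches(recs):
        print(f"{section}: {scheme} failed: {error}")
    print(dict(failures_by_scheme(recs)))
```

    Run against the full log above, the report lists only ldap and file failures with "Logon failure" and "network path was not found" errors, which is the permissions problem of a non-domain account Brian describes; the same script applied to a trace taken under a domain account gives a quick before/after comparison when the CDP and AIA URLs are later changed to HTTP.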

  • AP 3700 PoE with a PSE that does not support CDP/LLDP power negotiation

    We ran into a problem when an AP 3700 is connected to an 802.3at PSE
    that only supports physical event classification, as compliant with the 802.3at standard for PSE,
    but does not support CDP/LLDP power negotiation.
    The AP 3700 (I believe the firmware version does not matter much) cannot get enough power after not receiving any CDP/LLDP power negotiation packet (it gets no more than 15 W although the PSE supports 30 W).

    Hi Leo,
    Thanks for the information. Do you know if the Phihong power injector supports 802.3at LLDP power negotiation or not?
    And is there any special configuration on the AP3700 side, like disabling CDP/LLDP power negotiation, to make it work with such a power injector, and what is the command if there is one?
    Thanks again, Leo.
