Network drops after NAC

hemen.goradia
Level 1

After implementation of NAC OOB VG, users are complaining of random network loss. Any guesses?

9 Replies

hadbou
Level 5

Are you getting any error messages?

No errors, just "Destination Host Unreachable".

Hemen

dgold
Level 1

If you are using Clean Access Agent v4.1.3.0, upgrade to 4.1.3.1 and the problem will be resolved.

After the upgrade it still does not work...

Hemen

Did you get the chance to see the problem on a PC while it's occurring? Does the CCA agent keep refreshing its IP? Check to see if the PC has the IP from the user or auth VLAN. If the CCA Agent keeps on re-authenticating and goes into a loop, you might want to block UDP 8905 and 8906 from the user VLAN.

Please give us more info in order to determine what is wrong. Finding out what exactly happens at the user level is critical.

Yes, I checked: the PC is not refreshing its IP and it always stays in the user VLAN. I kept a ping log for a day and it shows "destination host unreachable" in between.

Hemen

If the PC holds the user VLAN IP address but gets the "destination host unreachable" ping error, the CAM server might have put the port for the PC back to the auth VLAN for some reason.

In this case, you can do a DHCP release and renew on the PC, or simply restart the PC. It should get an IP from the auth VLAN and go through the CCA authentication and posture assessment. Then you will be good.

One thing you can check to see why the port for the PC went back to the auth VLAN:

Go to Device Management -> Clean Access -> Certified Devices -> Timer

If you have a scheduled cleanup rule to clear your certified devices, your PCs might be put back to the auth VLAN. Just edit the rule and check the box for "Keep Online Users".

If the above is not the cause, find out if there is any unexpected reboot on your access switch, assuming your PC is connected to the port behind an IP phone. This is because your PC didn't lose network connection, but the access layer switch detected a new MAC notification and triggered a switch to the auth VLAN.

I tried all the above exercises. This issue is across the network and very frequent, so restarting systems is not a feasible solution.

There is no timer set on certified devices in CAM.

We don't have IP phones in the network.

Hemen

One more thing you can check:

Go to CAM, check Monitoring -> Event Logs -> Log Viewer

Add a filter for text, set it to "contains", and enter the IP address or the username of one of the PCs that has the problem. See what kind of events have been happening to the PC. This should give you some idea of what's going on.
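The two pieces of evidence the thread relies on, a day-long ping log from an affected PC and the CAM Log Viewer filtered on that PC's IP or username, are only useful together if the outage windows in one can be lined up against the events in the other. The script below is an added example, not code from the thread or from Cisco: it groups consecutive failed pings into outage windows and then lists the filtered events that fall within a few seconds of each window. The ping lines and the event-log lines are constructed sample data in a simplified timestamped format (the CAM Log Viewer export format is not shown on the page, so the regex would need adjusting for real output), and the IP 10.1.20.55, the usernames and the VLAN numbers are placeholders.

```python
"""Correlate gaps in a timestamped ping log with NAC event-log entries.

Added example, not from the thread or from Cisco. All sample data below is
constructed; the line format is an assumption, not real CAM Log Viewer output.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
FAIL_MARKERS = ("unreachable", "timed out")

# Constructed: a continuous ping from the PC to its gateway, one line per second.
PING_LOG = """\
2009-03-02 09:00:00 Reply from 10.1.20.1: bytes=32 time=1ms TTL=64
2009-03-02 09:00:01 Reply from 10.1.20.1: bytes=32 time=1ms TTL=64
2009-03-02 09:00:02 Destination host unreachable.
2009-03-02 09:00:03 Destination host unreachable.
2009-03-02 09:00:04 Destination host unreachable.
2009-03-02 09:00:05 Reply from 10.1.20.1: bytes=32 time=1ms TTL=64
2009-03-02 09:00:06 Reply from 10.1.20.1: bytes=32 time=1ms TTL=64
2009-03-02 09:00:07 Request timed out.
2009-03-02 09:00:08 Reply from 10.1.20.1: bytes=32 time=1ms TTL=64
"""

# Constructed: what a text export of the event log might look like (placeholder IPs/users).
EVENT_LOG = """\
2009-03-02 08:55:10 INFO  10.1.20.55 user1 login success, port moved to user vlan 20
2009-03-02 09:00:02 WARN  10.1.20.55 user1 certified device removed, port moved to auth vlan 120
2009-03-02 09:00:05 INFO  10.1.20.55 user1 re-authenticated, port moved to user vlan 20
2009-03-02 09:00:07 INFO  10.1.20.77 user2 login success, port moved to user vlan 20
"""


def parse_ping_log(text):
    """Return [(timestamp, ok)] for each timestamped ping line; other lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        body = m.group(2).lower()
        ok = not any(marker in body for marker in FAIL_MARKERS)
        samples.append((ts, ok))
    return samples


def outage_windows(samples):
    """Group runs of consecutive failed pings into (start, end, failed_count) tuples."""
    windows = []
    start = last = None
    count = 0
    for ts, ok in samples:
        if ok:
            if start is not None:
                windows.append((start, last, count))
                start, count = None, 0
        else:
            if start is None:
                start = ts
            last = ts
            count += 1
    if start is not None:  # log ended while still failing
        windows.append((start, last, count))
    return windows


def filter_events(text, needle):
    """Mimic the Log Viewer 'contains' text filter: keep timestamped lines mentioning needle."""
    needle = needle.lower()
    return [(datetime.strptime(m.group(1), TS_FMT), m.group(2))
            for m in (TS_RE.match(line.strip()) for line in text.splitlines())
            if m and needle in m.group(2).lower()]


def correlate(windows, events, slack=timedelta(seconds=2)):
    """For each outage window, collect the filtered events within +/- slack of it."""
    result = []
    for start, end, count in windows:
        hits = [msg for ts, msg in events if start - slack <= ts <= end + slack]
        result.append({"start": start, "end": end, "failed": count, "events": hits})
    return result


if __name__ == "__main__":
    windows = outage_windows(parse_ping_log(PING_LOG))
    events = filter_events(EVENT_LOG, "10.1.20.55")
    for r in correlate(windows, events):
        print(f"{r['start']} - {r['end']}: {r['failed']} failed pings")
        for msg in r["events"]:
            print("    ", msg)
```

With the sample data, the three-second outage lines up with the port being moved to the auth VLAN and back, which is exactly the pattern the earlier replies describe; a second, one-ping gap with no matching event would point away from the CAM and toward the switch or the path itself. The slack value should be widened if the PC's clock and the CAM's clock are not synchronised.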
