NAC can't receive SNMP mac notification

Unanswered Question
Sep 25th, 2009

Hi,


Does SNMP MAC notification for the switch really work with a NAC OOB deployment? We have been trying to test in a POC setup for NAC where the PC with the NAC agent is connected behind Cisco and Nortel IP phones. Once the PC is disconnected behind the IP phone, the NAC manager can't receive the SNMP MAC notification from the switch; hence, the user is not automatically removed from the online users or certified devices. We're using NAC version 4.6 and a C3750 switch with versions 12.2(35)SE2 and 12.2(35)SE5. We know there is a bug regarding MAC notification on switch IOS version 12.2(25)SEC2 or lower, but on stacked switches. But we're using standalone switches only for the testing and a higher IOS version. Hope someone could help me verify which IOS version of the switch works properly with SNMP MAC notification?


Thanks!


Wendell

draper7 Fri, 09/25/2009 - 06:48

I don't really have an answer to your question, but this might help with troubleshooting the problem.


SSH to the CAM and tail the following file (you'll need to be root):


[cam]# tail -f /perfigo/control/tomcat/logs/nac_manager.log


You should see LINK_UP / LINK_DOWN / VLAN switching events, etc. from your managed switch. You may also want to see the SNMP traffic itself.


[cam]# /usr/sbin/tcpdump -nn -i any port 162 or 161


Hope that helps.



-Dusty

pmccubbin Fri, 10/02/2009 - 08:54

Hi Wendell,

We have been seeing this same bug for a week in a lab POC with a L3 VG OOB configuration with 4.6.1 code.


We have a 4506 running 12.2(46).


We changed to linkup/linkdown in our configuration, and that doesn't work any better than MAC notification.


We are convinced we have a bug and will be looking for a scrubbed version of code.


Thank goodness we did a POC in a lab setting before doing a Pilot on the production network.


Hope this helps.


Paul



pmccubbin Fri, 10/02/2009 - 09:34

Try version 12.2(52) as I know it works with NAC 4.6.1 on a 4506.

pmccubbin Tue, 10/13/2009 - 09:17

Just had it confirmed by Cisco TAC. The 12.2(50) version of code is the oldest which they say will work.


This is from the Release Notes of NAC 4.7 and seems to explain it:


Open Caveats NAC

CSCsr95757
No

CAM intermittently stops processing SNMP MAC notification traps from the switch.


This issue can occur on different edge switches. Once the problem is present, no further SNMP MAC notification traps are processed from the CAM for the switch in question.


Note: There is no perfigo-log0.log.0 information, but a tcpdump from a CAM CLI session indicates that the CAM is receiving SNMP MAC notification traps.


Workaround: To re-establish correct SNMP trap handling on the CAM, open a CAM CLI session and enter the following commands:


service perfigo stop

service perfigo start


The CAM immediately starts processing the SNMP MAC notification traps from the problem switch(es).



Note: After a period of time, however, this problem may appear again.



FYI, the workaround didn't help in version 12.2(46) code on a 4506.


Here is the bug information from CCO:

CSCsr84693 Bug Details

Incomplete MAC notification SNMP trap on 4500s


Symptom:



Incomplete MAC notification trap is seen in 12.2(46)SG. The trap is missing some fields:


4: Mon 08/04/08 20:30:54

sysUpTimeInstance = 0d 0:04:10.83

snmpTrapOID.0 = CISCO-MAC-NOTIFICATION-MIB!cmnMacChangedNotification

cmnHistMacChangedMsg.3 = 02

cmnHistTimestamp.3 = 0d 0:04:10.83


A complete trap looks like the following:

sysUpTimeInstance = 0d 0:07:14.16

snmpTrapOID.0 = CISCO-MAC-NOTIFICATION-MIB!cmnMacChangedNotification

cmnHistMacChangedMsg.2 = 01:00:01:00:11:00:22:00:33:00:47:00

cmnHistTimestamp.2 = 0d 0:07:14.16


Thus, in cmnHistMacChangedMsg attribute, the following fields are missing:

MAC Address

Dot1dBasePort


Conditions:


This problem is seen whenever a Mac notification trap is sent.


Workaround:



Use CLI "sh mac-add not change" in 12.2(46)SG.

Use a different software release; e.g., 12.2(44)SG



Hope this helps.
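The two trap samples quoted from the bug report above differ only in the cmnHistMacChangedMsg varbind: the good one carries a full 12-byte record, the bad one carries a single byte. The decoder below is an added example (not code from the thread, from Cisco NAC, or from IOS) that parses that varbind using the fixed-width record layout the CISCO-MAC-NOTIFICATION-MIB describes for cmnHistMacChangedMsg (per entry: 1 byte operation, 2 bytes VLAN, 6 bytes MAC, 2 bytes dot1dBasePort, with the whole message terminated by a 0x00 byte), which the complete sample above matches byte for byte. The function and field names are the example's own; the sample values come from the thread, plus one constructed two-entry message to show that the same decoder handles multi-entry traps.

```python
"""Decoder for the CISCO-MAC-NOTIFICATION-MIB cmnHistMacChangedMsg varbind.

Added example, not part of the forum thread or of any Cisco software.
It classifies a trap as complete or incomplete instead of silently
dropping it, which is exactly what the CAM symptom described in the
thread (traps arrive on the wire but nothing is processed) hides.
"""
from dataclasses import dataclass
from typing import Dict, List

ENTRY_LEN = 11                    # 1 (op) + 2 (vlan) + 6 (mac) + 2 (dot1dBasePort)
OPERATIONS = {1: "learnt", 2: "removed"}


@dataclass
class MacChange:
    operation: str
    vlan: int
    mac: str
    dot1d_base_port: int


class IncompleteTrap(ValueError):
    """Raised when the payload is not whole entries plus a 0x00 terminator."""


def parse_hex_octets(text: str) -> bytes:
    """Turn the colon-separated octet string shown in the trap dump into bytes."""
    return bytes(int(octet, 16) for octet in text.strip().split(":") if octet)


def decode_mac_changed_msg(payload: bytes) -> List[MacChange]:
    """Decode every 11-byte record; raise IncompleteTrap on any length defect."""
    if not payload or payload[-1] != 0x00:
        raise IncompleteTrap("missing 0x00 terminator")
    body = payload[:-1]
    if len(body) % ENTRY_LEN != 0:
        raise IncompleteTrap(
            f"{len(body)} byte(s) of entry data, expected a multiple of {ENTRY_LEN}")
    entries: List[MacChange] = []
    for off in range(0, len(body), ENTRY_LEN):
        rec = body[off:off + ENTRY_LEN]
        op = rec[0]
        if op not in OPERATIONS:
            raise IncompleteTrap(f"unknown operation code {op}")
        vlan = int.from_bytes(rec[1:3], "big")
        mac = ":".join(f"{b:02x}" for b in rec[3:9])
        port = int.from_bytes(rec[9:11], "big")
        entries.append(MacChange(OPERATIONS[op], vlan, mac, port))
    return entries


def check_trap(varbind_hex: str) -> Dict:
    """Classify one cmnHistMacChangedMsg value for logging or alerting.

    Returns {"status": "complete"|"incomplete", "reason": str, "entries": [...]}.
    """
    try:
        entries = decode_mac_changed_msg(parse_hex_octets(varbind_hex))
    except IncompleteTrap as exc:
        return {"status": "incomplete", "reason": str(exc), "entries": []}
    return {"status": "complete", "reason": "", "entries": [vars(e) for e in entries]}


# Sample varbinds: the first two are the ones quoted in the bug report above,
# the third is a constructed two-entry message (learnt then removed, VLAN 10, port 5).
SAMPLES = {
    "incomplete_12.2(46)SG": "02",
    "complete": "01:00:01:00:11:00:22:00:33:00:47:00",
    "constructed_two_entries":
        "01:00:0a:aa:bb:cc:dd:ee:ff:00:05:02:00:0a:aa:bb:cc:dd:ee:ff:00:05:00",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, check_trap(value))
```

When run against the incomplete sample the decoder reports "missing 0x00 terminator"; the complete sample decodes to a "learnt" event for MAC 00:11:00:22:00:33 on VLAN 1, dot1dBasePort 71 (0x0047). Wiring a check like this into whatever reads the tcpdump output from the CAM gives an operator a per-switch count of malformed traps, which is the evidence TAC asked for in this thread.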
