09-25-2009 01:58 AM - edited 02-21-2020 03:42 AM
Hi,
Does SNMP MAC notification on the switch really work with a NAC OOB deployment? We have been trying to test it in a POC setup for NAC where the PC with the NAC agent is connected behind Cisco and Nortel IP phones. Once the PC is disconnected from behind the IP phone, the NAC Manager can't receive the SNMP MAC notification from the switch; hence, the user is not automatically removed from Online Users or Certified Devices. We're using NAC version 4.6 and C3750 switches with IOS versions 12.2(35)SE2 and 12.2(35)SE5. We know there is a bug related to MAC notification on switch IOS version 12.2(25)SEC2 or lower, but on stacked switches. We're using standalone switches only for the testing, and a higher IOS version. Hope someone could help me verify which switch IOS version specifically works properly with SNMP MAC notification?
Thanks!
Wendell
09-25-2009 06:48 AM
I don't really have an answer to your question, but this might help with troubleshooting the problem.
SSH to the CAM and tail the following file (you'll need to be root):
[cam]# tail -f /perfigo/control/tomcat/logs/nac_manager.log
You should see LINK_UP / LINK_DOWN / VLAN switching events, etc. from your managed switch. You may also want to look at the SNMP traffic:
[cam]# /usr/sbin/tcpdump -nn -i any port 162 or 161
Hope that helps.
-Dusty
10-02-2009 08:54 AM
Hi Wendell,
We have been seeing this same bug for a week in a lab POC with a L3 VG OOB configuration with 4.6.1 code.
We have a 4506 running 12.2(46).
We changed to linkup/linkdown in our configuration and that doesn't work any better than MAC notification.
We are convinced we have a bug and will be looking for a scrubbed version of code.
Thank goodness we did a POC in a lab setting before doing a Pilot on the production network.
Hope this helps.
Paul
10-02-2009 09:34 AM
Try version 12.2(52) as I know it works with NAC 4.6.1 on a 4506.
10-13-2009 09:17 AM
Just had it confirmed by Cisco TAC. The 12.2(50) version of code is the oldest which they say will work.
This is from the Release Notes of NAC 4.7 and seems to explain it:
Open Caveats (NAC):
CSCsr95757 (Corrected: No)
CAM intermittently stops processing SNMP MAC notification traps from the switch.
This issue can occur on different edge switches. Once the problem is present, no further SNMP MAC notification traps are processed from the CAM for the switch in question.
Note: There is no perfigo-log0.log.0 information, but a tcpdump from a CAM CLI session indicates that the CAM is receiving SNMP MAC notification traps.
Workaround: To re-establish correct SNMP trap handling on the CAM, open a CAM CLI session and enter the following commands:
service perfigo stop
service perfigo start
The CAM immediately starts processing the SNMP MAC notification traps from the problem switch(es).
Note: After a period of time, however, this problem may appear again.
FYI, the workaround didn't help in version 12.2(46) code on a 4506.
Here is the bug information from CCO:
CSCsr84693 Bug Details
Incomplete MAC notification SNMP trap on 4500s
Symptom:
Incomplete MAC notification trap is seen in 12.2(46)SG. The trap is missing some fields:
4: Mon 08/04/08 20:30:54
sysUpTimeInstance = 0d 0:04:10.83
snmpTrapOID.0 = CISCO-MAC-NOTIFICATION-MIB!cmnMacChangedNotification
cmnHistMacChangedMsg.3 = 02
cmnHistTimestamp.3 = 0d 0:04:10.83
A complete trap looks like the following:
sysUpTimeInstance = 0d 0:07:14.16
snmpTrapOID.0 = CISCO-MAC-NOTIFICATION-MIB!cmnMacChangedNotification
cmnHistMacChangedMsg.2 = 01:00:01:00:11:00:22:00:33:00:47:00
cmnHistTimestamp.2 = 0d 0:07:14.16
Thus, in cmnHistMacChangedMsg attribute, the following fields are missing:
MAC Address
Dot1dBasePort
Conditions:
This problem is seen whenever a Mac notification trap is sent.
Workaround:
Use CLI "sh mac-add not change" in 12.2(46)SG.
Use a different software release; e.g., 12.2(44)SG
Hope this helps.
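As an added example (not code from this thread, from Cisco, or from the NAC product), here is a small parser for the cmnHistMacChangedMsg varbind that the two traps quoted above carry. The per-entry layout it assumes, one byte operation (1 = MAC learnt, 2 = MAC removed), two bytes VLAN, six bytes MAC, two bytes dot1dBasePort and one trailing reserved byte, is my reading of CISCO-MAC-NOTIFICATION-MIB and should be treated as an assumption; it does match the 12-byte complete trap shown in the bug details. The point for an OOB NAC operator is visible in the output: the complete trap yields the VLAN, MAC and port needed to take a user offline, while the truncated 12.2(46)SG trap carries only the operation byte, so there is nothing for the CAM to act on and the client lingers in Online Users. The two varbind values are copied from the traps quoted in the thread; the function and class names are my own.

```python
"""Decode cmnHistMacChangedMsg from a CISCO-MAC-NOTIFICATION-MIB trap.

Added example, not vendor code.  Entry layout (assumed from the MIB):
  byte 0     operation  (1 = MAC learnt, 2 = MAC removed)
  bytes 1-2  VLAN number (big-endian)
  bytes 3-8  MAC address
  bytes 9-10 dot1dBasePort (big-endian)
  byte 11    reserved / padding
"""
from dataclasses import dataclass

ENTRY_LEN = 12
OPERATIONS = {1: "learnt", 2: "removed"}


@dataclass
class MacChange:
    operation: str
    vlan: int
    mac: str
    dot1d_base_port: int


class IncompleteTrap(ValueError):
    """Raised when the varbind is shorter than one full entry (the CSCsr84693 symptom)."""


def parse_hex_octets(text):
    """Convert the colon-separated hex dump shown in the trap log to bytes."""
    return bytes(int(octet, 16) for octet in text.strip().split(":") if octet)


def parse_mac_changed_msg(payload):
    """Return the MacChange entries packed into one cmnHistMacChangedMsg value.

    A varbind shorter than ENTRY_LEN cannot name a MAC or port, so it is
    reported as IncompleteTrap rather than silently decoded as garbage.
    """
    if len(payload) < ENTRY_LEN:
        raise IncompleteTrap(
            f"cmnHistMacChangedMsg has {len(payload)} byte(s), expected at least {ENTRY_LEN}"
        )
    entries = []
    for offset in range(0, len(payload) - ENTRY_LEN + 1, ENTRY_LEN):
        entry = payload[offset:offset + ENTRY_LEN]
        operation = OPERATIONS.get(entry[0], f"unknown({entry[0]})")
        vlan = int.from_bytes(entry[1:3], "big")
        mac = ":".join(f"{b:02x}" for b in entry[3:9])
        port = int.from_bytes(entry[9:11], "big")
        entries.append(MacChange(operation, vlan, mac, port))
    return entries


def classify_trap(varbind_hex):
    """Summarise one trap for an operator: parsed entries, or the truncation fault.

    Counting "incomplete" results per switch is a cheap way to spot the
    12.2(46)SG behaviour before users complain about stale Online Users entries.
    """
    try:
        entries = parse_mac_changed_msg(parse_hex_octets(varbind_hex))
        return {"status": "ok", "entries": entries}
    except IncompleteTrap as exc:
        return {"status": "incomplete", "reason": str(exc), "entries": []}


# Varbind values copied from the two traps quoted in the CSCsr84693 bug details.
COMPLETE_TRAP = "01:00:01:00:11:00:22:00:33:00:47:00"
TRUNCATED_TRAP = "02"

if __name__ == "__main__":
    for label, raw in (("complete", COMPLETE_TRAP), ("truncated", TRUNCATED_TRAP)):
        print(label, classify_trap(raw))
```

Run against the complete trap this decodes to a "learnt" entry for MAC 00:11:00:22:00:33 in VLAN 1 on dot1dBasePort 71; the truncated trap is flagged as incomplete, which is the condition to alarm on (or to correlate with Dusty's tcpdump on port 162) when the CAM keeps receiving traps but never removes the client.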