Error disable ports with cisco phone and computer daisy chained together

I have a WS-C2960S-48FPS-L stack running software version 15.0(2)SE2. I keep getting intermittent error disable on some ports after configuring 802.1x on the ports.

Port config

interface GigabitEthernet3/0/37
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 11
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 101
 authentication event no-response action authorize vlan 963
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 3
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

syslog server output (Splunk search results, newest entry first):

Apr 15 07:38:45 10.42.245.5 5057: .Apr 15 12:38:32.441: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/37, changed state to down
Apr 15 07:38:44 10.42.245.5 5056: Apr 15 12:38:31.418: %PM-4-ERR_DISABLE: security-violation error detected on Gi3/0/37, putting Gi3/0/37 in err-disable state (CPAHP-CR-STK1-3)
Apr 15 07:38:44 10.42.245.5 5055: .Apr 15 12:38:31.419: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/0/37, new MAC address (d4be.d92d.2363) is seen.AuditSessionID  Unassigned
    (mac address from phone on data)
Apr 15 07:38:44 10.42.245.5 5054: .Apr 15 12:38:31.377: %AUTHMGR-5-START: Starting 'dot1x' for client (d4d7.48ff.e809) on Interface Gi3/0/37 AuditSessionID 0A2AF505000008E5648AEE19
Apr 15 07:38:44 10.42.245.5 5053: .Apr 15 12:38:31.361: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi3/0/37, port's configured trust state is now operational.
Apr 15 07:38:31 10.42.245.5 5052: .Apr 15 12:38:20.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/37, changed state to up
Apr 15 07:38:31 10.42.245.5 5051: .Apr 15 12:38:19.030: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/37, changed state to up
 
I am using Cisco 4945 IP phones at this site; at another site running the same phones, the same IOS and the same model switch with the same configs I am not experiencing any issues.
 
At both sites computers are daisy chained through the phone. I see the phone is trusted first, so it would be sending tagged packets; the switch, trying to authenticate the computer, picks up both MAC addresses and goes into error disable. If I shut and no shut the port it clears and only shows the 2 MAC addresses, phone and computer.
Any input would be greatly appreciated.
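The violation sequence in the syslog above, as an added example that is not part of the original post: a small Python script that parses the IOS messages, puts them back into sequence-number order (Splunk shows the newest entry first), and ties each %AUTHMGR-5-SECURITY_VIOLATION to the %AUTHMGR-5-START that preceded it and the %PM-4-ERR_DISABLE that followed it, so the report names both the MAC that was authenticating and the second MAC that tripped the port. The sample lines are the seven messages from the post, rejoined onto one line each; the relay prefix layout (syslog timestamp, source IP, sequence number, IOS timestamp with milliseconds) is assumed to be what the post shows and the regexes match only that shape.

```python
import re
from collections import defaultdict

# Sample input: the seven messages from the post above, rejoined onto one line each.
SAMPLE_SYSLOG = """\
Apr 15 07:38:45 10.42.245.5 5057: .Apr 15 12:38:32.441: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/37, changed state to down
Apr 15 07:38:44 10.42.245.5 5056: Apr 15 12:38:31.418: %PM-4-ERR_DISABLE: security-violation error detected on Gi3/0/37, putting Gi3/0/37 in err-disable state (CPAHP-CR-STK1-3)
Apr 15 07:38:44 10.42.245.5 5055: .Apr 15 12:38:31.419: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/0/37, new MAC address (d4be.d92d.2363) is seen.AuditSessionID  Unassigned
Apr 15 07:38:44 10.42.245.5 5054: .Apr 15 12:38:31.377: %AUTHMGR-5-START: Starting 'dot1x' for client (d4d7.48ff.e809) on Interface Gi3/0/37 AuditSessionID 0A2AF505000008E5648AEE19
Apr 15 07:38:44 10.42.245.5 5053: .Apr 15 12:38:31.361: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi3/0/37, port's configured trust state is now operational.
Apr 15 07:38:31 10.42.245.5 5052: .Apr 15 12:38:20.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/37, changed state to up
Apr 15 07:38:31 10.42.245.5 5051: .Apr 15 12:38:19.030: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/37, changed state to up
"""

# Message part after the relay prefix: "<seq>: [.|*]<IOS timestamp>: %FAC-SEV-MNEMONIC: text".
# IOS puts '.' in front of the timestamp when the clock is authoritative but NTP sync has
# been lost, and '*' when the clock was never authoritative; the marker is captured but
# otherwise ignored. The timestamp pattern assumes "service timestamps ... msec" as in the post.
MSG_RE = re.compile(
    r"(?P<seq>\d+): (?P<sync>[.*]?)(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mnemonic>%[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)"
)
# IOS prints the same port as "GigabitEthernet3/0/37" or "Gi3/0/37"; normalise to the short form.
IFACE_RE = re.compile(r"\b(?:GigabitEthernet|Gi)(\d+/\d+/\d+)\b")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")


def parse_line(line):
    """Return a dict of the useful fields, or None for lines that are not IOS messages."""
    m = MSG_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    iface = IFACE_RE.search(text)
    mac = MAC_RE.search(text)
    return {
        "seq": int(m.group("seq")),
        "ts": m.group("ts"),
        "mnemonic": m.group("mnemonic"),
        "iface": "Gi" + iface.group(1) if iface else None,
        "mac": mac.group(1) if mac else None,
        "text": text,
    }


def correlate(lines):
    """Return {iface: [violation dicts]} from syslog lines supplied in any order."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["seq"])  # restore wire order; Splunk listed newest first
    session_mac = {}                      # iface -> MAC whose authentication last started
    findings = defaultdict(list)
    for e in events:
        iface = e["iface"]
        if iface is None:
            continue
        if e["mnemonic"] == "%AUTHMGR-5-START":
            session_mac[iface] = e["mac"]
        elif e["mnemonic"] == "%AUTHMGR-5-SECURITY_VIOLATION":
            findings[iface].append({
                "ts": e["ts"],
                "new_mac": e["mac"],                    # the MAC that tripped the violation
                "session_mac": session_mac.get(iface),  # the MAC that was authenticating
                "errdisabled": False,
            })
        elif e["mnemonic"] == "%PM-4-ERR_DISABLE" and "security-violation" in e["text"]:
            if findings[iface]:
                findings[iface][-1]["errdisabled"] = True
            else:  # err-disable without a preceding violation message: keep it visible
                findings[iface].append({"ts": e["ts"], "new_mac": None,
                                        "session_mac": session_mac.get(iface),
                                        "errdisabled": True})
    return dict(findings)


def report(findings):
    """One human-readable line per violation."""
    out = []
    for iface, viols in sorted(findings.items()):
        for v in viols:
            out.append(
                f"{iface} {v['ts']}: second MAC {v['new_mac']} seen while "
                f"{v['session_mac']} was authenticating"
                + (" -> port err-disabled" if v["errdisabled"] else "")
            )
    return out


if __name__ == "__main__":
    for line in report(correlate(SAMPLE_SYSLOG.splitlines())):
        print(line)
```

Feed it the raw lines from the syslog collector rather than the Splunk rendering; the sequence number is what orders the events, since the IOS timestamps of the violation and the err-disable message in the post differ by a millisecond in the wrong direction.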
 

 

10 REPLIES

Hello
Is it possible that your users are unpatching PCs from the phones and moving them to other phones?

If so, the "Cisco Discovery Protocol Enhancement for Second Port Disconnect" should inform the upstream switch. This enhancement is supported in certain phone firmwares and switch IOS versions; see the link below.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389517

hth
Andy

No, all employees have assigned seating. This problem actually appeared when I first NACed the switchports.

It came up error disabled. I did a MAC address look-up on the port and noticed that the MAC address of the phone was appearing in both the voice and data VLANs, 3 MAC addresses on the port, which is most likely causing the issue. I checked Cisco and I found there was a firmware issue with a different phone model, not this model, 7945. I checked the other site where there aren't any issues and all the phone parameters match exactly.

Thank you

Hi anthonny225,

 

I have experienced an issue like yours.

The interface was entering err-disabled status as I connected the phone to this interface.

I tried a lot to solve this issue but I didn't have success.

You can try to change the IOS version; that was the way I solved my problem. I was having problems using IOS 15.2(2)E1. Changing to 15.0(2)SE7, which is an MD version, my problem was solved.

I hope it can help you.

 

Hi,

you need to configure:

authentication host-mode multi-domain (1 PC + 1 IP-PHONE)

OR

authentication host-mode multi-domain (many PCs + 1 IP-Phone )

AND

authentication order mab dot1x

 

Regard Horst

Thank you so much I will try it, I really do appreciate the help.


 

Don't forget to send the cisco-av-pair "device-traffic-class=voice" from RADIUS to the switch.

If you're using ACS:

 
Policy Elements >Authorization and Permissions >Network Access >Authorization Profiles >
Voice VLAN
Permission to Join:
Yes (device-traffic-class=voice)
ACS is good; we have hundreds of switches with the same policy and no issues. I tried adding the commands to the switch port. Also, if I make changes to the ACS policy it will affect the enterprise.

Added to the switch port:

authentication host-mode multi-domain
authentication order mab dot1x

The port went into error disable; I could not clear it.

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  11    203a.xxxx.xxxx    DYNAMIC     Gi2/0/31   (Cisco phone)
 101    1803.xxxx.xxxx    DYNAMIC     Gi2/0/31   (computer)
 101    203a.xxxx.xxxx    DYNAMIC     Gi2/0/31   (Cisco phone)

Very Respectfully

John
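Horst's host-mode point and the MAC table John posted above, as an added example that is not part of either post: a Python check that reads "show mac address-table" output for a port and counts learned MACs per authentication domain (voice VLAN versus data VLAN) the way multi-domain mode does, where each domain admits one device and an extra MAC in either domain is a security violation (the default violation action is shutdown, i.e. err-disable). The sample table is constructed from John's three entries with the masked octets replaced by made-up values; the VLAN numbers (11 voice, 101 data) are the ones in the port config, and the "data_limit" and "voice_limit" parameters are this example's own way of modelling multi-auth (many data devices) versus multi-domain.

```python
import re

# Constructed sample: John's three rows with the masked octets replaced by made-up values.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  11    203a.0000.0001    DYNAMIC     Gi2/0/31   (Cisco phone)
 101    1803.0000.0002    DYNAMIC     Gi2/0/31   (computer)
 101    203a.0000.0001    DYNAMIC     Gi2/0/31   (Cisco phone, again)
"""

# One entry row: vlan, dotted-hex MAC, type (DYNAMIC/STATIC), port. Header and
# separator lines do not start with a VLAN number and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Yield (vlan, mac, port) for each entry row of a 'show mac address-table' dump."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield int(m["vlan"]), m["mac"].lower(), m["port"]


def domain_check(text, voice_vlan, data_vlan, data_limit=1, voice_limit=1):
    """Group learned MACs per port into the voice and data domains and flag over-limit ones.

    data_limit=1, voice_limit=1 models multi-domain (one PC + one phone); a larger
    data_limit models multi-auth (many PCs + one phone). MACs in any other VLAN
    (for example a guest/no-response VLAN) are kept under "other" and not counted.
    """
    ports = {}
    for vlan, mac, port in parse_mac_table(text):
        p = ports.setdefault(port, {"voice": set(), "data": set(), "other": set()})
        if vlan == voice_vlan:
            p["voice"].add(mac)
        elif vlan == data_vlan:
            p["data"].add(mac)
        else:
            p["other"].add(mac)
    for p in ports.values():
        p["in_both"] = p["voice"] & p["data"]          # the symptom John describes
        p["violation"] = len(p["data"]) > data_limit or len(p["voice"]) > voice_limit
    return ports


def explain(ports):
    """One line per port saying whether the learned MACs fit the configured host mode."""
    out = []
    for port, p in sorted(ports.items()):
        if not p["violation"]:
            out.append(f"{port}: ok ({len(p['voice'])} voice, {len(p['data'])} data)")
            continue
        msg = (f"{port}: VIOLATION, {len(p['data'])} MAC(s) in data domain, "
               f"{len(p['voice'])} in voice domain")
        if p["in_both"]:
            msg += f"; {', '.join(sorted(p['in_both']))} learned in both VLANs"
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in explain(domain_check(SAMPLE_MAC_TABLE, voice_vlan=11, data_vlan=101)):
        print(line)
```

Run it against "show mac address-table interface <port>" after a clean link-up and again when the port trips: the interesting case is a MAC that shows up under "in_both", because that single device consumes the data domain's one slot before the PC is even seen.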

 

What happens when you:

1. Only connect the IP phone. Is the phone in the voice VLAN?

Verify with "show authentication session".

2. Disconnect the phone and connect the PC. Is the PC in the data VLAN?

How do you authenticate the IP phone (MAC address or user/password)?

 

Horst

 

The phone is authenticated through MAC address and is in the voice VLAN 11.


Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  11    20bb.xxxx.xxxx    STATIC      Gi2/0/35 Cisco phone 7945


Total Mac Addresses for this criterion: 1
CPAHP-CR-STK2#sh run int Gi2/0/35
Building configuration...

Current configuration : 661 bytes
!
interface GigabitEthernet2/0/35
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 11
 power inline auto max 15400
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 101
 authentication event no-response action authorize vlan 963
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 3
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

====================================

The computer authenticates in data VLAN 101, which is correct.

Is this output a "show vlan" or the result of "show authentication session"?

Very helpful is a "debug radius". Can you post both outputs?
