As far as I know, this is all normal, especially before lunch time and before 5pm as users leave their desks.
However, we recently noticed logs showing "Kicked OOB user" messages without a "Logout request" messages (several every day). Additionally, for a couple of times in the past several month, we experienced an issue where over a period of a minute or two minutes, hundreds of users got kicked by the CAM - event logs should pages of Kicks messages without "logout request" messages.
Some users would be re-authenticated automatically, however, some would need to restart their computers. Also, some would be stuck in the In Band mode - this should never happen as all users should be Out of Band once authenticated and successfully posture assessed. We would then need to manually kick those users stuck in the In Band mode forcing them to re-authenticate.
Any ideas on what is causing KICKs without the logout request and why users would be stuck in the In Band mode?
If the users are getting kicked without the the logout messages could be the session timer expires for the user role they are associated to, also if they are manually kicked, meaning if you have a new administrator on the NAC appliance and they are trying to choose a specific user but then they end up kicking the entire users on the table.
As far as users being stuck in the 'in band' role, are they coming up stuck in the temporary role? If so, are you using SSO from a wireless controller or users coming through the ASA? Also, what version are you on, if you are on 4.7.2 and you are using wildcard filters, there is a patch that Cisco can provide that will help fix this.
I looked for messages that would indicate admin kicking all users. However, I found non leading up to the time this issue occured. Specifically there were no "admin logon" or "manual kick" messages. As for session timer expired, is this timer based on user logon time (different for each user)? The reason I am asking is all users got kick within a matter of 2 minutes.
We are using version 4.8. Users are not coming through the ASAs.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...