c4500 Sup IV: Strange dot1X MAB malfunction after deleting VLAN

Rolf Fischer · ‎07-12-2013

Hi,

today we had a very strange incident on some dot1.x (MAB, host mode multi-auth) enabled switchports: After I deleted a not-used VLAN on the VTP server, dozens of users suddenly lost their LAN-connectivity.

As access-switches we have many different platforms at this site but affected were solely all our c4500 (Supervisor IV, 15.0(2)SG4 IPBASE, ROM: 12.2(31r)SGA4, 100Base-FX linecards), but no 2k/3k platfoms.

On the access-switches we saw:

"show auth session int <int>" showed authentication successful (as normal)
"show mac addr int <int>" showed the MAC-address entry in the expected VLAN (also as normal)

But on the Core-Switch

"show mac addr addr <mac>" showed no result
"show ip arp <mac>" showed a aging entry (>60 minutes), ping didn't work nor refresh the ARP entry

Not understanding what was going on, we finally did a "clear auth sess interface <int>" on the access-switches and this solved the problem.

I now think this dot1x malfunction was somehow associated to the previous VLAN deletion.

We've been adding VLANs with no problems so far, deleting in contrast doesn't happen very often.

Does anybody know if this is a kown issue/bug?

Thanks

Rolf

Rolf Fischer · ‎07-16-2013

I'd like to add an information which most probably is key to the problem:

The VLAN I deleted was configured as Voice-VLAN in the switchport-configs (for future use). I suppose the VLAN was originally created automatically on a VTP server when a port was configured like that.

Looking back it's of course not the best idea to delete the VVLAN, but we have this constellation at many sites without experiencing any problem like this so far (plus I think this shouldn't result in blocking traffic in the DVLAN).

I hope we can reproduce it in our lab to see if and under what circumstances/platform/IOS it happens.

Regards

Rolf