I am now starting some POC work and was progressing well until I came to adding some 4510 switches to the CAM to control OOB devices.
I have full IP connectivity between the switch management VLAN interface (the switch is running in layer 2 only) and the CAM eth0 interface over the network with no firewalls in the way.
I have tried configuring both SNMP versions on the CAM and I have captured the SNMP communication between the switch and the CAM, which is being received by the switch and is being responded to. So I have proved that SNMP packets are reaching the various devices. There are no routing or switching issues.
Would someone please mind giving me a hand and telling me why the CAM cannot control the switch? When you try to add the switch it comes up with a message like "unable to control 10.108.2.15". This is the management VLAN2 on the test switch. I have used test communities public and private respectively on the CAM to match the switch.
SNMP switch config snippet below. The CAM is at 10.108.100.10.
snmp-server engineID local 800000090300001D4572F86E
snmp-server community public RO 10
snmp-server community private RW 10
snmp-server trap-source Vlan2
snmp-server enable traps snmp linkdown
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.108.100.10 version 2c private
snmp-server host 10.108.100.10 version 2c public
access-list 10 permit 10.108.100.10 (This is the CAM referenced in ACL 10 so the poll will work)
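A quick way to confirm that a snippet like the one above actually lets the CAM poll is to check each community against the standard ACL it is bound to, the way IOS evaluates it (first match wins, implicit deny at the end). The script below is an added example, not code from the thread or from Cisco; it parses only `snmp-server community ... RO|RW [acl]` lines and standard numbered `access-list` entries, and the embedded config is a constructed copy of the poster's snippet with the inline note on the access-list line removed.

```python
"""Check whether an IOS snmp-server snippet lets a given manager poll the switch.

Added example (not code from the thread): parses the community and standard-ACL
lines and reports, per community, whether the manager address (the CAM) is
permitted by the ACL the community is bound to. Only standard numbered ACLs
and the RO/RW community form are understood.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the switch snippet posted in the thread.
SWITCH_CONFIG = """\
snmp-server engineID local 800000090300001D4572F86E
snmp-server community public RO 10
snmp-server community private RW 10
snmp-server trap-source Vlan2
snmp-server enable traps snmp linkdown
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.108.100.10 version 2c private
snmp-server host 10.108.100.10 version 2c public
access-list 10 permit 10.108.100.10
"""

CAM_IP = "10.108.100.10"  # the CAM address given in the thread

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?\s*$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?\s*$")

Rule = Tuple[str, ipaddress.IPv4Network]


def parse_communities(config: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map community string -> (RO|RW, ACL number or None when unrestricted)."""
    result: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            result[m.group(1)] = (m.group(2), m.group(3))
    return result


def _acl_entry_network(addr: str, extra: Optional[str]) -> ipaddress.IPv4Network:
    """Turn an IOS standard-ACL source ('any', 'host A', 'A', 'A wildcard') into a network."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if addr == "host":
        return ipaddress.IPv4Network(f"{extra}/32")
    if extra is None:
        return ipaddress.IPv4Network(f"{addr}/32")
    # IOS wildcard: 1 bits are "don't care"; must be contiguous low-order bits
    wc = int(ipaddress.IPv4Address(extra))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard not supported: {extra}")
    prefixlen = 32 - wc.bit_length()
    # strict=False: IOS ignores host bits that the wildcard masks out
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_standard_acls(config: str) -> Dict[str, List[Rule]]:
    """Map ACL number -> ordered list of (permit|deny, network)."""
    acls: Dict[str, List[Rule]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, addr, extra = m.groups()
            acls.setdefault(num, []).append((action, _acl_entry_network(addr, extra)))
    return acls


def acl_permits(rules: List[Rule], ip: str) -> bool:
    """IOS semantics: first matching entry decides; implicit deny if nothing matches."""
    addr = ipaddress.IPv4Address(ip)
    for action, net in rules:
        if addr in net:
            return action == "permit"
    return False


def check_manager_access(config: str, manager_ip: str) -> Dict[str, str]:
    """Per community, state whether manager_ip may use it and with which rights."""
    acls = parse_standard_acls(config)
    verdicts: Dict[str, str] = {}
    for name, (mode, acl) in parse_communities(config).items():
        if acl is None:
            verdicts[name] = f"OK ({mode}): no ACL bound, any source knowing the string can poll"
        elif acl not in acls:
            verdicts[name] = f"UNKNOWN ({mode}): ACL {acl} is referenced but not in this snippet"
        elif acl_permits(acls[acl], manager_ip):
            verdicts[name] = f"OK ({mode}): ACL {acl} permits {manager_ip}"
        else:
            verdicts[name] = f"DENIED ({mode}): ACL {acl} does not permit {manager_ip}"
    return verdicts


if __name__ == "__main__":
    for community, verdict in check_manager_access(SWITCH_CONFIG, CAM_IP).items():
        print(f"{community:10} {verdict}")
```

Run against the snippet, both communities come back as permitted for 10.108.100.10, which matches the poster's conclusion that the ACL is not the problem; the same check run with the switch's own management address shows how a wrong source address would be denied. A community with no ACL is reported as reachable from any source, which is worth noticing on an RW string.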
CCA is very picky when it comes to working right in OOB configs with the switch versions. If you haven't already, can you please verify that the 4510's have the supported codes?
Hi again Faisal,
The switch is a 4510R-R with 2 x SUP6-E's running code 12.2.53SG, so the code is very recent. As the SUP6-E's are based on 4900 code I think that may be a clue as to why things are not working; however, the SUP6-E should have full NAC support according to all documentation.
I would just like to add that our 5508 WLC's cannot be added to the CAM either and they are running version 6.0 WLC code. Again very recent code.
I can add 3750 switches fine so I know the configs are correct.
Doing this testing is most frustrating indeed as the NAC products just do not work as they should. I have asked for this to be escalated to our SE so we should get a TAC case raised.
Faisal if you could be of any additional assistance this would be most appreciated.
I'm sorry for the frustration you're going through. Raising a TAC case is the right approach since it lets us involve the dev groups too, if need be.
To start off, can you share with me your sh tech from the switch, the packet capture you've done, and the version of checks and rules (Clean Access -> Updates) ?
Hi, I have raised a TAC case. I will drop you an email from my work address shortly with the service request no. if you are interested in following the issue.
Documenting the solution for this problem: Customer had to update the Checks and Rules to get the proper OIDs, after which adding the switch became possible.
I had the same problem. But exactly at this moment I noticed that I chose the wrong deployment mode. I want to deploy OOB mode but chose Virtual Gateway only. Another thing is that since the last time I worked on this project this problem didn't appear. So, I believe and I WANT the reason for this problem to be mine.
Did you find some solution?
I am deploying a virtual gateway OOB solution. Remember you can still do OOB with a virtual gateway design. As Faisal from TAC has mentioned I couldn't control the switches via SNMP because even though I was using supported IOS I had a fresh NAC install and needed to run an update via HTTP under "Device Management, Clean access, Updates, Update" to download the necessary SNMP OID's.
I'm trying this solution now. But I have another curious item. In this network, I have some 2960 and some 2960G. Do you believe that I can only add the 2960G?
I attached a message that appears in the Event Log. Could you help me? I saw that you talked with a person from TAC. My work is stopped because of it.
Thanks a lot!!!!
Your version looks good. Raise a TAC case and get Cisco to help you.
Can you add the 2960 to the CAM and manage the ports?
It's exactly what I can't do. :-)
I can add only 2960G. I can't add 2960 (normal - 24 ports fast and giga uplink).
I'd like to try other solutions before opening a case. I don't want to spend more time.
I don't have heavy exposure with the 2960's but I have never heard of a 2960G. Looking at the platforms online I see 2960 and 2960-S. Is this an old EOL platform or something?
The output you sent me before with the show ver, was that from a device that didn't work?
I am surprised you do not have a service contract if you are running NAC in your enterprise!
Please post the screenshots from your CAM for the following screens:
Clean Access -> Updates
Profiles -> SNMP Receiver
Profiles -> Device
Profiles -> Device -> Edit (on the switch model that you're trying to add)
Also please post a show running-config from the switch that isn't working