We have had Clean Access installed for 4+ years.  Recently (and over several
version upgrades) we have been seeing SNMP write issues with small numbers
of switches.  The switches are mostly Cat 3560s, with a few 2950s and 3550s.
 We are currently running 4.7.1

Our most common issue is that SNMP writes (V3) to a switch will fail after
working seemingly flawlessly for days, weeks, or even months.  We probably
lose about 2 of about 60 switches per month.  Removing and adding the switch
in CCA does not work, nor does stripping out and replacing the SNMP commands
within the failed switch.

The only work-around we have found is modifying any part of the device
profile for the appropriate group, then modifying it back to the correct
parameters.  This results in a functional switch and a log message that says
"switch [xxx.yyy.zzz.166] is recovered from SNMP failure!"

Eventually, the SNMP write errors come back, but the larger issue is that
other switches in the same tweaked profile seem to be inverting their
allowed VLANs and the uplink ports revert back to CCA controlled ports.  As
an example of the inverted VLANs, a working switch with primary VLAN 20
(clean) and VLAN 120 (dirty) ports will have the uplink interfaces
configured with "switchport trunk native vlan 20" (or sometimes 120) and
"switchport trunk allowed vlan 2-19,21-4094"  It should be noted that we do
no pruning on these switches, but we do prune out VLAN 1 upstream.

A coworker did open a TAC call last year, and they focused on the switch
configs, confirmed that our configs were OK, and never resolved the issue.

Has anybody run into this?  Any thoughts?

Thanks in advance.

-Jamie
--
 James Spitznagel
 Senior Network Engineer 
 John Carroll University
 [log in to unmask]