CLEANACCESS Archives

November 2010

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Rob Chee <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Sun, 14 Nov 2010 17:18:38 -0500

I've seen this if the "configuration mode exclusive" command exists in the
configuration.  This means that only one session can be in "configuration
terminal" mode at a time.  This creates strange results like you are
seeing.  Do you have this set?

I wrote up a small blog explaining this a little bit.
http://www.netcraftsmen.net/component/content/article/67-network-security/840.html


------------------------------------------------------
Rob Chee, CCIE #8188 (R&S and Security)
Senior Network Consultant
Chesapeake NetCraftsmen, LLC.
Company Website:  http://www.netcraftsmen.net
My Blog:  http://www.netcraftsmen.net/resources/blogs/blogger/Rob%20Chee/
Mobile:  571-437-2829
------------------------------------------------------




On 11/12/10 3:25 PM, "James Spitznagel" <[log in to unmask]> wrote:

>We have had Clean Access installed for 4+ years.  Recently (and over
>several version upgrades) we have been seeing SNMP write issues with
>small numbers of switches.  The switches are mostly Cat 3560s, with a
>few 2950s and 3550s.  We are currently running 4.7.1
>
>Our most common issue is that SNMP writes (V3) to a switch will fail after
>working seemingly flawlessly for days, weeks, or even months.  We probably
>lose about 2 of about 60 switches per month.  Removing and adding the
>switch in CCA does not work, nor does stripping out and replacing the
>SNMP commands within the failed switch.
>
>The only work-around we have found is modifying any part of the device
>profile for the appropriate group, then modifying it back to the correct
>parameters.  This results in a functional switch and a log message that
>says "switch [xxx.yyy.zzz.166] is recovered from SNMP failure!"
>
>Eventually, the SNMP write errors come back, but the larger issue is that
>other switches in the same tweaked profile seem to be inverting their
>allowed VLANs and the uplink ports revert back to CCA controlled ports.
>As an example of the inverted VLANs, a working switch with primary VLAN 20
>(clean) and VLAN 120 (dirty) ports will have the uplink interfaces
>configured with "switchport trunk native vlan 20" (or sometimes 120) and
>"switchport trunk allowed vlan 2-19,21-4094".  It should be noted that we
>do no pruning on these switches, but we do prune out VLAN 1 upstream.
>
>A coworker did open a TAC call last year, and they focused on the switch
>configs, confirmed that our configs were OK, and never resolved the issue.
>
>Has anybody run into this?  Any thoughts?
>
>Thanks in advance.
>
>-Jamie
>--
> James Spitznagel
> Senior Network Engineer
> John Carroll University
> [log in to unmask]
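
An added example, not part of either message and not Cisco's or the posters' code: a small Python audit that scans a saved running-config for the two conditions discussed in this thread, the "configuration mode exclusive" command and uplink trunks whose allowed-VLAN list omits the clean or dirty VLAN. The sample config is constructed, and the required VLANs (20 and 120) are assumed from the example in the original post.

```python
import re

# Constructed sample running-config (not taken from the posters' switches).
SAMPLE_CONFIG = """\
configuration mode exclusive auto
!
interface GigabitEthernet0/1
 description uplink
 switchport trunk native vlan 20
 switchport trunk allowed vlan 2-19,21-4094
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk native vlan 20
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
!
interface FastEthernet0/5
 switchport access vlan 120
 switchport mode access
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2-19,21-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, required_vlans=(20, 120)):
    """Return findings; required_vlans is an assumption (clean/dirty VLANs)."""
    findings = []
    if re.search(r"^configuration mode exclusive\b", config, re.M):
        findings.append("global: configuration mode exclusive is set")
    # Interface stanzas: a header line followed by space-indented sub-commands.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        name, body = m.groups()
        allowed = re.search(r"^ switchport trunk allowed vlan ([\d,-]+)$", body, re.M)
        if not allowed:
            continue  # access port, or trunk with no explicit allowed list
        missing = sorted(set(required_vlans) - expand_vlans(allowed.group(1)))
        if missing:
            findings.append(f"{name}: allowed list omits VLAN(s) {missing}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Only the first "switchport trunk allowed vlan" line of each interface is read; "add" continuation lines are not merged.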
