Strange NAC Lost Contact alarms

  • Question
  • Updated 3 years ago
  • Answered

Hello All,

we have a strange behavior with NAC and Extreme switches.

On the switch there are different vlans with different ip addresses.

All vlans are in the same VR (vr-default).

The connection for management between NAC and the switches is located in a management vlan (vr-default, too).

NAC has only a direct route to the management ip address (management vlan) on the switch.

Only the management ip of the switch is configured on the NAC.

All ip addresses on the switch are reachable from NAC (management vlan and the other vlans).

But now what we see:

The link between the NAC and the switch is working, and NetSight and NAC show green for the connection.

All works fine.

BUT we receive alarm messages in NetSight as below:

Critical NAC Lost Contact with Switch 1.1.1.1 / 2.2.2.2 Full Loss of Contact to Switch detected: 2.2.2.2 due to: Unable to make SNMP contact

The 1.1.1.1 (as example) is the ip address of the NAC, 2.2.2.2 is the ip address of the switch (but NOT the management ip address).

Now the questions:

Why does the NAC detect a lost contact in a network not used for management and authentication? How can I avoid these alarms?

One further hint: The NAC receives DHCP messages on the vlans not used for management. Maybe this is the cause why the NAC knows the vlans and ips on the switch (not used for management).

 

Best regards

Steve


Posted 3 years ago

Bharathiraja, Suresh, Employee
Hi Steve,

Please correct me if I am wrong.

You have a NAC server which has a default route to the switch mgmt interface, and NetSight receives alarms from other vlans.

1) What is the switch hardware model and current status?

2) Do you see any link flaps from the 2.2.2.2 vlan?

3) Please check the show log and show management from the switch.

4) What is the expected behavior from the switch as per your Trap/alarm configuration;
was it working earlier?

Thanks,
Suresh.B
Steve
Hello Suresh,

there is only a layer 3 connection between NAC and switches. Switches and NAC are in different networks and the connection is routed. Therefore the NAC default gw is not the same as the default gw of the switches.

1) The behavior is the same for all used switches. We use X450G2.

2) No, we have no link flaps in the vlan.

3) As you mentioned, I checked the show log on a switch and I can see this message:

"03/01/2016 07:28:50.93 Slot-1: Login failed through SNMPv1/v2c - bad community name (1.1.1.1)"

We have two NAC-GW. Both are configured in the same way (we think so) and in our opinion we haven't configured SNMPv1/v2c, only SNMPv3. The messages are only received for one NAC (1.1.1.1), not for the second NAC.

Maybe this is the hint, but we don't know why NAC tries to open a connection via SNMPv1/v2c.

4) We are using only the standard alarm from NAC "NAC Lost Contact with Switch" in the alarm manager, and we expect only an alarm message if the connection configured in the "NAC-Manager" on the "switch tab" is broken. Please be aware the alarm message is generated on the NAC and not on the switch. The NAC detects the "Lost Contact".

Is there a place in the NAC config where we can configure SNMP (not for the connection between NAC and NetSight but rather for the connection between NAC and Switch)?
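The EXOS log line quoted above is the useful detection signal in this thread: a switch that should only be managed over SNMPv3 but logs SNMPv1/v2c failures tells you which source address is still speaking the older protocol, and therefore which of the two NAC gateways is misconfigured. The following is an added example, not code from the thread or from Extreme's own tooling: a Python script that parses "Login failed through ..." lines from a show log capture, counts failures per source and protocol, and reports which known NAC gateway addresses used a protocol outside the allowed set. The sample log is constructed; only its first line mirrors the message quoted in the post, and 5.5.5.5 and 6.6.6.6 are placeholder addresses standing in for an unknown poller and the second NAC gateway.

```python
import re
from collections import Counter

# Constructed sample of EXOS "show log" output. The first line mirrors the
# message quoted in the thread; the remaining lines are made up for this
# example (5.5.5.5 is a placeholder for an unexpected SNMPv1/v2c poller).
SAMPLE_LOG = """\
03/01/2016 07:28:50.93 Slot-1: Login failed through SNMPv1/v2c - bad community name (1.1.1.1)
03/01/2016 07:29:00.10 Slot-1: Port 1 link UP at speed 1 Gbps and full-duplex
03/01/2016 07:29:50.91 Slot-1: Login failed through SNMPv1/v2c - bad community name (1.1.1.1)
03/01/2016 07:30:50.88 Slot-1: Login failed through SNMPv1/v2c - bad community name (1.1.1.1)
03/01/2016 07:31:05.02 Slot-1: Login failed through SNMPv1/v2c - bad community name (5.5.5.5)
"""

# Pattern for the failed-login line format shown in the thread:
# "<date> <time> Slot-N: Login failed through <proto> - <reason> (<source ip>)"
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"(?P<slot>Slot-\d+): Login failed through (?P<proto>\S+) - "
    r"(?P<reason>.+?) \((?P<src>\d{1,3}(?:\.\d{1,3}){3})\)$"
)


def parse_failed_logins(log_text):
    """Return one dict per failed-login line; unrelated log lines are ignored."""
    events = []
    for line in log_text.splitlines():
        match = FAILED_LOGIN_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def failures_by_source(events):
    """Count failed logins per (source IP, protocol) pair."""
    return Counter((e["src"], e["proto"]) for e in events)


def disallowed_protocol_sources(events, allowed=("SNMPv3",)):
    """Source IPs that attempted any management protocol outside the allowed set."""
    return sorted({e["src"] for e in events if e["proto"] not in allowed})


def misconfigured_gateways(events, gateway_ips, allowed=("SNMPv3",)):
    """Which of the known NAC gateway IPs were seen using a non-allowed protocol.

    A gateway in this list still has an SNMPv1/v2c profile (or a wrong one)
    assigned for the switch, which is the situation the thread describes.
    """
    offenders = set(disallowed_protocol_sources(events, allowed))
    return sorted(offenders & set(gateway_ips))


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    for (src, proto), count in failures_by_source(events).most_common():
        print(f"{src:15} {proto:12} {count} failed logins")
    # 6.6.6.6 is a placeholder for the second NAC gateway mentioned in the thread.
    print("gateways using a non-SNMPv3 protocol:",
          misconfigured_gateways(events, ["1.1.1.1", "6.6.6.6"]))
```

Run it against a saved copy of the switch's show log output instead of SAMPLE_LOG; any NAC gateway address that appears in the output is the one whose SNMP profile for that switch still needs to be changed to SNMPv3, and any other address is a poller that should not be talking to the switch at all.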
OscarK, ESE
Is the issue resolved if you uncheck router discovery as explained in this article?
https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Manager-is-polling-devices-not-in-th...