X440 and Netsight Nac The session is no longer active due to: Admin-Reset.

  • 0
  • 2
  • Question
  • Updated 1 year ago
  • Answered
Hello all

i have the following Problem with one Device in our Network
It is an CAB Label Printer connected on an X440 with Netsight
After 10 Minutes the following message is in the Netsight Nac manager

The session is no longer active due to: Admin-Reset.

If the message appear in the NAC the Device is no longer reachable
only Force Reauth and Power off the Device brings it back

Is anbody here that have an idea was it is

regards
Oliver
Photo of Fischer Oliver

Fischer Oliver

  • 100 Points 100 badge 2x thumb

Posted 2 years ago

  • 0
  • 2
Photo of OscarK

OscarK, ESE

  • 7,792 Points 5k badge 2x thumb
Maybe the switch clears its fdb entry and this causes the admin reset ? You should see that in the switch log.
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 47,528 Points 20k badge 2x thumb
What kind of authentication is used ?
Photo of Fischer Oliver

Fischer Oliver

  • 100 Points 100 badge 2x thumb
Hello Oscar and Ronald
there is no entry in the switch log

Mac authentication is used

Our X450 switches show the same message in the NAC but the CAB Label Printers on these switches are reachable after the message
The Status switch from disconnected to accept if we print or ping the DeviceĀ 
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 47,528 Points 20k badge 2x thumb
Might be a problem with the printers powersave option - try to change it to a higher value and see whether that increases the time till it doesn't work.

Do you poll the printer via Netsight - could be a "workaround" - if you poll it all the time it might also solves the problem.
Photo of Fischer Oliver

Fischer Oliver

  • 100 Points 100 badge 2x thumb
The following messages in the switch log
<Info:nl.ClientAuthenticated> Network Login MAC user xxxx logged in MAC xxxx port 12 VLAN(s) "<unknown>", authentication Radius
<Info:nl.ClientReset> The authentication state of Network Login user xxxx was cleared by policy, Mac xxxx port 12 VLAN(s) "" Protocol(s) "MAC"
Photo of Darin Seiler

Darin Seiler

  • 402 Points 250 badge 2x thumb
Curious if you are a resolution to this. I see the same thing with an Epson printer doing MAC auth and this same output is show in the NAC Manager and switch log on an X450-G2...
Photo of OscarK

OscarK, ESE

  • 7,792 Points 5k badge 2x thumb
Does the same policy work with normal PC's ? I thnk there might be a problem with the policy when it is applied to that mac ?
Photo of Alagesan Jeyaraman

Alagesan Jeyaraman

  • 160 Points 100 badge 2x thumb
Hi Guys,

I am facing the same issue here in same scenario. X440-G2 Switches and Netsight/NAC. But my clients are dot1x authenticated. After some time the sesision disconnects with reason "The session is no longer active due to: Admin-Reset". Kindly help.
Photo of M.Nees

M.Nees, Embassador

  • 9,264 Points 5k badge 2x thumb
Fighting with the same problem:

Windows 7 / 802.1x / X440-G2 EXOS V21.1.3.7-Patch1-4 with Extreme Control V7.1.1.9

05/05/2017 08:24:17.07 <Info:nl.ClientReset> Slot-1: The authentication state of Network Login user host/YLQP019998.XXX.xx was cleared by policy due to Admin Reset, Mac 90:1B:0E:2E:35:5C port 2:26 VLAN(s) "" Protocol(s) "802.1x"

What is reason "Admin Reset" - either Re-Auth Button in NAC was pressed nor clear netlogin session per CLI was used. It happens randomly!


How is it possible to get EAPoL Counters regarding this port to verify if EAPoL Logoff Messages was sent from Client ?

Regards
Photo of M.Nees

M.Nees, Embassador

  • 9,264 Points 5k badge 2x thumb
EAPoL Statistics searched like this on Brocade Switches:
(Statistics can be cleared/reseted)

device# show dot1x statistics ethernet 10/2/1

Port 10/2/1 Statistics: 
RX EAPOL Start : 2
RX EAPOL Logoff : 2
RX EAPOL Invalid : 0
RX EAPOL Total : 12
RX EAP Resp/Id : 4
RX EAP Resp other than Resp/Id : 4
RX EAP Length Error : 0
Last EAPOL Version : 1
Last EAPOL Source : 0022.0002.0002
TX EAPOL Total : 0
TX EAP Req/Id : 10417
TX EAP Req other than Req/Id : 2
Photo of M.Nees

M.Nees, Embassador

  • 9,264 Points 5k badge 2x thumb
Current state of the issue is:

It occurs if RADIUS Accouting AND dynamic Session-ReAuth (provide by RADIUS Session-Timout Value) run simultaniously. Disable one of both, the problem disappears.

I hope we can find the root cause because both feature needed.

Regards