Solved

Extreme Control printers losing connection, state "The session is no longer active due to: User-Request."

  • 21 December 2020

Hi,

I am facing a strange thing.

Using MAC authentication on an ERS4900 switch for a Canon printer, the printer is losing connection after a while and the state description in XMC Control is “The session is no longer active due to: User-Request.”

What can cause this and how to avoid it?

Kind regards

Mark van Strien

Best answer by Miguel-Angel RODRIGUEZ-GARCIA 22 December 2020, 23:02

Mark

With such symptoms, I would check the EAP timeouts and double check if STP admin-edge is enabled on the ports.

Mig


Hello Mark,

Is it possible that the printer goes into standby? Or just the network interface of the printer?

If you want to test, you can try to do a permanent ping to the printer and check if the behaviour is different.

Hello Stephan,

Thanks for the answer!
Standby of the printer is a possibility, but even with a permanent ping the printer is losing connection.
And the printers without port authentication don’t lose the ping or connection if they are in standby mode.

So it looks like the switch is reacting to the printer or having a timeout. Is there a way to stop that from happening?

Kind regards

Mark


I am not sure if that command is still available.

Can you try “show eapol multihost non-eap-mac status <portid>” if the client is running and if the client is deauthenticated on the ERS.

Is there a MAC on the port in case of the failure?

Hello Stephan,

Thanks for helping with this.

If I toggle the port and the authentication is done, the output of the command shows the MAC:

Port Client MAC Address State                                     Vid  Pri
---- ------------------ ----------------------------------------- ---- ---
1    00:BB:C1:74:8A:3B  Authenticated By RADIUS                   102  0

After the connection is lost there are no items in the table.

Regards

Mark van Strien


OK, check if there is a MAC on the port in case you see the connection loss.

You will see the MAC in the MAC address table on the switch.

Stephan,

After the connection is lost there is no MAC in the EAP table and no MAC in the mac-address-table of the switch. Also, the VLAN is removed from the port by the switch.

Regards, Mark

I made an export of the end-system events for the test printer.

ID,"State","Time Stamp","MAC Address","Device Family","Device Type","IP Address","Host Name","User Name","Auth Type","Reason","Profile","Switch IP","Switch Nickname","Switch Port","Switch Location","Authorization","Access Control Engine/Source IP","Event Source","RADIUS Server IP","Extended State","State Description","Last Scan Time","Switch Port Index","Port Info Raw","ELIN","Zone","Registration Type"
23830,"Disconnected","12/21/2020 04:49:07 PM","00:BB:C1:74:8A:3B","","","172.21.103.194","c1056.domain.lan","","MAC (PAP)","Rule: ""ERS PRN CANON""","ADRZ PRN CANON","192.168.150.55","192.168.150.55","0/1","","FA-VLAN-Create='1', FA-VLAN-ISID='102:102', FA-VLAN-PVID='102', FA-Client-Trust='1', Egress-VLANID='0x32000066'","172.21.0.37","Access Control Engine","","","The session is no longer active due to: User-Request.","--","1","IFNAME=0/1 IFDESC=Extreme Networks Ethernet Routing Switch 4950GTS-PWR+ Module - Port 1","","",""
23823,"Accept","12/21/2020 03:14:24 PM","00:BB:C1:74:8A:3B","","","172.21.103.194","c1056.domain.lan","","MAC (PAP)","Rule: ""ERS PRN CANON""","ADRZ PRN CANON","192.168.150.55","192.168.150.55","0/1","","FA-VLAN-Create='1', FA-VLAN-ISID='102:102', FA-VLAN-PVID='102', FA-Client-Trust='1', Egress-VLANID='0x32000066'","172.21.0.37","Access Control Engine","","","","--","1","IFNAME=0/1 IFDESC=Extreme Networks Ethernet Routing Switch 4950GTS-PWR+ Module - Port 1","","",""
23820,"Accept","12/21/2020 03:14:14 PM","00:BB:C1:74:8A:3B","","","","c1056.domain.lan","","MAC (PAP)","Rule: ""ERS PRN CANON""","ADRZ PRN CANON","192.168.150.55","192.168.150.55","0/1","","FA-VLAN-Create='1', FA-VLAN-ISID='102:102', FA-VLAN-PVID='102', FA-Client-Trust='1', Egress-VLANID='0x32000066'","172.21.0.37","Access Control Engine","","Resolving IP Address","","--","1","IFNAME=0/1 IFDESC=Extreme Networks Ethernet Routing Switch 4950GTS-PWR+ Module - Port 1","","",""
23821,"Accept","12/21/2020 03:14:14 PM","00:BB:C1:74:8A:3B","","","","c1056.domain.lan","","MAC (PAP)","Rule: ""ERS PRN CANON""","ADRZ PRN CANON","192.168.150.55","192.168.150.55","0/1","","FA-VLAN-Create='1', FA-VLAN-ISID='102:102', FA-VLAN-PVID='102', FA-Client-Trust='1', Egress-VLANID='0x32000066'","172.21.0.37","Access Control Engine","","","Authenticated MAC locally. Rule 5 [AUTH_MAC, ""*"", Any] , Auth Method: LOCAL_AUTH","--","1","IFNAME=0/1 IFDESC=Extreme Networks Ethernet Routing Switch 4950GTS-PWR+ Module - Port 1","","",""

I can't add a file, so here is the CSV file as text.

regards Mark

 


On the EXOS side of things, I ran into a similar issue and had to adjust the iparp timeout to 5 minutes. A constant ping should have worked to bypass the ARP timeout, so this may be a totally different issue.


Hello Mark,

If there is no MAC on the port, no authentication can happen.

It seems that the printer does take the port down, i.e. it falls into some power save state. Please check the printer settings again.

Hello Stephan and Brian,

Thanks for helping!

There was a MAC and a permanent ping was running on the printer IP. So the switch was using the MAC to forward the ping packet. So why is it dropping the authentication or connection?
If I see the ping stop and I look directly in Extreme Control, the state is “The session is no longer active due to: User-Request.”

I will search the settings of the Canon printer, but other Canon printers without port authentication don’t lose ping or connection when going into standby.

Regards, Mark van Strien


Hi Mark,

One trick I used for your use case (printers with MAC auth) is to adapt the EAPOL port settings by sending the following RADIUS attribute in the answer:

FA-Service-Request=WOL

This lets broadcast and multicast go through even when the port is not authenticated.

That helped in several cases.

You can also do it manually with the following setting in the EDM:

I would also suggest keeping the firmware of the printers up to date and, if possible, configuring them for 802.1X.

Regards

Mig

Hi all,

So after a day of testing, the problem seems a bit different…
The printer port of the switch is losing connection not after a timeout or the printer going to standby, but when another port is doing an EAP authentication.

Example 1
The printer is on port 1 of the switch, authenticated and replying to ping. On the switch I toggle port 2, where a Mitel phone with MAC authentication is booting. The second port, port 2, receives the VLAN assignment; port 1 loses the VLAN and doesn’t recover.

Example 2
The Mitel phone is on port 2, authenticated and replying to ping. Port 1 with the printer is toggled; port 2 loses the VLAN for a short time and recovers, ping reply is lost for a short time but recovers.

It looks like after a port toggle and an EAP authentication of a port, some ports are losing authentication…

First I looked in the GTAC knowledge base and found https://extremeportal.force.com/ExtrArticleDetail?an=000072473&q=ers%20eap%20problem

So I upgraded the switch to firmware version v7.8.2.027, but no different output.

Attributes sent by XMC Control are:

For the printer on port 1

FA-VLAN-Create=1
Egress-VLANID=0x32000066
FA-VLAN-ISID=102:102
FA-VLAN-PVID=102
FA-Client-Trust=1
FA-Service-Request=WOL

For the Mitel Phone on port 2

FA-VLAN-Create=1
FA-VLAN-ISID=152:152
FA-VLAN-PVID=152
FA-Client-Trust=1
Egress-VLANID=0x31000098

 

Completely confused ….

Kind regards

Mark van Strien
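Added example, not part of the thread: one way to look for the pattern described in the post above (a "User-Request" disconnect on one port shortly after another port on the same switch is accepted) in an end-system event export. The column names are the ones in the CSV export posted earlier; the rows, MAC addresses, switch IP and the 30-second window are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample using a subset of the export's columns (not real data).
SAMPLE = '''"State","Time Stamp","MAC Address","Switch IP","Switch Port","State Description"
"Accept","12/21/2020 03:14:24 PM","02:00:00:00:00:01","192.0.2.55","0/1",""
"Accept","12/21/2020 04:49:02 PM","02:00:00:00:00:02","192.0.2.55","0/2",""
"Disconnected","12/21/2020 04:49:07 PM","02:00:00:00:00:01","192.0.2.55","0/1","The session is no longer active due to: User-Request."
"Disconnected","12/21/2020 06:00:00 PM","02:00:00:00:00:03","192.0.2.55","0/3","The session is no longer active due to: User-Request."
'''

def load_events(text):
    """Parse the export and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Time Stamp"], "%m/%d/%Y %I:%M:%S %p")
    return sorted(rows, key=lambda row: row["ts"])

def correlated_drops(events, window_s=30):
    """Return (dropped_port, authenticating_port, gap_seconds) for each
    User-Request disconnect that follows an Accept on a different port
    of the same switch within window_s seconds."""
    accepts = [e for e in events if e["State"] == "Accept"]
    hits = []
    for drop in events:
        if drop["State"] != "Disconnected":
            continue
        if "User-Request" not in drop["State Description"]:
            continue
        for acc in accepts:
            gap = (drop["ts"] - acc["ts"]).total_seconds()
            same_switch = acc["Switch IP"] == drop["Switch IP"]
            other_port = acc["Switch Port"] != drop["Switch Port"]
            if same_switch and other_port and 0 <= gap <= window_s:
                hits.append((drop["Switch Port"], acc["Switch Port"], int(gap)))
    return hits

if __name__ == "__main__":
    for dropped, trigger, gap in correlated_drops(load_events(SAMPLE)):
        print(f"port {dropped} dropped {gap}s after port {trigger} authenticated")
```

A drop with no nearby Accept on another port, like the constructed one on port 0/3, is not reported and would point back towards a timeout or standby cause instead.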


Mark,

First comment is that Egress-VLANID=0x31 means tagged VLAN while you assign it as PVID.

One thing not clear is if you are doing Fabric-Connect up to the edge or Fabric Attach on the ERS.

Could you clarify?

Here is my RADIUS attributes template for BOSS with FC up to the edge:

FA-VLAN-Create=1
FA-VLAN-ISID=%VLAN_ID%:%CUSTOM1%
Egress-VLANID=0x%CUSTOM2%
FA-Service-Request=BPDU
FA-Service-Request=SLPPGUARD
FA-Service-Request=DHCPSNOOP:%VLAN_ID%
Service-Type=%MGMT_SERV_TYPE%

You should check on “show logg sort” to see what kind of event is happening if any.

 

Mig
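Added example, not part of the thread: decoding the Egress-VLANID values quoted above according to the RFC 4675 layout (one tag-indication octet, 0x31 for tagged or 0x32 for untagged, then 12 pad bits and a 12-bit VLAN ID) and flagging the tagged-but-PVID combination the reply points out. The function names are illustrative; the two attribute sets are the ones posted for the printer and the phone.

```python
TAG_MODES = {0x31: "tagged", 0x32: "untagged"}  # RFC 4675 tag-indication octet

# Attribute sets as posted in the thread.
PRINTER = """FA-VLAN-Create=1
Egress-VLANID=0x32000066
FA-VLAN-ISID=102:102
FA-VLAN-PVID=102
FA-Client-Trust=1
FA-Service-Request=WOL"""

PHONE = """FA-VLAN-Create=1
FA-VLAN-ISID=152:152
FA-VLAN-PVID=152
FA-Client-Trust=1
Egress-VLANID=0x31000098"""

def decode_egress_vlanid(value):
    """Split a hex Egress-VLANID string into (tag mode, VLAN ID)."""
    raw = int(value, 16)
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError(f"{value}: not a 32-bit value")
    tag, pad, vid = raw >> 24, (raw >> 12) & 0xFFF, raw & 0xFFF
    if tag not in TAG_MODES:
        raise ValueError(f"{value}: unknown tag indication 0x{tag:02x}")
    if pad:
        raise ValueError(f"{value}: pad bits must be zero")
    return TAG_MODES[tag], vid

def parse_attributes(text):
    """Return (name, value) pairs; a list because attributes may repeat."""
    return [tuple(line.strip().split("=", 1)) for line in text.strip().splitlines()]

def review_profile(text):
    """Flag a PVID whose Egress-VLANID marks the same VLAN as tagged."""
    attrs = parse_attributes(text)
    pvids = {int(v) for n, v in attrs if n == "FA-VLAN-PVID"}
    findings = []
    for name, value in attrs:
        if name != "Egress-VLANID":
            continue
        mode, vid = decode_egress_vlanid(value)
        if mode == "tagged" and vid in pvids:
            findings.append(f"VLAN {vid} is the PVID but {value} marks it tagged")
    return findings

if __name__ == "__main__":
    for label, profile in (("printer", PRINTER), ("phone", PHONE)):
        print(label, review_profile(profile) or "consistent")
```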

Miguel-Angel,

Thanks for helping!

I am using Fabric Attach on the ERS switch.

In the logging of the switch there is no info on ports that are losing their VLAN. The only info in the log is the info about the toggled port doing an EAP authentication and requesting the assigned VLAN on the uplink port.

Kind regards

Mark van Strien

 


Mark

With such symptoms, I would check the EAP timeouts and double check if STP admin-edge is enabled on the ports.

Mig

 

Hi all,

An update: today, as Miguel-Angel suggested, I checked the STP setting of the port and changed it to admin-edge. Toggled the phone port and the printer port keeps working! Ran a ping all day and the printer keeps working! So the STP admin-edge setting did the trick.

Thanks all for helping with the issue! Special thanks to Miguel-Angel for the pointer to the STP setting!

Kind regards Mark.

@Miguel-Angel RODRIGUEZ-GARCIA sorry wanted to click your post as answer but clicked the wrong button and can’t change it.


:laughing:  No issue, I’m glad you solved this painful point

Mig


I’ve updated the best answer here, please let me know if I’ve selected the wrong one and I’ll update it again. Thanks for keeping the thread updated everyone!!
