[cisco-voip] dot1x err-disabling ports with phones

george.hendrix at l-3com.com
Wed Jun 19 15:48:54 EDT 2013


Hey guys,

  We have an issue that seems to be mostly on 3560/3750 and older 4500 switches.  We have not had the issue at all on any phone connected to our 4510s with Sup-7 engines.  At random when the phone/client is already connected to the switch, the port goes into err-disable.  The ports are in single host mode.

interface FastEthernet1/0/5
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 mls qos trust cos
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard loop

The error I see in the log before the port goes err-disable is below:

Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned
security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state

The switch seems to be treating the phone like a new DATA client.

TAC seems to think possibly the phone is not transmitting CDP long enough that the switch puts the phone MAC address into the DATA group and when it does, it err-disables the port.

Has anyone else seen this happen with firmware version SCCP 9.3.1.1 on 7962 model phones?

Thanks,
Bill
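
Added example, not part of the original post: a log triage script that pairs each "Security violation" message with the err-disable that follows on the same port (the two messages name the port differently, GigabitEthernet0/23 vs. Gi0/23) and marks whether the violating MAC is a known phone. A known phone MAC showing up as the "new MAC address" is the pattern the post describes. The timestamps, the second violation line, and the phone inventory (including listing 0021.70c8.58cb as a phone) are constructed assumptions.

```python
import re

# Message texts as quoted in the post; any syslog prefix before them is ignored.
VIOLATION = re.compile(
    r"Security violation on the interface ([^\s,]+), new MAC address \(([0-9A-Fa-f.]+)\)")
ERRDISABLE = re.compile(r"security-violation error detected on ([^\s,]+), putting")

def short_ifname(name):
    """Map 'GigabitEthernet0/23' and 'Gi0/23' to the same key, 'Gi0/23'."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", name)
    return m.group(1)[:2].capitalize() + m.group(2) if m else name

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def triage(lines, phone_macs):
    """Pair each violation with the err-disable that follows on the same port."""
    phones = {norm_mac(m) for m in phone_macs}
    events, pending = [], {}   # pending: port -> latest violation on that port
    for line in lines:
        v, e = VIOLATION.search(line), ERRDISABLE.search(line)
        if v:
            port, mac = short_ifname(v.group(1)), norm_mac(v.group(2))
            pending[port] = {"port": port, "mac": mac,
                             "known_phone": mac in phones, "err_disabled": False}
            events.append(pending[port])
        elif e and short_ifname(e.group(1)) in pending:
            pending.pop(short_ifname(e.group(1)))["err_disabled"] = True
    return events

# Constructed sample: the two messages from the post with timestamps added, plus
# one constructed violation from a MAC that is not in the phone inventory.
SAMPLE_LOG = [
    "Jun 19 15:40:01: Security violation on the interface GigabitEthernet0/23, "
    "new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned",
    "Jun 19 15:40:01: security-violation error detected on Gi0/23, "
    "putting Gi0/23 in err-disable state",
    "Jun 19 15:42:10: Security violation on the interface FastEthernet1/0/5, "
    "new MAC address (0200.0000.0001) is seen.AuditSessionID Unassigned",
]
# Assumed phone inventory (e.g. exported from the call manager), any notation.
PHONE_MACS = ["00:21:70:C8:58:CB"]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG, PHONE_MACS):
        print(ev)
```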
