Service outage for IP Phone because 802.1x authentication on S5700

Publication Date: 2014-08-28
Issue Description
The customer bought our S5700 switch as an access switch for IP phones. IP phone users report voice outages during a call.
When 1000 ping packets are sent to the IP phone, some ICMP packets are dropped.
    1000 packet(s) transmitted
    994 packet(s) received
    0.60% packet loss
    round-trip min/avg/max = 1/1/10 ms
Alarm Information
None
Handling Process
1. Ping packets are being dropped. Collect traffic statistics for the ping test and confirm that the IP phone does not reply to some of the packets.
G0/0/31 connects directly to the IP phone.
<huawei>dis traffic policy statistics interface GigabitEthernet 0/0/31 outbound
Interface: GigabitEthernet0/0/31
Traffic policy outbound: test
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched          |      Packets:                         1,000
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
   Passed         |      Packets:                         1,000
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
<huawei>dis traffic policy statistics interface GigabitEthernet 0/0/31 inbound
Interface: GigabitEthernet0/0/31
Traffic policy inbound: test
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched          |      Packets:                           991
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
   Passed         |      Packets:                           991
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------

2. The customer confirmed that the IP phone configuration is correct; they tested with another vendor's switch and did not see this issue.
3. Check the configuration on the access switch. The customer uses 802.1X authentication.
interface GigabitEthernet0/0/31
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
authentication guest-vlan 851
dot1x authentication-method eap
Check the access user information; the user is using MAC authentication.
AAA:
  User authentication type        : MAC    authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
Check the 802.1X authentication statistics; the authentication success counter is increasing.
  Authentication Success: 246        Failure: 46   
  EAPOL Packets: TX     : 319        RX     : 287    
  Sent      EAPOL Request/Identity Packets  : 58 
            EAPOL Request/Challenge Packets : 216

  Authentication Success: 247        Failure: 46   
  EAPOL Packets: TX     : 319        RX     : 287    
  Sent      EAPOL Request/Identity Packets  : 58 
            EAPOL Request/Challenge Packets : 216

4. From the authentication success counter, we think the IP phone is re-authenticating and that ping packets are dropped during the re-authentication process.
The documentation describes a detection mechanism for MAC authentication.
To confirm that a user using MAC address authentication is online, the device sends ARP offline detection packets to the user.
If the user does not respond within the detection interval, the device considers that the user is offline.
The access switch has no VLANIF interface. MAC authentication cannot be passed.
To ensure that the device can send offline detection packets to the user normally, the customer needs to set a source IP address for offline detection packets.
Add the command below on the access switch and confirm that the problem is solved.
[huawei]access-user arp-detect vlan 4002 ip-address X.X.X.X mac-address 200b-c721-c65e
/// X.X.X.X is an IP address used for the voice VLAN. The MAC address should be the access switch's.
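The correlation done by hand in steps 1 to 4 can be scripted. The following is an added example, not part of the original case or any Huawei tooling: it parses trimmed, constructed copies of the outputs shown above, taking the outbound counter as echo requests sent to the phone and the inbound counter as its replies. The function names are hypothetical.

```python
import re

# Constructed samples, trimmed from the command output shown in this case.
OUTBOUND = """Traffic policy outbound: test
Matched          |      Packets:                         1,000
   Passed         |      Packets:                         1,000
"""
INBOUND = """Traffic policy inbound: test
Matched          |      Packets:                           991
   Passed         |      Packets:                           991
"""
DOT1X_SAMPLES = [
    "  Authentication Success: 246        Failure: 46",
    "  Authentication Success: 247        Failure: 46",
]


def matched_packets(text):
    """Return the 'Matched ... Packets' counter from a traffic policy statistics dump."""
    m = re.search(r"^\s*Matched\s*\|\s*Packets:\s*([\d,]+)", text, re.M)
    if m is None:
        raise ValueError("no Matched/Packets counter in input")
    return int(m.group(1).replace(",", ""))


def auth_counters(line):
    """Return (success, failure) from one 802.1X statistics line."""
    m = re.search(r"Authentication Success:\s*(\d+)\s+Failure:\s*(\d+)", line)
    if m is None:
        raise ValueError("no authentication counters in input")
    return int(m.group(1)), int(m.group(2))


def diagnose(outbound, inbound, samples):
    """Correlate unanswered pings with authentication events between samples."""
    missing = matched_packets(outbound) - matched_packets(inbound)
    first, last = auth_counters(samples[0]), auth_counters(samples[-1])
    new_success, new_failure = last[0] - first[0], last[1] - first[1]
    return {
        "missing_replies": missing,
        "new_auth_success": new_success,
        "new_auth_failure": new_failure,
        # New authentications on a port whose phone never disconnected, alongside
        # lost replies, point at re-authentication (the conclusion of step 4).
        "reauth_suspected": missing > 0 and (new_success + new_failure) > 0,
    }


if __name__ == "__main__":
    print(diagnose(OUTBOUND, INBOUND, DOT1X_SAMPLES))
```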
Root Cause
1. Network issue
2. IP Phone issue
3. Switch forwarding issue
Suggestions
None
