Original Message:
Sent: 06-03-2024 13:14
From: Mark Anthony Yeates
Subject: VoIP-VLAN Validation Failed
Ashton,
Are you also statically configuring your VoIP VLAN using the "set switch-options voip interface" command? If so, can you temporarily deactivate it and see if the phone will go in the proper VLAN?
If this doesn't help, can you post the VSAs you are pushing from your RADIUS server?
Thanks,
Mark
------------------------------
Mark Anthony Yeates
Original Message:
Sent: 06-03-2024 08:43
From: ASHTON REYNOLDS
Subject: VoIP-VLAN Validation Failed
Good morning,
I went into different logs and watched the authentication process. It reports that it loses responses from the phone and deems it a failed authentication and puts it in "held". We are currently switching our RADIUS server from ISE to Forescout. Both RADIUS servers do not make a difference regarding the issue. I also see in the logs our RADIUS server is responding and dynamically assigning our voice VLAN. Our voice VLAN and data VLAN are completely separated. This is using Mac-radius. Please see below regarding the logs I found, and thank you for the response and help!
Received VLAN ID/name Voice_Vlan from authentication server
May 30 19:34:54.772306 Vlan received from radius is configured as static voip-vlan
May 30 19:34:54.772340 Config retries adjusted to 3
May 30 19:34:54.772369 Error in parsing client attributes.
May 30 19:34:54.772417 Error response from authentication client. authd reply code 1 for mac 24:d9:21:4d:de:2e on port 558Message not processed further
May 30 19:34:54.772464 AuthSession node with Mac: 24d9214d-de2e in port session AIP DB found !!!
May 30 19:34:54.774358 BSM moved to state: FAIL !!
May 30 19:34:54.774408 BSM moved to state: IDLE !!
May 30 19:34:54.774475 ASM Called with Event: BKEND_AUTHFAIL in State: Authenticating for Port:558 MAC: 24:d9:21:4d:de:2e Id: 2
May 30 19:34:54.774534 PnacAuthAsmMakeHeld Session 24:d9:21:4d:de:2e Authentication mode: Mac-Radius
May 30 19:34:54.774582 Current authentication mode: Mac-Radius Next authentication mode: Mac-Radius
May 30 19:34:54.774622 Session: 24:d9:21:4d:de:2e previous authentication mode: Mac-Radius current authentication mode: Mac-Radius
May 30 19:34:54.774674 TMR: Quiet While Timer Started for port:558, Duration: 60 !!
May 30 19:34:54.774733 TMR: Timer 4 is started for port 558 duration 60
May 30 19:34:54.774788 ASM moved to state: HELD for Port:558 MAC:24:d9:21:4d:de:2e
------------------------------
ASHTON REYNOLDS
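Added example, not part of the original thread and not Juniper code: a small Python triage script that groups dot1x trace lines like those quoted above by client MAC and reports what was logged just before a session went to HELD. Attaching lines that carry no MAC to the next line that names one is an assumption about the trace layout, and the function names are hypothetical.

```python
import re

# Lines copied from the trace quoted in the thread (subset, unmodified).
SAMPLE_TRACE = """\
May 30 19:34:54.772306 Vlan received from radius is configured as static voip-vlan
May 30 19:34:54.772369 Error in parsing client attributes.
May 30 19:34:54.772417 Error response from authentication client. authd reply code 1 for mac 24:d9:21:4d:de:2e on port 558Message not processed further
May 30 19:34:54.772464 AuthSession node with Mac: 24d9214d-de2e in port session AIP DB found !!!
May 30 19:34:54.774475 ASM Called with Event: BKEND_AUTHFAIL in State: Authenticating for Port:558 MAC: 24:d9:21:4d:de:2e Id: 2
May 30 19:34:54.774788 ASM moved to state: HELD for Port:558 MAC:24:d9:21:4d:de:2e
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) (.*)$")
# One MAC is logged as 24:d9:21:4d:de:2e and 24d9214d-de2e; \b stops "MAC:24:..." matching at "AC".
MAC = re.compile(r"\b(?:(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|[0-9a-f]{8}-[0-9a-f]{4})\b", re.I)
PORT = re.compile(r"port[: ]*(\d+)", re.I)
CLUE = re.compile(r"error|static voip-vlan|AUTHFAIL", re.I)

def norm_mac(raw):
    """Reduce either MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", raw.lower())

def held_sessions(trace):
    """Return one finding per client that the trace shows entering HELD."""
    sessions, pending, findings = {}, [], []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # untimestamped or wrapped line
        stamp, msg = m.groups()
        mac = MAC.search(msg)
        if not mac:
            pending.append(msg)  # assumption: belongs to the next MAC-bearing line
            continue
        key = norm_mac(mac.group())
        sess = sessions.setdefault(key, {"port": None, "clues": []})
        port = PORT.search(msg)
        if port:
            sess["port"] = port.group(1)
        sess["clues"] += [c for c in pending + [msg] if CLUE.search(c)]
        pending = []
        if "moved to state: HELD" in msg:
            findings.append({"mac": key, "port": sess["port"],
                             "held_at": stamp, "clues": sess["clues"]})
            sess["clues"] = []  # start fresh for the next attempt
    return findings

if __name__ == "__main__":
    print(held_sessions(SAMPLE_TRACE))
```

On a busy switch the trace interleaves several clients, so treat the attached clue lines as a starting point and confirm them against the timestamps.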
Original Message:
Sent: 05-31-2024 14:42
From: Mark Anthony Yeates
Subject: VoIP-VLAN Validation Failed
Ashton,
Try using the Juniper-VoIP-VLAN VSA in your RADIUS attributes in ISE. Here is an example on how to configure it.
https://www.juniper.net/documentation/us/en/software/nce/nce-213_ex_and_cisco_ise/topics/topic-map/nce-213-ex-series-switch-cisco-ise.html
I believe there was a change between 21 and 22 that is forcing the use of the VSA. Unfortunately, this is not documented and I am putting in a doc PR to get the documentation updated.
Hope this helps.
Thanks,
Mark
------------------------------
Mark Anthony Yeates
Original Message:
Sent: 05-28-2024 08:08
From: ASHTON REYNOLDS
Subject: VoIP-VLAN Validation Failed
Good morning,
We are working on getting our EX3400 switches from 20.4R3-S3.4 to 22.4R3.25. Everything was working except our Avaya phones are in a held or connecting state after the upgrade. We noticed that when we go to any version of 22 we have this issue. They were authenticating fine before the upgrade. We cannot figure out the problem; we see in Wireshark that the switch never sends any requests for authentication to the RADIUS server. We run the command show dot1x interface ge-0/0/12 detail and see: Operational state: Held | Held state Reason: VoIP-VLAN validation failed. Any ideas on why a firmware upgrade causes this? We looked all over the internet and only found server-fail-voip being everyone's problem, but unfortunately we do not use that command at all. Any ideas will be greatly appreciated!
What we use: EX3400 20.4R3-S3.4 to 22.4R3.25 | Phones: Avaya 9611G authenticating with MAB | RADIUS Server: CISCO ISE
------------------------------
ASHTON REYNOLDS
------------------------------