Switching

 View Only
last person joined: yesterday 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  VoIP-VLAN Validation Failed

    Posted 05-28-2024 08:09

    Good morning,

    We are working on getting our EX3400 switches from 20.4R3-S3.4 to 22.4R3.25. Everything was a working except our Avaya phones are being in a held or connecting state after the upgrade. We noticed when we go to any version of 22 we have this issue. They were authenticating fine before the upgrade, we cannot figure out the problem we see the switch never sends any requests for authentication to the radius server on Wireshark. We run the command show dot1x interface ge-0/0/12 detail and see:  Operational state: Held | Held state Reason: VoIP-VLAN validation failed. Any ideas on why a firmware upgrade causes this? We looking all over the internet and we only found server-fail-voip being everyone's problem but unfortunately we do not use that command altogether. Any ideas will be greatly appreciated! 

    What we use: ex3400 20.4R3-S3.4 to 22.4R3.25. |Phones: Avaya 9611G authenticating with MAB | RADIUS Server:  CISCO ISE



    ------------------------------
    ASHTON REYNOLDS
    ------------------------------


  • 2.  RE: VoIP-VLAN Validation Failed

    Posted 05-30-2024 15:15

    Hi, not sure this is at all related, as our 3400s are just at version 21.4R3-S6.5 . However, we have sometimes had issues with phones booting on dot1x ports. 

    In particular, I have seen devices in the Held state when the VLAN name returned by Clearpass (our RADIUS server) is not in fact present on the access switch. (This probably would not have changed with the firmware update, though!)

    Also,  you don't mention any particular voip config, but we use lldp-med, to get the VLAN info to the phones, and also, we have the voice vlan tagged on all access ports. Not sure if these settings affect the  "VoIP-VLAN validation," whatever it is.  (voice-vlan is the name of our phone VLAN):

    set protocols lldp interface all power-negotiation
    set protocols lldp-med interface all
    set switch-options voip interface access-ports vlan voice-vlan
    


    ------------------------------
    Steve Bohrer
    ------------------------------



  • 3.  RE: VoIP-VLAN Validation Failed

    Posted 05-31-2024 14:53

    Ashton,

    Try using the Juniper-VoIP-VLAN VSA in your RADIUS attributes in ISE. Here is an example on how to configure it. 

    https://www.juniper.net/documentation/us/en/software/nce/nce-213_ex_and_cisco_ise/topics/topic-map/nce-213-ex-series-switch-cisco-ise.html

    I believe there was a change between 21 and 22 that is forcing the use of the VSA. Unfortunately, this is not documented and I am putting in a doc PR to get the documentation updated. 

    Hope this helps. 

    Thanks,

    Mark



    ------------------------------
    Mark Anthony Yeates
    ------------------------------



  • 4.  RE: VoIP-VLAN Validation Failed

    Posted 05-31-2024 16:44
    Also note:

    You must not configure both data and voice on the same VLAN. If you configure data and voice on the same VLAN, the configuration will not be accepted.

    If you have enabled 802.1X authentication on your switch and:

    • The voice VLAN you have configured is the same as the data VLAN that the authentication server sends,

    • The data VLAN you have configured is the same as the voice VLAN that the authentication server sends, or

    • The data VLAN and the voice VLAN that the authentication server sends are the same

    The client would move to HELD state.

    https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/802-1x-and-voip-on-switches.html#d152e203__d23010e1667

    Hope this helps. 

    Thanks,

    Mark



    ------------------------------
    Mark Anthony Yeates
    ------------------------------



  • 5.  RE: VoIP-VLAN Validation Failed

    Posted 06-03-2024 10:38

    Good morning,

    I went into different logs and watched the authentication process. It reports that it looses responses from the phone and deems is a failed authentication and puts it in "held". We are currently switching our RADIUS server from ISE to Forescout. Both Radius servers do not make a difference regarding the issue.  I also see in the logs our Radius server is responding and dynamically assigning our Voice vlan. Our voice vlan and data vlan are completely separated. This is using Mac-radius. Please see below regarding the logs i found and thank you for the response and help!


     Received VLAN ID/name Voice_Vlan from authentication server
    May 30 19:34:54.772306 Vlan received from radius is configured as static voip-vlan
    May 30 19:34:54.772340 Config retries adjusted to 3
    May 30 19:34:54.772369 Error in parsing client attributes.
    May 30 19:34:54.772417 Error response from authentication client. authd reply code 1 for mac 24:d9:21:4d:de:2e on port 558Message not processed further
    May 30 19:34:54.772464 AuthSession node with Mac: 24d9214d-de2e in port session AIP DB found !!!

    May 30 19:34:54.774358  BSM moved to state: FAIL !!

    May 30 19:34:54.774408  BSM moved to state: IDLE !!

    May 30 19:34:54.774475  ASM Called with Event: BKEND_AUTHFAIL in State: Authenticating for Port:558 MAC: 24:d9:21:4d:de:2e Id: 2

    May 30 19:34:54.774534 PnacAuthAsmMakeHeld Session 24:d9:21:4d:de:2e Authentication mode: Mac-Radius

    May 30 19:34:54.774582 Current authentication mode: Mac-Radius Next authentication mode: Mac-Radius
    May 30 19:34:54.774622 Session: 24:d9:21:4d:de:2e previous authentication mode: Mac-Radius current authentication mode: Mac-Radius

    May 30 19:34:54.774674  TMR: Quiet While Timer Started for port:558, Duration: 60 !!

    May 30 19:34:54.774733 TMR: Timer 4 is started for port 558 duration 60

    May 30 19:34:54.774788  ASM moved to state: HELD for Port:558 MAC:24:d9:21:4d:de:2e



    ------------------------------
    ASHTON REYNOLDS
    ------------------------------



  • 6.  RE: VoIP-VLAN Validation Failed
    Best Answer

    Posted 06-03-2024 14:38

    Ashton,

    Are you also statically configuring your VoIP VLAN using the "set switch-options voip interface" command? If so, can you temporarily deactivate and see if the phone will go in the proper VLAN?

    If this doesn't help, can you post the VSAs you are pushing from your RADIUS server? 

    Thanks,

    Mark



    ------------------------------
    Mark Anthony Yeates
    ------------------------------



  • 7.  RE: VoIP-VLAN Validation Failed

    Posted 06-04-2024 07:48

    Good morning,

    We are using "set switch-options voip interface" when i removed the switch options it worked! Our phones authenticate again. Super weird as i removed this option before and had no luck. Thank you for all the help!



    ------------------------------
    ASHTON REYNOLDS
    ------------------------------