
Cisco Bug: CSCvt30243 - connectivity issue after moving client from dot1x enable port to non dot1x port

Last Modified

Oct 05, 2020

Products (1)

  • Cisco IOS

Known Affected Releases

  • 16.12.1
  • 16.6.8

Description (partial)

Reachability to the gateway is affected for connected clients when they are moved from a secure port (Dot1x + MACsec) to a non-secured port (an L2 access port, with or without CTS manual enabled).

In the broken state, the switch generates packets destined for that client (if control-plane generated), but those packets never reach the egress port: they are black-holed because of a mismatch in rewrite-index between the Station-index handler and the Rewrite-index handler. Note that pass-through traffic to the affected PC is also impacted for the same reason.

The issue is observed when port authentication is enabled on the port for the client device and the client is then moved to a non-authenticated port.

Secure Port:
interface GigabitEthernet x/x/x
 description cisco1
 switchport access vlan xxx
 switchport mode access
 ip flow monitor cts_sw_flow_monitor input
 ip flow monitor cts_flow_monitor output
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication timer restart 4
 dot1x pae authenticator
 dot1x timeout tx-period 4
 dot1x max-req 10
 dot1x max-reauth-req 1
 dot1x timeout start-period 2
 dot1x timeout held-period 2
 dot1x max-start 10
 mka policy replay-policy
 spanning-tree portfast

Unsecure Port:
interface GigabitEthernet x/x/x
 description ** AcessTerminal **
 switchport access vlan xxx
 switchport mode access
 cts manual  --> (Optional)
  policy static sgt xxx
  no propagate sgt
 spanning-tree portfast
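As an added example (not part of the bug page or Cisco's tooling), the following Python script parses an IOS running-config excerpt and lists the secure / non-secure access-port pairs between which a client move would match the trigger described above, so an operator can see where the condition can be hit before a client is moved. The sample config, interface names, VLANs and SGT value are constructed.

```python
import re

# Constructed running-config excerpt modelled on the two port types in the bug description
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description cisco1
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mka policy replay-policy
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description ** AccessTerminal **
 switchport access vlan 100
 switchport mode access
 cts manual
  policy static sgt 10
  no propagate sgt
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport access vlan 200
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None  # end of the interface block
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return blocks

def classify(lines):
    """'secure' = dot1x authenticator + MKA (MACsec); 'cts-manual' or 'plain' = non-secured L2 access port."""
    if "switchport mode access" not in lines:
        return None  # not an access port, outside the bug's scope
    if "dot1x pae authenticator" in lines and any(l.startswith("mka policy") for l in lines):
        return "secure"
    return "cts-manual" if "cts manual" in lines else "plain"

def find_exposed_moves(config):
    """Return (secure_port, non_secure_port) pairs; moving a client along such a pair matches the trigger."""
    ports = {name: classify(lines) for name, lines in parse_interfaces(config).items()}
    secure = [n for n, c in ports.items() if c == "secure"]
    non_secure = [n for n, c in ports.items() if c in ("cts-manual", "plain")]
    return [(s, i) for s in secure for i in non_secure]
```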
