ADCampus 6.0 Leaf devices are always in the fail-permit state after a power loss

2023-12-30 21:11:15 Published

Network Topology

ADCampus VXLAN network

Problem Description

The client is always in the fail-permit state after the Leaf device is rebooted.


Process Analysis

Use the command dis mac-authentication mac-address critical-vsi on the rebooted switch to check the MACs that are currently in the fail-permit state.


Use the command dis mac-authentication connection to check for MAC authentication users that are already online on this device.


The RADIUS server is in the Active state, so no users should remain in the fail-permit state.

RADIUS scheme name: bjyy

  Index: 1

  Primary authentication server:

    Host name: Not Configured

    IP   : 172.x.x.254                             Port: 1812 

    VPN  : Not configured                         

    State: Active

    Test profile: Not configured

    Weight: 0

  Primary accounting server:

    Host name: Not Configured

    IP   : 172.x.x.254                             Port: 1813 

    VPN  : Not configured                         

    State: Active

    Weight: 0

After the site changed the lease to 1 minute, the fail-permit address was still not switched. This indicates that the table entries on the switch are abnormal: once the RADIUS server is active again, terminals in the escape (fail-permit) state are normally re-authenticated and switched to their business address. The abnormal devices on the site, however, always stay in the fail-permit state.

R&D team's result:

After all the devices were restarted at the same time following the power failure, some users received no answer because RADIUS authentication timed out, and they joined the critical vlan. After a user joins the critical-vsi through MAC authentication, a new MAC is constructed to initiate authentication once every 30 seconds, and because of a problem in this version the DHCP trigger flag is not set in the new MAC. If carry user-ip is set on the interface, the device checks the IP and the DHCP trigger flag bit in the new MAC; if the DHCP trigger flag is not set, the next authentication cannot be triggered and the user remains in the critical-vsi. After carry user-ip on the interface was temporarily shut down and then restored, the MAC information in the critical-vsi was cleared normally within 30 seconds and all issues were resolved.
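The check performed by hand in this analysis, as an added example (not H3C code): it reads RADIUS scheme output in the format shown above and flags MACs that stay in the critical-vsi across repeated polls while the primary authentication server is Active. How the MAC sets are collected from dis mac-authentication mac-address critical-vsi, the 60-second grace period, and the function names are assumptions.

```python
import re

# Constructed, abridged sample in the format of the RADIUS scheme output above.
SAMPLE_SCHEME = """\
RADIUS scheme name: bjyy
  Primary authentication server:
    IP   : 172.x.x.254                             Port: 1812
    State: Active
  Primary accounting server:
    IP   : 172.x.x.254                             Port: 1813
    State: Active
"""

REAUTH_INTERVAL = 30  # seconds between re-authentication attempts, per the analysis


def server_states(scheme_text):
    """Map each '<role> server:' section of the scheme output to its State value."""
    states, section = {}, None
    for line in scheme_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"(.+ server):", line)
        if m:
            section = m.group(1)
        elif section and line.startswith("State:"):
            states[section] = line.split(":", 1)[1].strip()
    return states


def stuck_macs(scheme_text, snapshots, grace=2 * REAUTH_INTERVAL):
    """Return MACs that never left the critical-vsi during the polling window.

    snapshots: list of (epoch_seconds, set_of_macs), oldest first, one per poll.
    grace: assumed minimum window; a healthy device clears entries within ~30 s.
    """
    if server_states(scheme_text).get("Primary authentication server") != "Active":
        return set()  # fail-permit is expected while the server is unreachable
    if len(snapshots) < 2 or snapshots[-1][0] - snapshots[0][0] < grace:
        return set()  # window too short to tell stuck entries from normal ones
    persistent = set(snapshots[0][1])
    for _, macs in snapshots[1:]:
        persistent &= set(macs)  # keep only MACs seen in every poll
    return persistent
```

A non-empty result on a Leaf with carry user-ip configured matches the symptom described here: clients keep fail-permit access without ever being re-authenticated.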



Solution

Workaround:

Undo the carry user-ip function on the interface.


Solution:

Upgrade the firmware version of the Leaf. Please contact H3C TS to get the specific version.
