Meraki

Community

MS250 14.32 access policy

Solved
bmarms
Getting noticed
‎Nov 5 2021 7:52 AM
‎Nov 5 2021 7:52 AM

MS250 14.32 access policy

Anyone have any issues with access policies on release 14?  I upgraded an MS250 stack from 12.28.1 to 14.32 at the request of meraki support.  Since the upgrade, we've had a number of user's ethernet nics showing as "unauthenticated" and the switch port not passing any traffic.  switch/radius server/and computer Wired-AutoConfig logs all show successful .1x authentication yet the switchport does not pass traffic. 

the only way I've been able to solve is to remove my nic and re-add it to my machine.  once i reboot though, it returns to an unauthenticated state.  I've had to remove the access policy from the switch ports altogether or move user's over to WiFi.  

 

I'm rolling back to 12.28.1 to see if the issue is resolved.

0 Kudos
1 Accepted Solution
bmarms
Getting noticed
‎Dec 1 2021 8:28 AM
‎Dec 1 2021 8:28 AM

Meraki was able to identify that STP being disabled on ports was causing the 802.1x issue as the switch was not able to maintain an accurate mac table.  I enabled STP on all ports where it was disabled and upgraded switches to 14.32 and am having no issues.  Dev is reviewing the access policy not working on STP disabled ports in 14.32 as its not an expected behavior

View solution in original post

0 Kudos
23 Replies 23
JacekJ
Building a reputation
‎Nov 25 2021 7:48 AM
‎Nov 25 2021 7:48 AM

I have seen this issue recently, and directly after upgrading from the 12.28.1 to 14.32 version, but with a small twist.

We are using Yealink VoIP phones and at some places a PC is connected via the phone to the MS225 switch.

Now only in these setups the VoIP phone seems to loose connectivity with the SIP server on the Voice VLAN.

The PC connection seems to remain in tact, I started looking into this issue.

Also - no issues found when an PC is connected directly to the switch, or the VoIP phone is connected "solo" to the port.

Did the rollback fix the issue for you?

0 Kudos
In response to JacekJ
bmarms
Getting noticed
‎Dec 1 2021 8:27 AM
‎Dec 1 2021 8:27 AM

the rollback fixed it.  Meraki was able to identify that STP being disabled on ports was causing the 802.1x issue as the switch was not able to maintain an accurate mac table.  I enabled STP on all ports where it was disabled and upgraded switches to 14.32 and am having no issues.  Dev is reviewing the access policy not working on STP disabled ports in 14.32 as its no an expected behavior

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Nov 26 2021 5:48 AM
‎Nov 26 2021 5:48 AM

In the 15.4 release notes there is this note that I think relates to your issue:

 

Known issues

  • If the voice VLAN authenticates before the data VLAN, the voice VLAN will stop working after the data VLAN authenticates (present since MS 14.28)
If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
JacekJ
Building a reputation
‎Nov 26 2021 5:53 AM
‎Nov 26 2021 5:53 AM

Exactly, I'm just in a call with support and I found that.

Now I don't understand why this note isn't present in ALL versions between 14.28 and 15.4 - this is madness... 😕

At least the Engineer is very helpful and trying to find an workaround not requiring rollback to 12.28.1.

0 Kudos
In response to cmr
JacekJ
Building a reputation
‎Nov 28 2021 11:39 PM
‎Nov 28 2021 11:39 PM

Yup, at this point there is no other option than an rollback to 12.28.1.

There is also no workarounds.

0 Kudos
bmarms
Getting noticed
‎Dec 1 2021 8:28 AM
‎Dec 1 2021 8:28 AM

Meraki was able to identify that STP being disabled on ports was causing the 802.1x issue as the switch was not able to maintain an accurate mac table.  I enabled STP on all ports where it was disabled and upgraded switches to 14.32 and am having no issues.  Dev is reviewing the access policy not working on STP disabled ports in 14.32 as its not an expected behavior

0 Kudos
In response to bmarms
mcvosi
Getting noticed
‎Dec 2 2021 7:57 AM
‎Dec 2 2021 7:57 AM

I am running into a similar issue after upgrading to 14.32. I do have BPDU guard enabled on the ports, so shouldn't that address the issue?

 

0 Kudos
In response to mcvosi
bmarms
Getting noticed
‎Dec 2 2021 10:28 AM
‎Dec 2 2021 10:28 AM

does your port config look like this?

 

bmarms_0-1638469709889.png

 

0 Kudos
In response to bmarms
mcvosi
Getting noticed
‎Dec 2 2021 10:47 AM
‎Dec 2 2021 10:47 AM

Yep

 

0 Kudos
In response to bmarms
ZeeBoussaid
Getting noticed
‎Feb 2 2022 8:41 AM
‎Feb 2 2022 8:41 AM

i dont think the STP is the issue. we have STP enabled on all MS225 ports and after the 14.32 upgrade we started  having issues on IP-Phones and laptops not authenticating. the "fix" for now is to roll back to 12.28

0 Kudos
bmarms
Getting noticed
‎Dec 2 2021 10:27 AM
‎Dec 2 2021 10:27 AM

does your port config look like this?

 

bmarms_0-1638469654102.png

 

0 Kudos
mcvosi
Getting noticed
‎Dec 2 2021 10:47 AM
‎Dec 2 2021 10:47 AM

Is only solution at this time to downgrade? I would be moving back to 12.28.

 

0 Kudos
In response to mcvosi
bmarms
Getting noticed
‎Dec 2 2021 10:52 AM
‎Dec 2 2021 10:52 AM

yes, you would have to roll back

In response to bmarms
sbishop
Here to help
‎Dec 2 2021 12:00 PM
‎Dec 2 2021 12:00 PM

So how do you perform a rollback?

0 Kudos
In response to sbishop
bmarms
Getting noticed
‎Dec 3 2021 6:13 AM
‎Dec 3 2021 6:13 AM

go to "organization-firmware upgrades" and you should see the upgrade event. there's an icon to rollback that looks like this:

bmarms_0-1638540754455.png

click that and you can then schedule your rollback as long as its been 14 days or less since your upgrade

mcvosi
Getting noticed
‎Dec 5 2021 7:02 PM
‎Dec 5 2021 7:02 PM

I rolled back, but unfortunately I'm back on a 11.x release. I'm sure there are fixed security vulnerabilities in later versions, and would at least like to upgrade to a 12.x release that has no issues with voice VLANs, but that doesn't appear to be an option. At least my voice VLANs are working now though.

 

0 Kudos
mcvosi
Getting noticed
‎Jan 4 2022 10:58 AM
‎Jan 4 2022 10:58 AM

With the help of support, I was able to rollback to 14.27, which does not have this issue.

 

I will stay on this version until there's a fix.

 

0 Kudos
ZeeBoussaid
Getting noticed
‎Feb 2 2022 8:37 AM
‎Feb 2 2022 8:37 AM

we are experiencing the exact issue with the ip-Phone trying to authenticate on VOice Vlan before the Data Vlan. the phones stop working after the laptop authenticate. i believe we have to roll back to 12.28 until Meraki fix this issue.

0 Kudos
In response to ZeeBoussaid
mcvosi
Getting noticed
‎Feb 2 2022 8:43 AM
‎Feb 2 2022 8:43 AM

Support can get you to 14.27 which does not have this issue. I also see it's resolved in a 15.x beta release per the release notes.

 

0 Kudos
In response to mcvosi
ZeeBoussaid
Getting noticed
‎Feb 2 2022 9:07 AM
‎Feb 2 2022 9:07 AM

i dont think it is resolved, im looking at the latest MS15.9 and it still showing the Voice VLAN issue in the Known Issues:

ZeeBoussaid_0-1643821608136.png

 

0 Kudos
In response to ZeeBoussaid
mcvosi
Getting noticed
‎Feb 2 2022 9:09 AM
‎Feb 2 2022 9:09 AM

OK, yeah I guess I missed that. Anyway, go to 14.27 and you should be good.

 

Support will have to assist with that.

 

0 Kudos
In response to mcvosi
JacekJ
Building a reputation
‎Feb 15 2022 12:02 AM
‎Feb 15 2022 12:02 AM

14.33 release candidate seems to have that one fixed:

 

JacekJ_0-1644912111140.png

 

CML_Todd
Getting noticed
‎Feb 14 2022 12:42 PM
‎Feb 14 2022 12:42 PM

Is there an issue if 802.1x isn't running on the voice vlan?  Is this voice vlan issue strictly 802.1x related?  

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.