Wired Intelligent Edge


Printers going offline

  • 1.  Printers going offline

    Posted Oct 21, 2022 10:48 AM
    Hi All, 

    We are seeing a weird issue where printers are going offline and the only way to get them back online is to bounce the switch port or reboot the printer. 

    They are connected to 6300 switches which are acting as edge and distribution. The ports have aaa enabled on them and authenticate against CPPM. The port config is: 

    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access client-limit 2
    aaa authentication port-access dot1x authenticator
    aaa authentication port-access mac-auth

    When the printers authenticate against CPPM, they get this role with re-authentication configured on it:

    port-access role WIRED_PRINTERS
    reauth-period 900
    vlan access 2082

    I have checked and MAC-pinning is not available on these switches and we are running version 10.09.1000. 

    These are RICOH printers. I am wondering if anyone else has experienced the same issue and has any recommendations?

  • 2.  RE: Printers going offline

    Posted Oct 22, 2022 02:11 AM
    Hi @danger ,

    Try to add 'client-inactivity timeout <seconds>' to the role WIRED_PRINTERS. You can even set it to 'none'.

    Ivan Bondar

  • 3.  RE: Printers going offline

    Posted Oct 24, 2022 07:04 AM

    Please be advised that I have added the above to the role config and it does not stop the printers from going offline.

    I had this issue with another client, and the solution at that site was to remove aaa from the port but this client does not want to do this.

    Do you have any other ideas?

  • 4.  RE: Printers going offline

    Posted Oct 25, 2022 06:56 AM
    When a device authenticates on an aaa port, the logs on the switch show the port is blocked by port-access.
    CPPM is only returning a role, and the role on the switch does not have anything in there that would down the port. Is there any way to stop the port being downed after authenticating with CPPM?

  • 5.  RE: Printers going offline

    Posted Oct 26, 2022 07:58 AM
    The switch in general blocks access if it receives invalid configuration, like a user-role name that is not configured on the switch.

    You may see something in the logging or the 'show port-access clients interface 1/1/1 detail' may provide a reason why the port access is blocked.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 6.  RE: Printers going offline

    Posted Oct 26, 2022 09:38 AM


    Maybe you should contact RICOH as well.
    We also have trouble with RICOH MFDs (using Aruba 6200F, but similar problems with Konica too, no problem on ProCurve switches).

    Every 9 minutes the authentication got lost for a minute.
    We can see in the packet capture that the printer sends an eap tls packet without the actual session id, resulting in no successful tls session.
    Later the printer sends a completely new authentication request, which is now successful.
    Aruba Support says --> Problem on Ricoh side

    2022-10-25T06:36:15.955872+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
    2022-10-25T06:36:15.940967+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 2480 is mapped to client 58:38:79:4b:6f:2c on port 1/1/38
    2022-10-25T06:34:48.993913+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for 58:38:79:4b:6f:2c with VLAN 2480 on port 1/1/38
    2022-10-25T06:34:48.970868+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/38 is blocked by port-access
    2022-10-25T06:21:54.698640+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
    2022-10-25T06:21:54.679318+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 2480 is mapped to client 58:38:79:4b:6f:2c on port 1/1/38

    I really don't know why it is every 9 minutes, but we could solve this 9 minute issue with the mentioned command "client-inactivity timeout none".

    But the problem with the reauth still exists, so now the issue occurs every x hours (as defined in the reauth interval)...
    The answer from RICOH support was not very helpful either: if reauth does not work properly, please disable reauth...
    Ricoh says the problem is on the switch or radius side.

    Well, I don't know why you have mac-auth enabled too, and why it is prior to dot1x, but okay. Here is our switch config, perhaps it can help you:

    radius-server host "CPPM-IP" timeout 10 key ciphertext *** retries 2 tracking enable
    radius dyn-authorization enable
    radius dyn-authorization client "CPPM-IP" secret-key ciphertext ***
    aaa authentication allow-fail-through
    aaa group server radius EWR
        server "CPPM-IP"
    aaa radius-attribute group EWR
        tunnel-private-group-id value static
        tunnel-private-group-id request-type authentication
    aaa authentication port-access dot1x authenticator
        radius server-group EWR
        eap-tls-fragment towards-server 1400
    vsf-vw-2og-01# sh run int 1/1/38
    interface 1/1/38
        no shutdown
        speed auto 100m
        description Drucker
        no routing
        vlan access 2480
        spanning-tree bpdu-guard
        spanning-tree root-guard
        spanning-tree tcn-guard
        spanning-tree port-type admin-edge
        aaa authentication port-access client-limit 2
        aaa authentication port-access auth-role DRUCKER
        aaa authentication port-access radius-override enable
        port-access allow-flood-traffic enable
        aaa authentication port-access dot1x authenticator
            eapol-timeout 10
            initial-auth-response-timeout 10
            max-eapol-requests 1
            max-retries 3
            quiet-period 5
            discovery-period 10
        client track ip update-interval 300
    vsf-vw-2og-01# sh run port-access role
    port-access role DRUCKER
        auth-mode client-mode
        client-inactivity timeout none
        session-timeout 86400
        mtu 1400
        trust-mode none
        reauth-period 28800
        cached-reauth-period 360
        vlan access 2480
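
The block/unblock log lines quoted in the post above can be turned into measured outage windows, which makes it easier to compare the interval between drops against the timers discussed in this thread (reauth-period, client-inactivity timeout). This is an added example, not part of the original post; the function name and the regular expression are assumptions based only on the log format shown above.

```python
import re
from datetime import datetime

# Log lines quoted in the post above (newest first, as the switch prints them).
SAMPLE_LOG = """\
2022-10-25T06:36:15.955872+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:34:48.993913+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for 58:38:79:4b:6f:2c with VLAN 2480 on port 1/1/38
2022-10-25T06:34:48.970868+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/38 is blocked by port-access
2022-10-25T06:21:54.698640+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
"""

# Matches only the port-accessd events 10502 (blocked) and 10503 (unblocked).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ port-accessd\[\d+\]: Event\|1050[23]\|.*?"
    r"Port (?P<port>\S+) is (?P<state>blocked|unblocked) by port-access"
)

def port_access_outages(log_text):
    """Pair each 'blocked' event with the next 'unblocked' event on the same port."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["port"], m["state"]))
    events.sort()  # switch output is newest-first; process oldest-first

    last_unblock, open_outage, result = {}, {}, []
    for ts, port, state in events:
        if state == "blocked":
            up = last_unblock.get(port)
            rec = {"port": port, "blocked_at": ts,
                   "offline_s": None,  # stays None if the port never came back
                   "online_before_s": (ts - up).total_seconds() if up else None}
            result.append(rec)
            open_outage[port] = rec
        else:
            last_unblock[port] = ts
            rec = open_outage.pop(port, None)
            if rec:
                rec["offline_s"] = (ts - rec["blocked_at"]).total_seconds()
    return result

if __name__ == "__main__":
    for o in port_access_outages(SAMPLE_LOG):
        print(o["port"], o["blocked_at"].isoformat(),
              "offline_s=", o["offline_s"], "online_before_s=", o["online_before_s"])
```

An `online_before_s` value that repeats across many outages and lines up with a configured timer points at that timer as the trigger.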

  • 7.  RE: Printers going offline

    Posted Nov 07, 2022 06:39 AM
    Hi All, 

    Please be advised that this was a RICOH printer problem. The RICOH engineer noticed that the setting called "screen device always connection setting" was disabled on the printer.

    We removed aaa from the port as a troubleshooting step and the problem was still happening. 

    We have the same problem with Dell iDRAC, which connects to Aruba switches. This is the management platform for Dell servers. We are confirming with Dell if there is a similar wake on LAN feature. Has anyone else experienced this as well?


  • 8.  RE: Printers going offline

    Posted Nov 07, 2022 07:19 AM


    I'm not sure about the problem...

    Assuming the port goes down due to lack of activity, I would suggest trying this:

    - For dot1x, "port-access allow-flood-traffic enable" in the interface config context.

    - Generally enable "client track ip" globally and, in the desired vlan context, "client track ip", and perhaps tune the update interval in the interface config context with "client track ip update-interval 60-28000 (default 1800)".

    I'm not sure how the client track ip update probe works. If it is done by the switch with a broadcast, it may help.