Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

Printers going offline

This thread has been viewed 58 times

  • 1.  Printers going offline

    Posted Oct 21, 2022 10:48 AM
    Hi All, 

    We are seeing a weird issue where printers are going offline and the only way to get them back online is to bounce the switch port or reboot the printer. 

    They are connected to 6300 switches which are acting as edge and distribution. The ports have aaa enabled on them and authenticate against CPPM. The port config is: 

    no shutdown
    no routing
    vlan access 1
    loop-protect
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access client-limit 2
    aaa authentication port-access dot1x authenticator
    enable
    aaa authentication port-access mac-auth
    enable

    When the printers authenticates against CPPm they get this role with re-authentication configured on it:

    port-access role WIRED_PRINTERS
    stp-admin-edge-port
    reauth-period 900
    vlan access 2082


    I have checked and MAC-pinning is not available on these switches and we are running version 10.09.1000. 

    These are RICOH printers, I am wondering if anyone else has experienced the same issue and has any recommendations?


  • 2.  RE: Printers going offline

    EMPLOYEE
    Posted Oct 22, 2022 02:11 AM
    Hi @danger ,

    Try to add 'client-inactivity timeout <seconds>' to the role WIRED_PRINTERS. You can even set it to 'none'.


    ------------------------------
    Ivan Bondar
    ------------------------------

    Original Message


  • 3.  RE: Printers going offline

    Posted Oct 24, 2022 07:04 AM
    Hi,

    Please be advised that I have added the above to the role config and it does not stop the printers from going offline.

    I had this issue with another client, and the solution at that site was to remove aaa from the port but this client does not want to do this.

    Do you have any other ideas?​
    Original Message


  • 4.  RE: Printers going offline

    Posted Oct 25, 2022 06:56 AM
    when a device authenticates on a aaa port in the logs on the switch it shows the port is blocked by port-access. 
    CPPM is only returning a role and the role on the switch does not have anything in there that would down the port. Is there anyway to stop the port being downed after authenticating with CPPM.
    Original Message


  • 5.  RE: Printers going offline

    EMPLOYEE
    Posted Oct 26, 2022 07:58 AM
    The switch in general blocks access if it receives invalid configuration, like a user-role name that is not configured on the switch.

    You may see something in the logging or the 'show port-access clients interface 1/1/1 detail' may provide a reason why the port access is blocked.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 6.  RE: Printers going offline

    Posted Oct 26, 2022 09:38 AM

    Hi,

    Maybe you should contact RICHOH as well.
    We do also have trouble with RICOH MFDs (using Aruba 6200F, but similar problems with Konica too, no problem on ProCurve Switches).

    Every 9 minutes the authentification got lost for a minute.
    We can see in the packet capture, that the printers sends a eap tls packet without the actual session id, resulting in no successful tls session.
    Later the printer send a complete new authentification request, which is now successful.
    Aruba Support says --> Problem on Ricoh side

    2022-10-25T06:36:15.955872+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:36:15.940967+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 2480 is mapped to client 58:38:79:4b:6f:2c on port 1/1/38
2022-10-25T06:34:48.993913+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for 58:38:79:4b:6f:2c with VLAN 2480 on port 1/1/38
2022-10-25T06:34:48.970868+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/38 is blocked by port-access

2022-10-25T06:21:54.698640+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:21:54.679318+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 2480 is mapped to client 58:38:79:4b:6f:2c on port 1/1/38

    I really don't know why it is every 9 minutes, but we could solve this 9 minute issue with the mentioned command "client-inactivity timeout none".

    But the problem with the reauth still exist, so now the issue occurs every x hours (as defines in the reauth interval)...
    The answer from RICOH support was even not very helpful, if reauth does not work properly, please disable reauth...
    Ricoh says probem is on switch or radius side.

    Well I dont know why you have mac-auth enabled too, and why it is prior to dot1x, but okay. Here is our switch config, perhaps it can help you:

    radius-server host "CPPM-IP" timeout 10 key ciphertext *** retries 2 tracking enable
radius dyn-authorization enable
radius dyn-authorization client "CPPM-IP" secret-key ciphertext ***

aaa authentication allow-fail-through

aaa group server radius EWR
    server "CPPM-IP"

aaa radius-attribute group EWR
    tunnel-private-group-id value static
    tunnel-private-group-id request-type authentication

aaa authentication port-access dot1x authenticator
    radius server-group EWR
    eap-tls-fragment towards-server 1400
    enable


vsf-vw-2og-01# sh run int 1/1/38
interface 1/1/38
    no shutdown
    speed auto 100m
    description Drucker
    no routing
    vlan access 2480
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access client-limit 2
    aaa authentication port-access auth-role DRUCKER
    aaa authentication port-access radius-override enable
    port-access allow-flood-traffic enable
    aaa authentication port-access dot1x authenticator
        cached-reauth
        canned-eap-success
        eapol-timeout 10
        initial-auth-response-timeout 10
        max-eapol-requests 1
        max-retries 3
        quiet-period 5
        discovery-period 10
        enable
    client track ip update-interval 300
    loop-protect
    exit

vsf-vw-2og-01# sh run port-access role
port-access role DRUCKER
    auth-mode client-mode
    client-inactivity timeout none
    session-timeout 86400
    mtu 1400
    trust-mode none
    stp-admin-edge-port
    reauth-period 28800
    cached-reauth-period 360
    vlan access 2480
    exit

    Original Message


  • 7.  RE: Printers going offline

    Posted Nov 07, 2022 06:39 AM
    Hi All, 

    Please be advised that this was a RICOH printer problem, the RICOH engineer noticed the setting called: "screen device always connection setting." was disabled on the printer. 

    We removed aaa from the port as a troubleshooting step and the problem was still happening. 

    We have the same problem with Dell iDRAC which connect to Aruba switches. This is management platform for Dell Servers. We are confirming with Dell if there is a similar wake on LAN feature. Has anyone else experienced this as well?

    Thanks, 
    Original Message


  • 8.  RE: Printers going offline

    Posted Nov 07, 2022 07:19 AM

    Hi,

    I'm not sure about the problem...

    Assuming about Port down by lack of activity I would suggest to try this:

    - For dot1x "port-access allow-flood-traffic enable" in the interface config context.

    - Generally enable "client track ip" globally and in the desired vlan context client track ip, and perhaps tuning the update interval in the interface config context by " client track ip update-interval 60-28000 (default 1800)"

    I'm not sure about how the client track ip update probe is working. If it is done by the the switch with a Broadcast, it maybe help.

    Regards

    Robert


    Original Message