I've seen this if the "configuration mode exclusive" command exists in the configuration. This means that only one session can be in "configuration terminal" mode at a time. This creates strange results like you are seeing. Do you have this set?
I wrote up a small blog explaining this a little bit.

http://www.netcraftsmen.net/component/content/article/67-network-security/840.html

------------------------------------------------------
Rob Chee, CCIE #8188 (R&S and Security)
Senior Network Consultant
Chesapeake NetCraftsmen, LLC.
Company Website: http://www.netcraftsmen.net
My Blog: http://www.netcraftsmen.net/resources/blogs/blogger/Rob%20Chee/
Mobile: 571-437-2829
------------------------------------------------------

On 11/12/10 3:25 PM, "James Spitznagel" <[email protected]> wrote:

>We have had Clean Access installed for 4+ years. Recently (and over several version upgrades) we have been seeing SNMP write issues with small numbers of switches. The switches are mostly Cat 3560s, with a few 2950s and 3550s. We are currently running 4.7.1
>
>Our most common issue is that SNMP writes (V3) to a switch will fail after working seemingly flawlessly for days, weeks, or even months. We probably lose about 2 of about 60 switches per month. Removing and adding the switch in CCA does not work, nor does stripping out and replacing the SNMP commands within the failed switch.
>
>The only work-around we have found is modifying any part of the device profile for the appropriate group, then modifying it back to the correct parameters. This results in a functional switch and a log message that says "switch [xxx.yyy.zzz.166] is recovered from SNMP failure!"
>
>Eventually, the SNMP write errors come back, but the larger issue is that other switches in the same tweaked profile seem to be inverting their allowed VLANs and the uplink ports revert back to CCA controlled ports. As an example of the inverted VLANs, a working switch with primary VLAN 20 (clean) and VLAN 120 (dirty) ports will have the uplink interfaces configured with "switchport trunk native vlan 20" (or sometimes 120) and "switchport trunk allowed vlan 2-19,21-4094" It should be noted that we do no pruning on these switches, but we do prune out VLAN 1 upstream.
>
>A coworker did open a TAC call last year, and they focused on the switch configs, confirmed that our configs were OK, and never resolved the issue.
>
>Has anybody run into this? Any thoughts?
>
>Thanks in advance.
>
>-Jamie
>--
> James Spitznagel
> Senior Network Engineer
> John Carroll University
> [email protected]
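An added example, not part of either message above: a small Python audit that checks a saved switch configuration for the two things this thread discusses, the "configuration mode exclusive" setting and uplink trunks whose allowed-VLAN list leaves out their own native VLAN. The sample configuration, the function names and the "auto" keyword in the sample are assumptions made for illustration.

```python
import re

# Constructed sample config for illustration; not taken from the thread's switches.
SAMPLE_CONFIG = """\
configuration mode exclusive auto
!
interface GigabitEthernet0/1
 switchport trunk native vlan 20
 switchport trunk allowed vlan 2-19,21-4094
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk native vlan 20
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2-19,21-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (exclusive_mode_set, findings). A finding is (interface, native_vlan)
    for a trunk whose explicit allowed list leaves out its explicit native VLAN."""
    exclusive, blocks, current = False, {}, None
    for line in config.splitlines():
        if line.startswith("configuration mode exclusive"):
            exclusive = True
        head = re.match(r"interface (\S+)", line)
        if head:
            current = blocks.setdefault(head.group(1), {"allowed": set()})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None:
            native = re.match(r" switchport trunk native vlan (\d+)$", line)
            allowed = re.match(r" switchport trunk allowed vlan (?:add )?([\d,-]+)$", line)
            if native:
                current["native"] = int(native.group(1))
            if allowed:
                current["allowed"] |= expand_vlans(allowed.group(1))
    findings = [(name, b["native"]) for name, b in blocks.items()
                if "native" in b and b["allowed"] and b["native"] not in b["allowed"]]
    return exclusive, findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Interfaces that rely on the default native VLAN or the default allowed list are not flagged; only explicitly configured values are compared.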
