Symptom
CDP/LLDP packets are not sent to fully authenticated phones, so the phones do not learn the voice VLAN. The CPU generates the CDP/LLDP packets, but they are not sent out of the interfaces.
Conditions
ISE with dynamic VLAN assignment is configured.
MACsec is configured on the same ASIC.
Only observed on the CAT 9400 platform running 17.3.5.
Workaround
A supervisor failover or reload will temporarily resolve the issue.
Further Problem Description
MACsec is configured, though not necessarily on the interface in question. ISE with dynamic VLAN assignment is configured, using a voice VLAN, on a port facing a phone/PC. At a seemingly random interval (observed as short as 3 days), the switch will stop sending CDP/LLDP packets, which will eventually cause the phones to fail to get data. The PC will still pass data fine since it does not depend on CDP. The phone may show as sending frames in the wrong VLAN, as observed through DHCP snooping. The phone will show as correctly authenticated by ISE, and ISE will point the phone to the correct voice VLAN.