Client is Disconnected and MAC Address No Longer Appears on Cisco Switch Port When using the Symantec Network Access Controller Enforcer 6100 Series in LAN mode.

Article ID: 178002

Products

Network Access Control

Issue/Introduction

No network connectivity on a Cisco switch port when using an Enforcer in LAN mode.

Symptoms
Agent computer does not have network connectivity.


When checking the connected Media Access Control (MAC) addresses with "show mac-address-table" on the Cisco switch, the output shows nothing connected to the port in question, even though a client is plugged into that port and its MAC address would be expected to appear.

Upon review of the Enforcer kernel.log, the client passes the Host Integrity test and a command has been sent to the switch to either open the port or assign it to a particular VLAN.

A 4500/4000 or a 5500/5000 series Cisco switch is being used.


Cause

This is caused by Spanning Tree Protocol (STP) being active on the client's switch port: the port's STP initialization takes longer than the Enforcer is willing to wait for the client, so the connection times out before the port forwards traffic. From Cisco: "Spanning Tree Protocol dictates that the port starts out blocking, and then immediately moves through the listening and learning phases. By default, the port spends approximately 15 seconds listening and 15 seconds learning. During the listening state, the switch tries to determine where the port fits in the spanning tree topology. The switch especially wants to know whether this port is part of a physical loop. If the port is part of a loop, the port can be chosen to go into blocking mode. The blocking mode means that the port does not send or receive user data in order to eliminate loops. If the port is not part of a loop, the port proceeds to the learning state, in which the port learns which MAC addresses live off this port. This entire STP initialization process takes about 30 seconds. If you connect a workstation or a server with a single NIC card or an IP phone to a switch port, the connection cannot create a physical loop. These connections are considered leaf nodes. There is no reason to make the workstation wait 30 seconds while the switch checks for loops if the workstation cannot cause a loop. Cisco added the PortFast or fast-start feature. With this feature, the STP for this port assumes that the port is not part of a loop and immediately moves to the forwarding state and does not go through the blocking, listening, or learning states. This command does not turn STP off. This command makes STP skip a few initial steps (unnecessary steps, in this circumstance) on the selected port." (taken from http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml).

Resolution

In the Cisco switch Command Line Interface (CLI), enable PortFast on the port in question with the command "set spantree portfast 2/1 enable", where "2/1" is the module/port number of that port. PortFast moves the port straight to the forwarding state, skipping the listening and learning states, so the client reaches the network before the Enforcer's connection times out and is no longer disconnected. Apply this only to ports that connect a single end host; a port that leads to another switch or hub can form a loop and should keep the full STP initialization.
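As an added illustration (not code from this article, Symantec or Cisco), the following Python model times the STP start-up sequence quoted above against the Enforcer's wait time; the article gives no figure for that wait, so the timeout values passed in are assumptions.

```python
# Added illustration: models STP port start-up (default 15 s listening + 15 s
# learning) with and without PortFast, against an assumed enforcer timeout.
from dataclasses import dataclass
from typing import List

STP_FORWARD_DELAY_S = 15   # Cisco default: listening and learning each last this long


@dataclass(frozen=True)
class PortState:
    starts_at_s: int   # seconds after the client's link comes up
    name: str


def stp_timeline(portfast: bool, forward_delay_s: int = STP_FORWARD_DELAY_S) -> List[PortState]:
    """States an access port passes through after link-up, in order.

    With PortFast the port skips blocking/listening/learning and forwards
    immediately; STP itself remains enabled on the port.
    """
    if portfast:
        return [PortState(0, "forwarding")]
    return [
        PortState(0, "blocking"),
        PortState(0, "listening"),                    # switch checks for loops
        PortState(forward_delay_s, "learning"),       # MAC addresses learned from here on
        PortState(2 * forward_delay_s, "forwarding"),
    ]


def seconds_until(state: str, portfast: bool, forward_delay_s: int = STP_FORWARD_DELAY_S) -> int:
    """Seconds after link-up at which the port first enters `state`."""
    for s in stp_timeline(portfast, forward_delay_s):
        if s.name == state:
            return s.starts_at_s
    raise ValueError(f"port never enters state {state!r}")  # e.g. 'learning' with PortFast


def client_survives(enforcer_timeout_s: int, portfast: bool,
                    forward_delay_s: int = STP_FORWARD_DELAY_S) -> bool:
    """True if the port forwards traffic before the enforcer gives up on the client."""
    return seconds_until("forwarding", portfast, forward_delay_s) < enforcer_timeout_s


def diagnose(enforcer_timeout_s: int, portfast: bool) -> str:
    """One-line verdict matching the article's Cause/Resolution reasoning."""
    if client_survives(enforcer_timeout_s, portfast):
        return "ok: port forwarding before enforcer timeout"
    wait = seconds_until("forwarding", portfast)
    return (f"port needs {wait}s of STP initialisation but the enforcer waits only "
            f"{enforcer_timeout_s}s: enable PortFast on this edge port")
```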


References
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml