Troubleshooting SXP Devices on Edge Node Switch in SDA environment

Troubleshooting SXP Devices on Edge Node Switch in SDA environment

Before we start with the basics commands used to troubleshoot the TrustSec on the Edge node switch in the SDA environment, let see what this SXP is all about.

Cisco SXP stands for SGT Exchange Protocol and enables the propagation of Security Group Tags (SGTs) across network devices that do not support Cisco TrustSec hardware.

As we know that an endpoint that connects to a network with a common policy is assigned a scalable group tag. There are unique values associated with each Scalable Group Tag. For setting up a SXP connection between two different network devices, TCP is used as the transport protocol.

SXP connections consist of two peers, one designated as the speaker and the other as the listener. Alternatively, the peers can be configured for bi-directional communication where each of them can be both a speaker and a listener. Despite the fact that binding information can emanate from either peer, all connections are initiated by one of the peers.

Fig 1.1- Cisco SXP

We will discuss on the commands used to troubleshoot the SXP in Cisco SDA environment.

Command No1

NDNA-Switch1# show cts sxp connections vrf NDNA-PROD

The above mentioned command shows the SXP connection information including connection status, peer IP address, and source IP address. The vrf keyword must be used to see connection in any non-default VRFs.

If the connection remains in the “off” or “pending_on” state, check that the password and source IP address used for the connection is the same configured in ISE for the SXP device. Also check that SXP is enabled on the device with the cts sxp enable command

SXP : Enabled
Highest Version Supported: 4
Default Password : SetDefault
Key-Chain: Not Set
Default Key-Chain Name: Not Applicable
Default Source IP:
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not runningPeer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
Peer IP :
Source IP :
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 2
TCP conn fd : 3
TCP conn password: default SXP password
Hold timer is running
Duration since last state change: 10:17:02:11 (dd:hr:mm:sec)
Total num of SXP Connections = 1

Command No2

NDNA-Switch1# show cts sxp sgt-map vrf NDNA-PROD

The above mentioned command shows IP-to-SGT mappings received via an SXP peer. If mappings are sent in a non-default SXP domain, use the vrf keyword to specify the appropriate VRF and display IP-to-SGT mappings. 

This command only shows IP-to-SGT mappings learned by the SXP connection, and any static mappings configured from the CLI will not be displayed here. For all IP-to-SGT map information on the device use the show cts role-based sgt-map all command 

SXP Node ID(generated):0xAC10AF01(
IP-SGT Mappings as follows:
IPv4,SGT: < , 16:Inside_Cameras>
source : SXP;
Peer IP :;
Ins Num : 2;
Status : Active;
Seq Num : 201
Peer Seq: 0C01089B,
IPv4,SGT: < , 5:Inside_Contractor>
source : SXP;
Peer IP :;
Ins Num : 2;
Status : Active;
Seq Num : 203
Peer Seq: 0C01089B,Total number of IP-SGT Mappings: 02