topic ISE 1.2 Error Messages in Network Access Control

ISE 1.2 Error Messages

Ashley Georgeson — Mon, 11 Mar 2019 03:58:15 GMT

Hi forum,

We have an ISE deployment that we are lab testing.

This is running v1.2.0.899 with Patch 2 installed.

We have an authC policy configured for domain-joined computers for 802.1x and domain credentials:

Condition: Wired_802.1X

Allow Protocols: PEAP_CHAPv2

Use: AD

This works, and authenticates both the machine (pre-login) and user (post-login).

However, I am seeing some errors int the Auth logs before the 5200 Authentication succeeded message.

These messages are not shown in the Cisco ISE Log Messages spreadsheet!

5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.

5405 RADIUS Request dropped

5440 Endpoint abandoned EAP session and started new

Has anybody else exxperienced this or can explain why I am seeing this behaviour?

All helpful responses rated!

Thanks Ash.

ISE 1.2 Error Messages

Muhammad Munir — Tue, 08 Oct 2013 08:17:16 GMT

Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.

•Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.

•Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server vsa send accounting

radius-server vsa send authentication

ISE 1.2 Error Messages

Jatin Katyal — Tue, 08 Oct 2013 08:36:39 GMT

You may want to take a look at

CSCuh86885 No event for failure reasons 5440/5441: Endpoint started a new session..

~BR
Jatin Katyal

**Do rate helpful posts**

ISE 1.2 Error Messages

Ashley Georgeson — Wed, 09 Oct 2013 16:00:26 GMT

This bug does not appear to be public yet.

Any ideas why?

ISE 1.2 Error Messages

Jatin Katyal — Wed, 09 Oct 2013 17:30:19 GMT

This is an external defect but duplicate of

CSCui21439 message texts do not reflect 1.2 added/modified value

I'm going to paste the description/content here from the defect.

Environment: 
Build: 1.2.0.891
install from iso and configured from scratch. 

Deployment:
Node1: pri(A), Pri(M),PDP
Node2: Sec(A)
Node3: Sec(M)
Node4: PDP
Node5: PDP

Node4 and Node5 were placed in node group. 

Procedure:
1. configured multiple nics on node4 and node5 with ip address and host alias. 
2. Configured policy sets to serve requests coming for eth0 and eth1. 
3. tried round-trips ( BYOD flows ) with both eth0 and eth1. 

Observation:
1. Under live authentications page, admin could see events which are having below failure reasons without event details ( i.e. event column is blank )
"5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session."
"5440 Endpoint abandoned EAP session and started new"

2. But under Operations -- > Reports -- > Auth service status --- > Radius errors report, event details  are getting appeared 

so the problem is in reports admin could able to see event details for above failure reasons but not in live authentications page. 
so, there is no functional impact as admin could see event details from reports section.

~BR
Jatin Katyal

**Do rate helpful posts**

ISE 1.2 Error Messages

Abha Jha — Wed, 09 Oct 2013 17:52:03 GMT

Its a bug which will be fixed in ISE version 1.3

CSCuh86885

No event for failure reasons 5440/5441: Endpoint started a new session..

ISE 1.2 Error Messages

Ashley Georgeson — Thu, 10 Oct 2013 10:34:45 GMT

So this will be fixed in the next major release of ISE (v1.3) not in the next ISE 1.2 Patch (v1.2 Patch 3)?

Many thanks, Ash.

ISE 1.2 Error Messages

Abha Jha — Thu, 10 Oct 2013 17:05:38 GMT

It will be fixed only in version ISE version 1.3

Hello,We have same problem

GERALD LECAILLIER — Tue, 17 Mar 2015 13:21:45 GMT

Hello,

We have same problem with 1.3.

"5440 Endpoint abandoned EAP session and started new"

We have 3 active directories:

- 2 on the same LAN: OK (wireless and wired connection)

- 1 behind two firewalls: problem (only for wireless)

We set WLC EAP timers to :

config advanced eap identity-request-retries 20
config advanced eap request-retries 20
config advanced eap eapol-key-timeout 5000
config advanced eap eapol-key-retries 4

But it seems that AD3 dont have time to reply...

If someone has an idea, he is welcome 🙂

Thanks,

Hi all,

mukka — Tue, 24 Nov 2015 14:24:28 GMT

Hi all,

anyone solved it ? I have a similar issue with ISE 1.4

I am trying to deploy EAP_chaining with user and machine certificate. (anyconnect 3.1.11004)

If the user has the certificate all is working fine, but if the user not have it, I can see "Endpoint abandoned EAP session and started new.....)

thanks.

Hello just to say in the Ise

sergio.matos — Tue, 26 Jan 2016 18:33:23 GMT

Hello just to say in the Ise Version 1.3.0.876 its not resolved yet, iam issuing same problems

5440 Endpoint abandoned EAP session and started new

I have 200 Endpoint working well and sudenly the PSN stopped to accept more Endpoints my limit per PSN is 2500.

So iam using W8.1 machines behind 7940/7960 ip phones

So iam driving Nuts!