https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002773#M229296 <HTML><HEAD></HEAD><BODY><P>Marco,</P><P></P><P>1. First we will have to see what the radius timeout values are set for on the network device. Also we need to identify if there is a relation to which network device(s) are generating this message and then try to increase the timeout values. For that device, if there is some latency some devices come with a default 5 second timer some up to 15.</P><P></P><P>2. If you are using AD where are the domain controllers with respect to the ACS, is there a firewall or any policing polices that the ACS is subject to in its path to the DCs? If not, how many domain controllers do you have and how many are local to the ACS itself? Are your "sites" configured properly with the DC infrastructure so that when ACS queries the domain it is receving domain controllers that are located closest to it? Also what version of ACS are you running? if you are on ACS 5.3 then installing the latest patch will help fix some critical AD issues.</P><P></P><P>3. How many authentications do you see on average when this issue occurs, what authentication mechanism are you using (eap-tls or peap), these authentication protocols are different in the way they operate and when it comes to authentications per second EAP-TLS does consume more processing power then the PEAP.</P><P></P><P>Thanks,</P><P>Tarik admani</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 19 Jul 2012 15:47:39 GMT Tarik Admani 2012-07-19T15:47:39Z https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002770#M229254 <P>Hi,</P><P></P><P>I had got in my ACS 5.3 the following error message, do you kown wich could me the problem.</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/2/6/8/94862-red.PNG" alt="red.PNG" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P></P><P>Best Regard,</P><P></P><P>Marco.</P> Mon, 11 Mar 2019 02:16:21 GMT https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002770#M229254 mhuaynate 2019-03-11T02:16:21Z https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002771#M229260 <HTML><HEAD></HEAD><BODY><P>Marco,</P><P></P><P>Please use this as a reference:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps9911/products_tech_note09186a0080bb8100.shtml#radius11013">http://www.cisco.com/en/US/products/ps9911/products_tech_note09186a0080bb8100.shtml#radius11013</A></P><P></P><P>n an ACS 5.3 deployment, users fail dot1x&nbsp; authentication. The database used is an Active Directory. The RADIUS&nbsp; failure code is shown here:</P><P></P><P><TT>RADIUS Request dropped: 11013 RADIUS packet already in the process</TT></P><P></P><H3><A name="sol31">Solution</A></H3><P></P><P>The ACS has ignored this request because it is a duplicate of another&nbsp; packet that is currently being processed. This can occur because of any&nbsp; of these:</P><P></P><UL><LI><P>The Average RADIUS Request Latency statistic is close to or exceeds the client RADIUS request timeout of the client.</P></LI><LI><P>External identity store can be very slow.</P></LI><LI><P>The ACS has been overloaded.</P></LI></UL><P></P><P>Perform these steps in order to resolve:</P><P></P><OL type="1"><LI><P>Increase the client RADIUS request timeout of the client.</P></LI><LI><P>Use a faster or additional external identity store.</P></LI><LI><P>Follow the ways to reduce the overload on ACS.</P></LI></OL><P></P><P>Thanks,</P><P>Tarik Admani</P></BODY></HTML> Sat, 07 Jul 2012 00:32:07 GMT https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002771#M229260 Tarik Admani 2012-07-07T00:32:07Z https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002772#M229275 <HTML><HEAD></HEAD><BODY><P>Hi tarik,</P><P></P><P>how can i do that ?</P><P></P><OL start="1" type="1"><LI><P>Increase the client RADIUS request timeout of the client.</P><BR /></LI><LI><P>Use a faster or additional external identity store.</P><BR /></LI><LI><P>Follow the ways to reduce the overload on ACS</P><BR /></LI></OL></BODY></HTML> Thu, 19 Jul 2012 15:22:23 GMT https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002772#M229275 mhuaynate 2012-07-19T15:22:23Z https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002773#M229296 <HTML><HEAD></HEAD><BODY><P>Marco,</P><P></P><P>1. First we will have to see what the radius timeout values are set for on the network device. Also we need to identify if there is a relation to which network device(s) are generating this message and then try to increase the timeout values. For that device, if there is some latency some devices come with a default 5 second timer some up to 15.</P><P></P><P>2. If you are using AD where are the domain controllers with respect to the ACS, is there a firewall or any policing polices that the ACS is subject to in its path to the DCs? If not, how many domain controllers do you have and how many are local to the ACS itself? Are your "sites" configured properly with the DC infrastructure so that when ACS queries the domain it is receving domain controllers that are located closest to it? Also what version of ACS are you running? if you are on ACS 5.3 then installing the latest patch will help fix some critical AD issues.</P><P></P><P>3. How many authentications do you see on average when this issue occurs, what authentication mechanism are you using (eap-tls or peap), these authentication protocols are different in the way they operate and when it comes to authentications per second EAP-TLS does consume more processing power then the PEAP.</P><P></P><P>Thanks,</P><P>Tarik admani</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 19 Jul 2012 15:47:39 GMT https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002773#M229296 Tarik Admani 2012-07-19T15:47:39Z https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002774#M229349 <HTML><HEAD></HEAD><BODY><P> Hi tarik,</P><P></P><P>this is the port configuration in the switch</P><P></P><P>interface FastEthernet0/12</P><P> switchport mode access</P><P> switchport voice vlan 10</P><P> authentication port-control auto</P><P> authentication host-mode multi-domain</P><P> authentication violation protect</P><P> authentication event fail action authorize vlan 11</P><P> authentication event fail retry 2 action authorize vlan 11</P><P> authentication event no-response action authorize vlan 11</P><P> authentication periodic</P><P> authentication timer reauthenticate 60</P><P> mab</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 10</P><P> dot1x max-reauth-req 3</P><P> spanning-tree portfast</P><P>end<SPAN id="mce_marker"> </SPAN></P><P></P><P>thank </P></BODY></HTML> Thu, 19 Jul 2012 16:17:15 GMT https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002774#M229349 mhuaynate 2012-07-19T16:17:15Z https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002775#M229443 <P>aaa accounting update newinfo</P> Fri, 25 Mar 2016 05:44:03 GMT https://community.cisco.com/t5/network-access-control/acs-log-11013-radius-packet-already-in-the-process/m-p/2002775#M229443 vovanZM18 2016-03-25T05:44:03Z