topic Re: ISE silently dropping packet in Network Access Control

ISE silently dropping packet

Madura Malwatte — Tue, 12 Feb 2019 13:25:06 GMT

ISE 2.3 patch 5

I'm hitting this weird issue with ISE trying to get EAP-TLS with machine authentication working.

During the initial eap-tls flow, ISE receives the client hello access-request packet from the NAD, then responds with the access-challenge that contains the server hello/certificate/server key exchange/etc. This is over 5 eap-tls fragments (5 IP packets). The NAD acknowledges these with access-requests without issue. Next the NAD sends an access-request with its certificate/client key exchange/change cipher spec/etc. At a radius level the access-request looks to be fragmented over multiple packets, but the first fragment is fragmented at IP level as well with 1518 bytes on wire and another 419 bytes on the wire - this makes up the first access-request. Packet capture on the upstream device from ISE shows it forwarding both these packets, however packet capture on the ISE shows only the first Fragmented IP protocol packet. The remaining 419 byte packet needed to reassemble to get the access-request is not seen in the capture. Looks like the ISE is silently dropping this? Hence eap-tls times out and fails.

The first fragment of the access-request is more than 1500 bytes, is this the issue? It funny that the larger fragmented packet is received but the following 419 byte one is not.

The data portion (radius stuff) of the first fragment is 1480 bytes. Now when you add the IP and ethernet headers it will be at least 1514 bytes. Not sure why the NAD will send it this big when the MTU on the interface and globally is set to 1500 bytes.

Re: ISE silently dropping packet

paul — Tue, 12 Feb 2019 13:28:07 GMT

Are the PSNs behind an F5 load balancer? If so this is a known issue with the F5s. The F5s will drop packet fragments if they are too small.

Re: ISE silently dropping packet

Madura Malwatte — Tue, 12 Feb 2019 13:39:48 GMT

No they are not. I took a capture right in front of the PSN's on ACI EPG where the PSN VM's reside. And that capture shows both fragmented packets being forwarded, but PSN never gets the 2nd fragment.

Re: ISE silently dropping packet

Damien Miller — Tue, 12 Feb 2019 16:52:27 GMT

Your packet capture appears standard, you have a 1500 byte packet encapsulated with 14 bytes of header and a 4 byte CRC. The 1518 (or 1514 without CRC captured) bytes is the frame you expect to see in a capture if you are adhering to traditional ethernet and not adding vlan, trustsec, or macsec information. This is not an issue.

I have not run 2.3 myself, but I know with 2.1, 2.2 and 2.4 that we received eap-tls fragments, I do not recall having the issue you are facing. Relevant reading material for fragmented eap with packet capture examples, give it a read and see if anything helps.
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html

Re: ISE silently dropping packet

paul — Tue, 12 Feb 2019 17:38:57 GMT

Usually I see fragmentation when EAP-TLS packets are traversing DMVPN/GRE encapsulated links.

Re: ISE silently dropping packet

hslai — Sat, 16 Feb 2019 17:35:21 GMT

Adding to what said Damien Miller and paul,

I believe ISE will drop the 2nd packets if DF bit set.

Re: ISE silently dropping packet

mile.ljepojevic — Mon, 10 Jan 2022 16:46:01 GMT

Hi, and sorry for asking this, but did you configure "IP MTU" on the SVI that is used as source-interface for RADIUS?

I had the same issue and this was fixed in 5 minutes with this command.