https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479800#M526062 <HTML><HEAD></HEAD><BODY><P>We are seeing this error on the second PSN</P><P></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/105106_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Fri, 03 Mar 2017 15:44:50 GMT umahar 2017-03-03T15:44:50Z https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479799#M526061 <HTML><HEAD></HEAD><BODY><P>We are doing some testing with F5 and PSNs.</P><P>Endpoint is abandoning eap sessions on one PSNs.</P><P>We clear the endpoint sessions on ISE Live sessions and also the persistence record on the PSN.</P><P>The F5 now sends the radius requests to the second on the same node group.</P><P>It seems that there is some stale entry on the PSNs in the same node group and the new PSN is rejecting this new radius request thinking that it already has a session. </P></BODY></HTML> Fri, 03 Mar 2017 15:11:11 GMT https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479799#M526061 umahar 2017-03-03T15:11:11Z https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479800#M526062 <HTML><HEAD></HEAD><BODY><P>We are seeing this error on the second PSN</P><P></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/105106_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Fri, 03 Mar 2017 15:44:50 GMT https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479800#M526062 umahar 2017-03-03T15:44:50Z https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479801#M526063 <HTML><HEAD></HEAD><BODY><P>Please ensure the sessions also cleared on the NAD. Then, enable the debug as recommended in the resolution. It would also help to perform packet captures.</P><P></P><P>When a new RADIUS auth request comes into ISE, it has no Class attribute. Once ISE processes it, it gives Class attribute in the response and then NAD will use it subsequently as a means to tell ISE to continue with the same conversation. If ISE receives a RADIUS request with Class attribute but it does not have the session, it would respond with this error.</P><P></P><P>ISE node groups are used for the sessions in pending state (e.g. CWA or Posture) and ISE profiling. They have no influence on this matter.</P></BODY></HTML> Mon, 06 Mar 2017 17:58:36 GMT https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479801#M526063 hslai 2017-03-06T17:58:36Z https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479802#M526064 <HTML><HEAD></HEAD><BODY><P>This is perfect, thanks for your post. @<SPAN class="font-color-meta" style="padding: 0 0 5px; font-size: 1.2em; font-family: arial; color: #8b8b8b;"><SPAN class="replyToName" style="font-weight: inherit; font-style: inherit; font-size: 14.4px; font-family: inherit;">hslai </SPAN></SPAN></P></BODY></HTML> Thu, 09 Mar 2017 06:34:58 GMT https://community.cisco.com/t5/network-access-control/persistence-of-failed-endpoints-abandoned-eap-session-between/m-p/3479802#M526064 sofitapaul 2017-03-09T06:34:58Z