https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387012#M566747 <P>Hi Marcelo&nbsp;</P><P>&nbsp;</P><P>To note. We are running patch 13 on version 2.4. I did see this bug when researching so thought it would be fixed in patch 13.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Apr 2021 18:38:52 GMT bernards 2021-04-14T18:38:52Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386116#M566708 <P>We have 2 PSN nodes for client auth.</P><P>&nbsp;</P><P>All works on PSN1. When PSN1 is offline auth is directed to PSN2. All clients then fail to authentication with the following error.</P><P>&nbsp;</P><P>cisco endpoint started new session while the packet of the previous session is being processed</P><P>&nbsp;</P><P>ISE is 2.24 patch 13. All information for above error seems to be bug related in previous versions. Anyone else had a similar issue that can shed any light on the matter?</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Tue, 13 Apr 2021 11:26:30 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386116#M566708 bernards 2021-04-13T11:26:30Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386156#M566710 <P>I did not run into a similar issue on older versions of ISE.&nbsp; IMO it may not be a bad idea to plan on upgrading.&nbsp; As of today the suggested release is 2.7.&nbsp; At a minimum if you do not want to make a massive jump I would suggest upgrading at least to the latest patch for 2.2 (patch17).&nbsp; Something else to consider are the 2.2 EOL notices.&nbsp; See here:&nbsp;<A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743180.html" target="_blank">Cisco Identity Services Engine Software Version 2.2/2.2.1 Product Bulletin - Cisco</A></P> <P>HTH!</P> Tue, 13 Apr 2021 12:50:23 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386156#M566710 Mike.Cifelli 2021-04-13T12:50:23Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386649#M566729 <P>Thanks for the reply Mike.</P><P>&nbsp;</P><P>ISE is 2.4 patch 13 not 2.2. Above was a typo. We have the issue when 2.4 was patch 12 so upgraded to patch 13 with no success.</P><P>&nbsp;</P><P>Yes we are planning to jump to version 3.0. soon. However the above is causing major issues currently from a failover point if view currently.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Apr 2021 06:22:37 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386649#M566729 bernards 2021-04-14T06:22:37Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386748#M566738 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256646">@bernards</a></P><P class="lia-align-justify">&nbsp;your issue is happening when a particular <STRONG>PSN</STRONG> goes offline or not (for example: the same issue happens if <STRONG>PSN2</STRONG> goes offline)?</P><P class="lia-align-justify">Note: although it's fixed on <STRONG>2.4 P11</STRONG>, please take a look at:&nbsp;<A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr70581" target="_blank" rel="noopener">CSCvr70581 Called-Station-ID missing in RADIUS Authentication detail report</A>.</P><P class="lia-align-justify">&nbsp;</P> Wed, 14 Apr 2021 09:53:02 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4386748#M566738 Marcelo Morais 2021-04-14T09:53:02Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387011#M566746 <P>Hi Marcelo&nbsp;</P><P>The issue happens when PSN1 goes offline and clients then try to Auth with PSN2. When PSN1 comes back online clients Auth ok. So issue only happens when PSN1 is offline and PSN2 is live.</P><P>&nbsp;</P><P>PSN1 is primary Auth node and PSN2 secondary for redundancy.</P><P>&nbsp;</P><P>I will have a look at the link provided.</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Apr 2021 18:35:40 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387011#M566746 bernards 2021-04-14T18:35:40Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387012#M566747 <P>Hi Marcelo&nbsp;</P><P>&nbsp;</P><P>To note. We are running patch 13 on version 2.4. I did see this bug when researching so thought it would be fixed in patch 13.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Apr 2021 18:38:52 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387012#M566747 bernards 2021-04-14T18:38:52Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387078#M566748 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256646">@bernards</a>,</P><P>&nbsp;are you able to test <STRONG>PSN2</STRONG> as a <U>primary</U> for a group of your <STRONG>Endpoints</STRONG>, just to double check if the issue is happening only on your <STRONG>PSN1</STRONG> or on both <STRONG>PSNs</STRONG>?</P> Wed, 14 Apr 2021 20:32:01 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387078#M566748 Marcelo Morais 2021-04-14T20:32:01Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387169#M566750 <P>The error you referenced, "<SPAN>cisco endpoint started new session while the packet of the previous session is being processed", is most often seen during EAP authentication when the endpoints/client devices don't trust the server and/or certificate. Is it the EAP/dot1x authentication failing, and if so, do you use two the same EAP certificate on both nodes of the deployment? On the client supplicant config, it there a trusted server list set that only include PSN 1?&nbsp;</SPAN></P> Thu, 15 Apr 2021 00:47:09 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387169#M566750 Damien Miller 2021-04-15T00:47:09Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387752#M566759 <P>Hi Marcelo&nbsp;</P><P>&nbsp;</P><P>The issue only happens on the secondary PSN. All clients authenticate fine on the primary PSN.</P><P>When we flip over to test redundancy the issue with the error message happens to all clients.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Thu, 15 Apr 2021 19:40:21 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387752#M566759 bernards 2021-04-15T19:40:21Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387756#M566760 <P>Hi Damien&nbsp;</P><P>&nbsp;</P><P>Yes EAP clients are effected. Both PSN have correct EAP cert&nbsp;installed.</P><P>&nbsp;</P><P>The client supplicant has correct trusted servers etc.</P><P>&nbsp;</P><P>Strange thing is when we revert back to primary PSN all clients work. Firewall rules have been double checked and are the same within both DMZ locations. For some reason when we force clients to use the secondary PSN the issue is present.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Thu, 15 Apr 2021 19:44:10 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4387756#M566760 bernards 2021-04-15T19:44:10Z https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4389839#M566809 <P>Sounds like a good problem to call TAC about.</P> Tue, 20 Apr 2021 05:22:43 GMT https://community.cisco.com/t5/network-access-control/client-authentication-issues-with-multipule-psn-nodes/m-p/4389839#M566809 thomas 2021-04-20T05:22:43Z