topic ISE: 5436 RADIUS packet already in the process in Network Access Control

ISE: 5436 RADIUS packet already in the process

chrisathe.atitung — Mon, 22 Nov 2021 14:37:56 GMT

Dear,

I am facing an issue with my ISE server, relative to the event "5436 RADIUS packet already in the process".

Indeed, I manage the network access (autentication & authorisation) of my wireless Guest network through an ISE server (radius). All the the wifi guest clients connect to Light Weight Access Point which are centrally managed by Cisco Controllers (WLC).

The WLC redirects client to the ISE server portal in order to create himself his credentials for the first time. Once done and every time the client will be authenticated, the ISE server sends the "change of authorisation" to WLC in order to grant him network access.

Since a while, a lot wifi Guest clients can't access to the wifi Guess network because they can't submit again the network access request due to the error message "5436 RADIUS packet already in the process" find out in the ISE Work Centers Reports.

Does anyone can help me ?

Re: ISE: 5436 RADIUS packet already in the process

Greg Gibbs — Mon, 22 Nov 2021 22:46:17 GMT

There are various reasons you could be seeing the 5436 events. It could be related to bugID CSCvt34876, but there is not enough information to provide much meaningful assistance.

You mention CoA... are you seeing any CoA failure logs? Have you confirmed that CoA (RFC-3576) is enabled on the controller?

What has happened "since a while"? ISE or WLC software updates, changes, etc?

Please see How to Ask the Community for Help and open a TAC case if this an urgent issue.

Re: ISE: 5436 RADIUS packet already in the process

chrisathe.atitung — Tue, 23 Nov 2021 17:46:42 GMT

Dear Greg,

Thank you for your reply.

The issue started without any network changes, no upgrade.

The CoA is indeed enabled on my ISE server.

But when checking Radius live logs of failed authentications, I am not seeing any log of CoA.

When looking at Operations/Reports/Diagnostics/ISE counters, I saw this counter relative to the CoA :

Counter Attribute Threshold => TC-NAC: CoA Issued | UCS_SMALL | 250

When looking at Operations/Reports/Diagnostics/Misconfigured NAS, I saw the following messages several times for different endpoints. I showed below for only one endpoint device but there are some in xlsx file in attchment :

Message => NAS conducted several failed authentications of the same scenario,

Failure Reason : 12929 NAS sends RADIUS accounting update messages too frequently

Details :

ConfigVersionId=67,Device IP Address=x.x.x.x,Device Port=32772,DestinationIPAddress=y.y.y.12,DestinationPort=1813,RadiusPacketType=AccountingRequest,UserName=48-FD-A3-B3-E6-F2,Protocol=Radius,RequestLatency=1,NetworkDeviceName=WLC1,User-Name=48-FD-A3-B3-E6-F2,NAS-Port=1,Framed-IP-Address=w.w.5.63,Class=CACS:03025d0a007a7d007c189d61:ISE_1/426340496/4488658,Called-Station-ID=64-9e-f3-65-b1-80,NAS-Identifier=WLC1,Acct-Status-Type=Interim-Update,Acct-Delay-Time=0,Acct-Input-Octets=19016,Acct-Output-Octets=18845,Acct-Session-Id=619d187c/48:fd:a3:b3:e6:f2/8064786,Acct-Authentic=RADIUS,Acct-Session-Time=434,Acct-Input-Packets=123,Acct-Output-Packets=93,Acct-Input-Gigawords=0,Acct-Output-Gigawords=0,Event-Timestamp=1637685806,NAS-Port-Type=Wireless - IEEE 802.11,Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 921,cisco-av-pair=audit-session-id=03025d0a007a7d007c189d61,Airespace-Wlan-Id=7,NetworkDeviceProfileName=Cisco,NetworkDeviceProfileId=730d45ba-a3d3-49a8-9e07-a20ca3dae75b,IsThirdPartyDeviceFlow=false,SSID=64-9e-f3-65-b1-80,AcsSessionID=ISE_1/426340496/4492143,SelectedAccessService=Wireless_Protocols,Step=11004,Step=11017,Step=15049,Step=15008,Step=15004,Step=22094,Step=11005,Step=12929,Step=5435,NetworkDeviceGroups=Location#All Locations#All Wireless Location,NetworkDeviceGroups=Device Type#All Device Types#Wireless,CPMSessionID=03025d0a007a7d007c189d61,EndPointMACAddress=48-FD-A3-B3-E6-F2,ISEPolicySetName=Wireless,AllowedProtocolMatchedRule=MAB,StepData=4=MAB,DTLSSupport=Unknown,RadiusFlowType=WirelessMAB,Network Device Profile=Cisco,Model Name=AIR-CT8510-K9,Software Version=7.6.130.21,Location=Location#All Locations#All Wireless Location,Device Type=Device Type#All Device Types#Wireless

Does this give you more details ? If you need specific informations, I can provide it.

Thanks !

Re: ISE: 5436 RADIUS packet already in the process

thomas — Tue, 30 Nov 2021 20:51:54 GMT

As Greg said, we are missing any real details. I suggest you create a TAC case if Guests are unable to get network access and you may need to do a packet capture to understand the exact packet flow from the WLC.

Message Code: 5436

Severity: WARN

Message Text: RADIUS packet already in the process

Message Description: Ignoring this request because it is a duplicate of another packet that is currently being processed

Local Target Message Format: <timestamp> <seq_num> 5436 WARN RADIUS: RADIUS packet already in the process, <log details>

Remote Target Message Format: <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id> <total seg> <seg num><timestamp> <seq_num> 5436 WARN RADIUS: RADIUS packet already in the process, <log details>