5440 Endpoint abandoned EAP session and started new When ISE put behind IPSEC

Hello All,

 

We are facing an issue: 5440 Endpoint abandoned EAP session and started new

Devices:

AP 3700 in Autonomous Mode

Cisco ISE 2.4

PFSense

Juniper SRX

 

Connection:

Client <==Wireless==> AP(3700i) <====> Juniper SRX <=== IPSec ===> PFSense <=====> Cisco ISE 2.4.0.357 Patch 9

 

Attached is the AP test configuration; please also find the error message from ISE below:

ise.JPG

 

I tried several APs and it doesn't work. Is there any way to get a more specific error?

 

Debug dot1x from AP:

*Mar 4 00:38:56.041: AAA/BIND(000005C3): Bind i/f
*Mar 4 00:38:56.041: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.097: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.097: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.097: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.261: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.261: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.357: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.357: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.357: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.369: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.837: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.837: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.837: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.861: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.865: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.865: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.865: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.873: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.877: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.877: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.877: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.885: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.889: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.889: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.889: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.893: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.897: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.897: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.897: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.905: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.905: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.905: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.905: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.913: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:56.917: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:56.917: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.917: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:56.921: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 4 00:38:57.365: dot1x-ev(Do1): Role determination not required
*Mar 4 00:38:57.365: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:57.365: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:39:15.373: dot1x-ev(Do1): Role determination not required
*Mar 4 00:39:15.373: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:39:20.373: dot1x-ev(Do1): Role determination not required
*Mar 4 00:39:20.373: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:39:25.385: dot1x-ev(Do1): Role determination not required
*Mar 4 00:39:25.385: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:39:30.401: Dot11Radio1: Going to delete client 38de.adce.cc69 Reason: request

 


Thank you in advance.

Accepted Solutions

Re: 5440 Endpoint abandoned EAP session and started new When ISE put behind IPSEC

One of the common causes of EAP issues such as this is IP fragments being dropped by one of the devices inline. I would be looking for fragment drops on the SRX first, then pfSense.
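
Added example (not part of the original posts): a small Python check that reads `debug dot1x` output in the format shown above and reports the point where the AAA exchange stops while the AP keeps queuing EAPOL frames until the client is deleted. It assumes that each `Pick method list` line marks the AP handing an EAP response to AAA; a stall found this way is consistent with dropped fragments on the path but does not prove it, so the drop counters on the inline devices still need checking.

```python
import re
from datetime import datetime

# Constructed sample: a shortened excerpt in the format of the AP debug above.
SAMPLE = """\
*Mar 4 00:38:56.905: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:56.905: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:38:57.365: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:38:57.365: AAA/AUTHEN/PPP (000005C3): Pick method list 'eap_methods'
*Mar 4 00:39:15.373: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:39:20.373: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:39:25.385: dot1x-packet(Do1): Queuing an EAPOL pkt on Authenticator Q
*Mar 4 00:39:30.401: Dot11Radio1: Going to delete client 38de.adce.cc69 Reason: request
"""

LINE = re.compile(r"^\*(\w{3}) +(\d+) (\d\d:\d\d:\d\d\.\d{3}): (.*)$")

def parse(text):
    """Yield (timestamp, message) per debug line. The log has no year, so a
    placeholder year (2000) is used; only time differences matter here."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            stamp = "2000 " + " ".join(m.group(1, 2, 3))
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"), m.group(4)

def find_stall(text, min_gap=10.0):
    """Return stall details if AAA activity stops and the client is deleted
    at least min_gap seconds later; otherwise return None."""
    events = list(parse(text))
    aaa = [ts for ts, msg in events if "Pick method list" in msg]
    deleted = [ts for ts, msg in events if "Going to delete client" in msg]
    if not aaa or not deleted:
        return None
    last_aaa = aaa[-1]
    # EAPOL frames queued after the last AAA hand-off, with no AAA activity since
    later = [ts for ts, msg in events
             if ts > last_aaa and "Queuing an EAPOL pkt" in msg]
    gap = (deleted[-1] - last_aaa).total_seconds()
    if gap < min_gap:
        return None
    return {"last_aaa": last_aaa.strftime("%H:%M:%S.%f")[:-3],
            "eapol_after_last_aaa": len(later),
            "seconds_to_delete": round(gap, 3)}

if __name__ == "__main__":
    print(find_stall(SAMPLE))
```
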