We recently upgraded from ISE 2.1 to 2.4, and since we have been seeing more random client auth issues. We are using ISE mainly for authentications using PEAP on a wireless network. Since the upgrade, clients are reporting issues and in the ISE logs we are mainly seeing this error.
5440 Endpoint abandoned EAP session and started new
We have seen this error before, but it is more related now to clients actually having connection issues. We have not applied the patches yet, as we were waiting a couple of weeks to let the upgrade burn in. Any ideas or suggestions, or known issues with this issue?
- Or let your Intranet burn out? Bear with me, I don't want to get into simple bashing towards Cisco. I believe Cisco ISE is a marvelous product with a vast number of possibilities, BUT as many people have experienced before: due to its complexity (configuration and the different-nodes complexity) AND it being mission critical on the Intranet, it is simply not designed for upgrading production nodes. Many people therefore build a second/new environment in place to replace the old-versioned ISE setup. I used to have a script which could switch RADIUS servers (PSN nodes) on the millisecond in the running config of a switch using the CISCO-CONFIG-MIB. Sometimes for a new major version it's even better to re-enter the policies from scratch to take advantage of new features in the most optimal way. Consider following these practices when upgrading to new ISE versions.
We applied the 2.4 Patch 9, and this seemed to make auth issues better at first, but we are continuing to see problems. Most of our endpoints are mobile iPhones or Android devices. From the client perspective, it appears that they cannot connect to the SSID. ISE shows the client constantly abandoning and establishing a new EAP session. The wireless controller shows the client authenticated. A debug basically shows the client going through the EAP process over and over. This all started after upgrading to 2.4.
See a lot of these errors in ISE:
5440 Endpoint abandoned EAP session and started new
12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
- As an additional debug resource you may also involve the Wireless Debug Analyzer, which can be found from the link below:
The cert did not change, and I have had clients forget and accept the cert again anyways. At this time, it appears this issue may be related to the RADIUS timeout setting on the WLC, which defaults to 2 secs. We are increasing this to 10. Not a lot of evidence yet to back this up, but looking at the logs it appears that maybe this is the cause of the EAP retransmits. Is anyone aware of increased latency being introduced in 2.4? We were previously on 2.1 without any issues.
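One way to check the retransmit theory against the ISE logs, as an added example that is not from this thread or from Cisco: the script below parses constructed ISE-like log lines, counts 5440 and 12934 events per endpoint, and flags endpoints whose consecutive EAP restarts all fall within the WLC's RADIUS timeout, which is the pattern you would expect if the WLC retransmits before ISE answers. The log layout, the MAC addresses and the `parse_lines`/`churn_report` names are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an ISE-like shape (timestamp, message code, text, endpoint MAC).
# The layout is an assumption for this example, not the real ISE syslog format.
SAMPLE_LOG = """\
2019-03-04 10:00:00.100 5400 Authentication failed 00:11:22:33:44:01
2019-03-04 10:00:00.950 5440 Endpoint abandoned EAP session and started new 00:11:22:33:44:01
2019-03-04 10:00:01.900 5440 Endpoint abandoned EAP session and started new 00:11:22:33:44:01
2019-03-04 10:00:02.800 12934 Supplicant stopped responding to ISE during PEAP tunnel establishment 00:11:22:33:44:01
2019-03-04 10:00:03.700 5440 Endpoint abandoned EAP session and started new 00:11:22:33:44:01
2019-03-04 10:00:05.000 5200 Authentication succeeded 00:11:22:33:44:02
2019-03-04 10:00:20.000 5440 Endpoint abandoned EAP session and started new 00:11:22:33:44:02
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (.*) ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")
ABANDONED, SUPPLICANT_STOPPED = "5440", "12934"


def parse_lines(log_text):
    """Yield (timestamp, code, mac) for each line matching the assumed layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(4)


def churn_report(log_text, radius_timeout_s):
    """Per endpoint: number of EAP restarts (5440), number of 12934 events, the gaps
    between consecutive restarts, and a flag set when every gap is shorter than the
    WLC RADIUS timeout (restarts driven by retransmission would cluster like that)."""
    abandon_times = defaultdict(list)
    stopped = defaultdict(int)
    for ts, code, mac in parse_lines(log_text):
        if code == ABANDONED:
            abandon_times[mac].append(ts)
        elif code == SUPPLICANT_STOPPED:
            stopped[mac] += 1
    report = {}
    for mac, times in abandon_times.items():
        times.sort()
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
        report[mac] = {
            "abandoned": len(times),
            "supplicant_stopped": stopped[mac],
            "gaps_s": gaps,
            "restarts_within_timeout": len(gaps) >= 2 and max(gaps) <= radius_timeout_s,
        }
    return report
```

Run it against an export of the live authentication log with the controller's current timeout (2 s) and compare the flagged endpoints with the clients reporting connection problems; if the restart gaps stop clustering under the timeout after raising it to 10 s, that supports the retransmit explanation.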