08-01-2019 07:58 AM
We recently upgraded from ISE 2.1 to 2.4, and since we have been seeing more random client auth issues. We are using ISE mainly for authentications using PEAP on a wireless network. Since the upgrade, clients are reporting issues and in the ISE logs we are mainly seeing this error.
5440 Endpoint abandoned EAP session and started new
We have seen this error before, but it is more related now to clients actually having connection issues. We have not applied the patches yet, as we were waiting a couple of weeks to let the upgrade burn in. Any ideas or suggestions, or known issues with this issue?
08-01-2019 09:07 AM
08-02-2019 01:13 AM
- Or let your Intranet burn out? Bear with me, I don't want to get into simple bashing towards Cisco. I believe CISCO ISE is a marvelous product with a vast number of possibilities, BUT as many people have experienced before: due to its complexity (configuration and the different-nodes-complexity) AND it being mission critical on the Intranet, it is simply not designed for upgrading production nodes. Many people therefore build a second/new environment in place to replace the old-versioned-ISE setup. I used to have a script which could switch radius servers (PSN Nodes) on the millisecond in the running config of a switch using the CISCO-CONFIG-MIB. Sometimes for a new major version it's even better then to re-enter the policies from scratch to take advantage of new features in the most optimal way. Consider following these practices when upgrading to new ISE versions.
M.
08-02-2019 08:55 AM
Upgrade the patch as suggested. Also, are these Windows clients? Any event log which can be seen?
08-06-2019 07:50 AM
We applied the 2.4 Patch 9, and this seemed to make auth issues better at first, but we are continuing to see problems. Most of our endpoints are mobile iPhones or Android devices. From the client perspective, it appears that they cannot connect to the SSID. ISE shows the client constantly abandoning and establishing a new EAP session. The wireless controller shows the client authenticated. A debug basically shows the client going through the EAP process over and over. This all started after upgrading to 2.4.
See a lot of these errors in ISE:
5440 Endpoint abandoned EAP session and started new
12934 Supplicant stopped responding to ISE during PEAP tunnel establishment
08-06-2019 09:13 AM
- As an additional debug resource you may also involve the Wireless Debug Analyzer, which can be found from the link below:
https://developer.cisco.com/docs/wireless-troubleshooting-tools/
M.
08-06-2019 09:51 AM
08-06-2019 10:28 AM
The cert did not change, and I have had clients forget, and accept the cert again anyways. At this time, it appears this issue may be related to the RADIUS timeout setting on the WLC default at 2 secs. We are increasing this to 10. Not a lot of evidence yet to back this up, but looking at the logs it appears that maybe this is the cause of the EAP retransmits. Is anyone aware of increased latency being introduced in 2.4? We were previously on 2.1 without any issues.
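Added example (not part of any post in this thread, and not Cisco tooling): one way to test the timeout hypothesis above is to find endpoints stuck in a run of 5440/12934 events and compare their restart cadence with the WLC RADIUS timeout. The record layout, the `OK` marker for a passed authentication, and all sample rows are constructed assumptions; a matching cadence is only consistent with the hypothesis, not proof of it.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (NOT real ISE output): "ISO time,endpoint MAC,code".
# 5440 and 12934 are the codes quoted in the thread; "OK" is a hypothetical
# placeholder for a passed authentication.
SAMPLE = """\
2019-08-06T09:00:00,AA:BB:CC:00:00:01,5440
2019-08-06T09:00:02,AA:BB:CC:00:00:01,5440
2019-08-06T09:00:04,AA:BB:CC:00:00:01,12934
2019-08-06T09:00:06,AA:BB:CC:00:00:01,5440
2019-08-06T09:00:01,AA:BB:CC:00:00:02,5440
2019-08-06T09:00:03,AA:BB:CC:00:00:02,OK
2019-08-06T09:05:00,AA:BB:CC:00:00:02,5440
"""
FAILURE_CODES = {"5440", "12934"}

def parse(text):
    """Yield (timestamp, mac, code) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, mac, code = (f.strip() for f in line.split(","))
            yield datetime.fromisoformat(ts), mac.upper(), code

def restart_loops(text, min_run=3):
    """Map MAC -> (longest failure streak, median seconds between restarts)
    for endpoints with >= min_run consecutive failures and no success between."""
    by_mac = defaultdict(list)
    for ts, mac, code in sorted(parse(text)):
        by_mac[mac].append((ts, code))
    loops = {}
    for mac, events in by_mac.items():
        best, run = [], []
        for ts, code in events:
            run = run + [ts] if code in FAILURE_CODES else []
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            gaps = [(b - a).total_seconds() for a, b in zip(best, best[1:])]
            loops[mac] = (len(best), median(gaps))
    return loops

def matches_timeout(text, timeout_s, tolerance_s=0.5):
    """Looping endpoints whose restart cadence sits within tolerance of the timeout."""
    return sorted(mac for mac, (_, gap) in restart_loops(text).items()
                  if abs(gap - timeout_s) <= tolerance_s)

if __name__ == "__main__":
    print(restart_loops(SAMPLE), matches_timeout(SAMPLE, 2.0))
```

Running the same check on logs taken before and after the timeout change shows whether the looping endpoints disappear or merely change cadence.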
01-28-2020 12:03 PM
01-28-2020 01:13 PM
08-07-2019 11:30 AM