05-09-2019 07:58 AM
I recently posted something to do with CTS issues we are facing in our production SDA fabric. I want to bring this issue back because we are experiencing it again.
Versions:
ISE 2.3p5
DNAC 1.2.8
Overview: Cat 3850s running 16.9.2(s) and 9300s running 16.9.2 &/OR 16.6.5 are having CTS provisioning job hang ups. ISE radius live logs get flooded with request drops for CTS PAC provisioning. ISE NADs show the troublesome devices with PACs. However, when checking via CLI on the NADs they have no PACs upon a reboot. Each issue case the NADs have 2 hung provisioning jobs. I have to go into DNAC, re-provision the device in order for the NADs to get a new PAC. Note that there is then 1 CTS provisioning job still hung. Issuing another reboot takes care of the problem. In a previous post apparently manually removing radius server configs and re-adding them also fixes the issue.
Here are the steps and what I see after a reboot:
One difference between IOSs on separate test cases using 9300s (16.9.2 & 16.6.5) is that the issue is the same except the 16.6.5 host attempts to reach out to ISE authenticating with an identity known as "CTS-Test-Server".
If anyone can provide any insight it would be greatly appreciated. I have TAC engaged & I am working through my reps to get the BU involved. Thanks in advance.
Solved! Go to Solution.
05-10-2019 07:44 PM
Please continue working with TAC on this.
05-10-2019 07:44 PM
Please continue working with TAC on this.
03-11-2021 12:30 PM
good afternoon Mike! what was the solution to this problem?
03-12-2021 07:00 AM
@paataides if you encounter this the workaround shared above will help. However, I would recommend upgrades. After upgrading NADs and moving the ISE cluster to a higher version I never encountered the issue again thankfully. HTH!
03-12-2021 09:50 AM
Thanks Mike, i have TAC engaged but i dont want upgrade on this moment, very critical LOL
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: