ACS LOG 11013 RADIUS packet already in the process

mhuaynate
Level 1

Hi,

I got the following error message in my ACS 5.3. Do you know what the problem could be?

[attached screenshot: red.PNG]

Best Regard,

Marco.

5 Replies

Tarik Admani
VIP Alumni

Marco,

Please use this as a reference:

http://www.cisco.com/en/US/products/ps9911/products_tech_note09186a0080bb8100.shtml#radius11013

In an ACS 5.3 deployment, users fail dot1x authentication. The database used is an Active Directory. The RADIUS failure code is shown here:

RADIUS Request dropped: 11013 RADIUS packet already in the process

Solution

The ACS has ignored this request because it is a duplicate of another packet that is currently being processed. This can occur because of any of these:

  • The Average RADIUS Request Latency statistic is close to or exceeds the client RADIUS request timeout of the client.

  • External identity store can be very slow.

  • The ACS has been overloaded.

Perform these steps in order to resolve:

  1. Increase the client RADIUS request timeout of the client.

  2. Use a faster or additional external identity store.

  3. Follow the ways to reduce the overload on ACS.

Thanks,

Tarik Admani

Hi Tarik,

How can I do that?

  1. Increase the client RADIUS request timeout of the client.

  2. Use a faster or additional external identity store.

  3. Follow the ways to reduce the overload on ACS.


Marco,

1. First we will have to see what the RADIUS timeout values are set to on the network device. Also we need to identify if there is a relation to which network device(s) are generating this message, and then try to increase the timeout values for that device. If there is some latency, note that some devices come with a default 5-second timer, some up to 15.

2. If you are using AD, where are the domain controllers with respect to the ACS? Is there a firewall or any policing policies that the ACS is subject to in its path to the DCs? If not, how many domain controllers do you have and how many are local to the ACS itself? Are your "sites" configured properly with the DC infrastructure so that when ACS queries the domain it is receiving domain controllers that are located closest to it? Also, what version of ACS are you running? If you are on ACS 5.3 then installing the latest patch will help fix some critical AD issues.

3. How many authentications do you see on average when this issue occurs, and what authentication mechanism are you using (EAP-TLS or PEAP)? These authentication protocols are different in the way they operate, and when it comes to authentications per second EAP-TLS does consume more processing power than PEAP.

Thanks,

Tarik Admani

Tarik Admani
*Please rate helpful posts*
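As an added illustration (not code from this thread, from Cisco ACS, or from IOS), the following Python model shows the mechanism behind the 11013 message and behind items 1 and 3 of the tech note: a NAS retransmits an Access-Request with the same RADIUS Identifier whenever no reply arrives within its timeout, and the server drops any packet that matches a request it is still processing. The server's duplicate rule is modelled on RADIUS practice (same source IP, source UDP port and Identifier); how ACS matches duplicates internally is not stated in the thread. The NAS address 10.0.0.2, port 1645, Identifier 7 and every latency value are constructed for the example.

```python
"""Why a slow identity store produces '11013 RADIUS packet already in the process'.

Added example; not code from this thread, from Cisco ACS, or from IOS. It models a
NAS (the switch) that retransmits an Access-Request with the same RADIUS Identifier
whenever no reply arrives within its configured timeout, and a RADIUS server that
keeps an in-flight cache keyed by (client IP, client UDP port, Identifier) and drops
any packet matching an entry still being processed. All addresses and latencies are
constructed values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    client_ip: str
    client_port: int
    identifier: int   # RADIUS Identifier (0-255); a NAS reuses it on retransmit
    sent_at: float    # seconds since the first transmission


@dataclass
class RadiusServer:
    backend_latency: float                           # seconds the identity store takes
    in_flight: dict = field(default_factory=dict)    # (ip, port, id) -> completion time
    dropped: list = field(default_factory=list)      # packets refused as duplicates

    def receive(self, req: AccessRequest) -> str:
        key = (req.client_ip, req.client_port, req.identifier)
        # Retire requests whose processing finished before this packet arrived.
        self.in_flight = {k: done for k, done in self.in_flight.items()
                          if done > req.sent_at}
        if key in self.in_flight:
            # Same client and Identifier as a request still being worked on:
            # this is the condition the ACS reports as 11013.
            self.dropped.append(req)
            return "dropped: 11013 RADIUS packet already in the process"
        self.in_flight[key] = req.sent_at + self.backend_latency
        return "accepted"


def simulate(nas_timeout: float, nas_retransmits: int, backend_latency: float) -> dict:
    """One authentication attempt: the original request plus its retransmits.

    The NAS retransmits every nas_timeout seconds until it either hears back
    (backend_latency after the first accepted packet) or exhausts its retries.
    """
    server = RadiusServer(backend_latency)
    events = []
    response_at = None
    for n in range(nas_retransmits + 1):
        now = n * nas_timeout
        if response_at is not None and now >= response_at:
            break  # reply already received; the NAS stops retransmitting
        req = AccessRequest("10.0.0.2", 1645, identifier=7, sent_at=now)  # constructed NAS
        result = server.receive(req)
        events.append((now, result))
        if result == "accepted" and response_at is None:
            response_at = now + backend_latency
    return {
        "events": events,
        "dropped": len(server.dropped),
        "packets_received": len(events),   # every packet still costs parsing and a lookup
        "nas_answered_at": response_at,
        # The NAS waits one more timeout after its last retransmit before giving up.
        "nas_gave_up": response_at is None
        or response_at > nas_timeout * (nas_retransmits + 1),
    }


def minimum_safe_timeout(avg_request_latency: float, margin: float = 1.5) -> float:
    """Smallest NAS timeout that keeps a retransmit from overlapping the original.

    Compare the ACS 'Average RADIUS Request Latency' counter with the NAS timeout;
    the margin leaves room for latency spikes. Returns seconds.
    """
    return avg_request_latency * margin


if __name__ == "__main__":
    for latency in (3.0, 8.0, 12.0):
        r = simulate(nas_timeout=5.0, nas_retransmits=3, backend_latency=latency)
        print(f"latency {latency:>4}s, NAS timeout 5s: {r['dropped']} dropped as 11013, "
              f"NAS answered at {r['nas_answered_at']}s")
    print(f"NAS timeout to stay clear of an 8s average latency: {minimum_safe_timeout(8.0)}s")
```

With the identity store answering in 8 s and the NAS timing out at 5 s, the retransmit arrives while the original is still in flight and is dropped, which is exactly the symptom in the question; raising the NAS timeout to 15 s, or bringing the store's latency under the timeout, removes the duplicates. On IOS the knobs item 1 refers to are `radius-server timeout` and `radius-server retransmit` (defaults 5 seconds and 3 retries). The dropped packets also explain why overload (item 3) feeds on itself: each retransmit still has to be received and matched before it can be discarded.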

Hi Tarik,

This is the port configuration in the switch:

interface FastEthernet0/12
 switchport mode access
 switchport voice vlan 10
 authentication port-control auto
 authentication host-mode multi-domain
 authentication violation protect
 authentication event fail action authorize vlan 11
 authentication event fail retry 2 action authorize vlan 11
 authentication event no-response action authorize vlan 11
 authentication periodic
 authentication timer reauthenticate 60
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 spanning-tree portfast
end

Thanks.
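The posted interface configuration is the kind of input to check when working through item 3 (overload on ACS), because periodic reauthentication turns every port into a recurring RADIUS client. The following added example (not code from the thread or from Cisco) parses IOS interface blocks and estimates the reauthentications per hour each port generates. The sample embeds Marco's configuration plus a second, constructed interface; the sessions-per-host-mode multipliers are a modelling assumption.

```python
"""Estimate the reauthentication load a switch port configuration places on RADIUS.

Added example; not code from this thread or from Cisco. It parses interface blocks
in IOS running-config form and estimates how many RADIUS authentications per hour
each port causes through periodic reauthentication. FastEthernet0/12 below is the
configuration posted in the thread; FastEthernet0/13 is constructed for contrast.
"""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/12
 switchport mode access
 switchport voice vlan 10
 authentication port-control auto
 authentication host-mode multi-domain
 authentication violation protect
 authentication event fail action authorize vlan 11
 authentication event fail retry 2 action authorize vlan 11
 authentication event no-response action authorize vlan 11
 authentication periodic
 authentication timer reauthenticate 60
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 spanning-tree portfast
interface FastEthernet0/13
 switchport mode access
 authentication port-control auto
 authentication host-mode single-host
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
"""

# Assumed upper bound on simultaneously authenticated sessions per host-mode:
# multi-domain allows one data and one voice session; multi-auth is omitted
# because its session count depends on the hosts actually seen on the port.
SESSIONS_PER_MODE = {"single-host": 1, "multi-host": 1, "multi-domain": 2}

DEFAULT_REAUTH_INTERVAL = 3600  # IOS default when no reauthenticate timer is set


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-command lines]} for every interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # left the interface block
    return interfaces


def reauth_per_hour(commands: list) -> float:
    """Estimated RADIUS authentications per hour from periodic reauthentication."""
    if "authentication periodic" not in commands:
        return 0.0
    interval, mode = DEFAULT_REAUTH_INTERVAL, "single-host"
    for cmd in commands:
        m = re.match(r"authentication timer reauthenticate (\d+)$", cmd)
        if m:
            interval = int(m.group(1))
        m = re.match(r"authentication host-mode (\S+)$", cmd)
        if m:
            mode = m.group(1)
    return 3600 / interval * SESSIONS_PER_MODE.get(mode, 1)


def load_report(config: str, ports_per_profile: int = 1) -> dict:
    """Per-interface estimate, plus the total if each profile is used on N ports."""
    report = {name: reauth_per_hour(cmds)
              for name, cmds in parse_interfaces(config).items()}
    report["total_per_hour"] = sum(report.values()) * ports_per_profile
    return report


if __name__ == "__main__":
    for name, value in load_report(SAMPLE_CONFIG, ports_per_profile=48).items():
        print(f"{name}: {value:g} authentications/hour")
```

A 60-second reauthentication timer on a multi-domain port yields up to 120 authentications per hour from that single port, against one per hour for the same port at the IOS default of 3600 s. Multiplied across the ports of a stack, that difference is worth comparing with the authentications-per-second figure Tarik asks about before looking at ACS sizing.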

aaa accounting update newinfo
