02-21-2025 08:54 AM
Hi Team,
We have been facing a P1 issue in Cisco ISE for over a week now. Despite multiple troubleshooting attempts across different devices, we haven't been able to fully isolate the root cause.
One of the key observations is that the domain controller (DC) is switching every 2 to 3 minutes, and we are unsure why this is happening. In ISE, we are also noticing a step latency of over 60,000 ms, which is significantly high and could be affecting authentication. Because of this, we are hitting multiple errors, including 5440, 5441, and 24403.
Additionally, I have collected logs that highlight RPC logon failures and communication issues with the domain controller:
24344 RPC Logon request failed – STATUS_ACCESS_DENIED, ERROR_RPC_NETLOGON_FAILED, Lskdk01@esss.local
24303 Communication with domain controller failed – srct600553.esss.local, ERROR_RPC_NETLOGON_FAILED
24344 RPC Logon request failed – STATUS_ACCESS_DENIED, ERROR_RPC_NETLOGON_FAILED, Lskdk01@esss.local
24303 Communication with domain controller failed – srct600554.esss.local, ERROR_RPC_NETLOGON_FAILED
24344 RPC Logon request failed – STATUS_ACCESS_DENIED, ERROR_RPC_NETLOGON_FAILED, Lskdk01@esss.local
24303 Communication with domain controller failed – srct600553.esss.local, ERROR_RPC_NETLOGON_FAILED
24305 Failover threshold has been exceeded
24403 User authentication against Active Directory failed – esss.local
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new (Step latency = 47202 ms)
Given that network connectivity is stable (latency below 2–3 ms), we need to determine why the domain controller is switching so frequently. Could this be due to a misconfiguration in AD, load balancing issues, or domain trust settings? Are there any specific logs on the AD servers that can help us analyze why this behavior is occurring?
We also need to confirm whether this is purely an AD-side issue or if Cisco ISE has a bug or configuration issue that is contributing to this behavior. Are there any known bugs in ISE that could be causing unexpected DC switching or authentication latency issues?
As a temporary workaround, I would like to know if increasing the EAP authentication timer on the WLC could help mitigate the impact. Would this be effective, or are there other short-term fixes we can apply to reduce business disruption while we investigate further?
Due to confidentiality reasons, I am unable to provide PCAP captures, but I can share additional logs if needed. Please let me know the next steps and any recommendations on how to proceed.
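As an added triage helper (not from the post, and not part of Cisco ISE itself): a small Python script that parses ISE step lines in the format quoted above and summarises, per authentication, which domain controllers were tried, how often ISE hopped between them, how many RPC logon failures occurred, and the reported step latency. The sample steps are constructed from the lines quoted in the post; the function names are assumptions of this example.

```python
import re

# Constructed sample: the ISE step lines quoted in the post above (one failed authentication).
SAMPLE_STEPS = """\
24344 RPC Logon request failed – STATUS_ACCESS_DENIED, ERROR_RPC_NETLOGON_FAILED, Lskdk01@esss.local
24303 Communication with domain controller failed – srct600553.esss.local, ERROR_RPC_NETLOGON_FAILED
24344 RPC Logon request failed – STATUS_ACCESS_DENIED, ERROR_RPC_NETLOGON_FAILED, Lskdk01@esss.local
24303 Communication with domain controller failed – srct600554.esss.local, ERROR_RPC_NETLOGON_FAILED
24344 RPC Logon request failed – STATUS_ACCESS_DENIED, ERROR_RPC_NETLOGON_FAILED, Lskdk01@esss.local
24303 Communication with domain controller failed – srct600553.esss.local, ERROR_RPC_NETLOGON_FAILED
24305 Failover threshold has been exceeded
24403 User authentication against Active Directory failed – esss.local
5440 Endpoint abandoned EAP session and started new (Step latency = 47202 ms)
"""

STEP_RE = re.compile(r"^(\d{4,5})\s+(.*)$")          # "<step code> <message>"
LATENCY_RE = re.compile(r"Step latency = (\d+) ms")

def parse_steps(text):
    """Turn ISE step lines into (code, message, detail) tuples; detail is the text after ' – '."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if not m:
            continue                                   # skip anything that is not a step line
        parts = re.split(r"\s+[–-]\s+", m.group(2), maxsplit=1)
        steps.append((int(m.group(1)), parts[0], parts[1] if len(parts) > 1 else ""))
    return steps

def triage(steps):
    """Summarise the AD-side symptoms of one authentication from its parsed step list."""
    dcs, rpc_failures, latency, failover, ad_failed = [], 0, 0, False, False
    for code, msg, detail in steps:
        if code == 24303:                              # DC communication failed; detail starts with the DC FQDN
            dcs.append(detail.split(",")[0].strip())
        elif code == 24344:                            # RPC Logon request failed
            rpc_failures += 1
        elif code == 24305:                            # failover threshold exceeded
            failover = True
        elif code == 24403:                            # AD authentication failed
            ad_failed = True
        elif code == 5440:                             # endpoint abandoned the session; latency sits in the message
            m = LATENCY_RE.search(msg + detail)
            if m:
                latency = max(latency, int(m.group(1)))
    switches = sum(1 for a, b in zip(dcs, dcs[1:]) if a != b)   # consecutive DC changes within this auth
    return {"dc_sequence": dcs, "dc_switches": switches, "rpc_failures": rpc_failures,
            "failover_exceeded": failover, "ad_auth_failed": ad_failed, "step_latency_ms": latency}
```

Run `triage(parse_steps(...))` over the step list of each failed authentication exported from ISE to see whether the same DC pair is involved every time and whether the RPC failures always precede the DC switch.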
02-21-2025 09:13 AM
Hi,
Could be a privilege issue as well, if the ISE computer account wasn't onboarded with enough/correct privileges, or if they were modified later.
And regarding the switching, does ISE have network access to all of the domain servers? (Do you have multiple sites, etc.?)
That being said, as helpful as this community may be, when you have an issue like this that may be impacting the users on the network, it's often best to create a support case with Cisco (either directly or through your VAR, depending on your contracts), to find the root cause and solve the issue within a reasonable timeframe.
02-21-2025 05:29 PM - edited 02-21-2025 05:31 PM
Hi jonatan,
Thanks for replying to the post. Actually, the machine account had enough privileges, and it's also working fine for 50% of the users. The issue is intermittent, and we have multiple sites in the EMEA and APAC regions. In the APAC region the issue resolves after making the domain controller static instead of dynamically configured. In the EMEA region we have also configured a new DC, but we are still facing the issue, and no activities were performed on ISE, LB or DC. We have a P1 case opened with Cisco TAC, LB TAC and Microsoft TAC.