Hi @Greg Gibbs thanks for the reply.

Are you aware of any other customers who are experiencing the same issues as it sounds like it's a common issue when deploying ISE in Azure? I noticed on the recent deployment guide that it refers to a fix by Microsoft in certain regions, do you know what the actual fix is? We've escalated this with our account manager at Microsoft but it would be good to understand if others are having the same issue as its a big problem for us and we cannot resolve it at the moment.

Cloud Deployment Guide 

Due to this known issue, do one of the following:

1. Select regions where Azure Cloud has already implemented the fixes: East Asia (eastasia) and West Central US (westcentralus).

2. Cisco ISE customers should raise an Azure support ticket. Microsoft has agreed to take the following actions:

   1. Pin the subscription to ensure all instances within that subscription are deployed on hardware generation 7.

   2. Enable the "allow out-of-order fragments" option, which allows fragments to pass through to the destination instead of being dropped.

My understanding is that pre-Gen 7 hardware is unable to reassemble the out-of-sequence fragments properly, but Microsoft would have to confirm that is the case.

Any customer running ISE nodes in Azure with EAP-TLS flows would have this issue. I've had customers with multi-cloud environments deploy ISE in AWS instead of Azure as AWS does not have this issue.

Hi @Greg Gibbs ,

We aren't having much joy with Microsoft, there suggested fixes are not applicable and we are unable to migrated to AWS as all our infrastructure is in Azure. 

I've seen articles suggest setting the MTU on the PSN interface to 1300 and other sites suggest adding the framed-mtu to the authz profiles but i'd like to get more information before we start making random changes. 

I can see packet fragementation on our Azure inferface on our fortinet firewall but our networking team are telling us its normal to see fragmentation on L3 network and that there is nothing we can do to re-order the packets before sending to Azure to ensure they are in order and do not get dropped? 

Its incredibly frustrating as Microsoft are saying its nothing to do with them and the Cisco guide implies some fixes have been applied in certain regions but it would be good to understand exactly what has been changed. 

We migrated ISE to azure based on the Cisco deployment guide and it was suggested that its a simple fix from Microsoft when it doesn't appear to be that way. 

You could certainly try those options, but I'm not confident they will make any difference. None of them will change the fact that the Windows native supplicant uses large EAP messages (1470 bytes), which forces the fragmentation at the IP layer.

The combination of these two factors (expected fragmentation and dropping out of sequence fragments) results in the problem.

FWIW, the OSX supplicant appears to use 1270 byte EAP messages, so Apple appears to have a better grasp on basic networking than MS. I know this doesn't help the situation you're having though.

@Greg Gibbs 

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning#azure-and-fragmentation

Cisco Bug id updated on 3rd Feb, 2025

https://bst.cisco.com/quickview/bug/CSCwe82033

I am not sure under this bug why it's only mentioned Network Access Device (Access Point or Switch), when we are doing the EAP-TLS with central auth that time NAD device should be WLC. is not it? is this something incorrectly mentioned in the bug ID?

@InfraISE2020, I have only personally worked with customers to deploy ISE in AWS. I don't have visibility of any specific customers that have deployed ISE in Azure for these regions.

I'm not aware of any MS documentation that specifically states what is changed in the newer hardware that resolves this issue. It stands to reason that it would be something in the fragmentation reassembly code and/or hardware (like the ASIC).

I cannot speak to what MS is doing to resolve this. You would need to speak with them for current info.

The fragmentation and out-of-sequence packets are due to the large certificate payload. EAP-TTLS(PAP) does not use client side certificates, so it should not have the same issues. It is password-based, however, so there may be various other implications.

This is still going on and I think it is not going to change.  I'm facing the same issue and reached out to Microsoft about this, the basically said the following:

1. If out-of-order fragment reordering is needed, Azure can only enable this with the following limitations and requirements:

- The VM needs to be fully maintained and have all the applicable security patches in a timely manner

- The out-of-order fragments must originate from the internet to a public IP address attached directly to a VM.

- The out-of-order fragment reordering flag only supports specific VM SKUs, generally Dsv4, Ev4, Bv1 and earlier.  The compute optimized FSv2, which Cisco recommends to use for a PSN, wasn't supported according to the Azure engineer

- Allowing out-of-order fragments reordering exclusively applies to public IPs attached to the VMs. It is not supported for load balancing, ExpressRoutes or VPN gateways. 

- All the VMs MUST be deployed into a new empty subscription, which is pinned to compatible hardware clusters

- If VNets need to communicate across subscriptions you can use VNET peering, although VNet peering does NOT inherit the UDP fragment flag. 

Also, Cisco is stating that two Azure regions have a 'fix' applied already and that these regions will allow out-of-order fragmented UDP. I've asked Microsoft about this and they claim that this is false.  The Azure engineer told me that Azure East Asia and Azure West Central US also need this flag and will drop out of order fragments by default. 

Note that it seems that ONLY Microsoft Azure is doing this. AWS, OCI and physical DCs that I've tried  seem to not drop the fragmented traffic and my 802.1 eap-tls supplicants could authenticate fine if the PSN was hosted there. 

What you can do is pointing a supplicant to test with to a specific PSN node and then run packet captures across your network path.  You can track them by using the identification field field in the IP header (e.g. wireshark: ip.id == 0x66c4). Look if there is a lot of fragmented traffic and try to track the fragmented access-requests.  Check if you see certain sessions that aren't received by the ISE node and check if they egress your Express route interface on prem. If there's an intermediate device like a firewall in between you can check if that hop receives all the fragments or not. If it was egressing correctly at your on prem express route interface but not received on the PSN you at least know that its getting lost somewhere in between the express route and Azure. 

To create a tcp dump on the PSN:

Go to Operations -> Diagnostic tools -> TCP dump and select the PSN node to create a pcap on the PSN VM itself.