Cisco Identity Services Engine (ISE) 2.2

jm.virtual01
Level 1

I have Cisco ISE 2.2 in our network. I have an issue with one switch stack in ISE. Initially I had an error message in the live logs for this switch stack. The error message was "#CTSREQUEST#". I solved it by reapplying the PAC keys, but after this, once I had a successful connection between ISE and the switch, I got another error message: "CTS TEST SERVER". I have no clue about this error message.

The other issue is with authentication: I cannot see any dot1x session from this switch. There are no failure logs in the live logs on ISE or on the switch either. Only MAB authentication happens successfully. The switch port configuration looks fine and I am using multi-domain authentication. I have one phone and PC connected on the interface. The phone can authenticate successfully through MAB but the PC cannot.

The PC should authenticate through dot1x but does not.

When I run the sh authentication session int x/x command, I can see only the MAB session, not dot1x. I cannot see any Auth or Unauth dot1x session.

 

Accepted Solution

kthiruve
Cisco Employee

Please open a TAC case if this is still an issue. This forum is to help solve simple configuration issues, understand design, or for deployment-related questions, etc. This forum is not meant for deep dive troubleshooting.

 

-Krishnan

8 Replies

gbekmezi
Level 5

Do you see anything different when you plug the PC directly into the switch (not behind the phone)?

No. If the PC is directly connected to the switch, there is no active session on that interface.

Damien Miller
VIP Alumni

If you're leveraging inline tagging I would do a "ping <radius server ip> size 1500" from the switch having the issue. One of the things you have to watch out for with TrustSec is MTU issues. Sometimes an interface doesn't get configured correctly, either with a software issue or a missing cts manual command. If using inline tagging, there is also an undocumented CTS MTU bug on the ISR 4k/ASR/CSR platform that has since been fixed in more recent releases; you won't find it in the public-facing bug tracker or any release notes.

And a couple of questions: are you using load balancers? Which switch platform and software release?

I can ping from the switch where I am facing the issue with the following command:

ping x.x.x.x size 1500

So MTU size is not an issue, I believe.

Are there any commands to check the connectivity between ISE and the networking device? I want to check the RADIUS server status. I can ping all my servers from the switch.

If you are using EAP-TLS and there is a GRE tunnel between the switch and the ISE PSNs, then you could be running into fragmentation drops if your PSNs are behind an F5 load balancer. F5 documents this issue here:

https://support.f5.com/csp/article/K17102


I am using the tunnel. F5 is not in this picture.

Are there any commands to check the connectivity between ISE and the switch? I want to test the communication between the switch and ISE.
