[CISCO ISE][12935 ] Supplicant stopped responding to ISE during EAP-TL

Shabin ASOKAN
Level 1

Hello Everyone, 

I am contacting you all because I don't seem to find the information needed to resolve my issue, even though there are many topics similar to mine with the same error.

We have an infrastructure using FTD ASA5506 with switch CISCO WS-C2960S-48TS-L, everything was working fine.

We have recently replaced our firewall (since it's not upgradable anymore) with a FortiGate 60F.

Everything is working fine except for the user's devices that can't authenticate on the switch and receive the correct VLAN ID.

For some reason we get the following error on the Cisco ISE:

PiotrWnekowicz_0-1714053629611.png

I hope you can help us on this matter

Let me know what information I can give you to help us resolve this problem.

Thank you all for your time and help.

Best regards

6 Replies

Arne Bier
VIP

Hello @Shabin ASOKAN 

I have a suspicion that this is related to incorrect MTU size, since the EAP failure mentions there is a breakdown during cert exchange. In a typical EAP cert exchange (client or server) the total size of all certs (Root, Intermediate) tends to be larger than 1500 bytes.

If the FW was acting as a default gateway for the VLAN that ISE is using for its Gig0 interface, then I am pretty sure that the MTU on that Fortigate interface is greater than 1500 bytes. There is a requirement to ensure that the L3 on the ISE Management VLAN is using an MTU of 1500. Anything bigger than that and the cert exchange will fail, because ISE does not support jumbo frames for its management.

Shabin ASOKAN
Level 1

Hello @Arne Bier

Thank you for your reply.

I had read about that and checked the switch MTU which was fine, but did not think of checking the MTU on the firewall.

In our infrastructure context, the ISE is behind an IPsec tunnel; therefore, could it be the WAN interface's MTU that is the problem?

So far, here is what I found: the WAN has an MTU of 1500 and the VPN tunnel has an MTU of 1420 (see screenshot attached):

PiotrWnekowicz_0-1714124821828.png

If the MTU is smaller than 1500, could that also be a problem?

Have a nice day.

Shabin ASOKAN
Level 1

Hello @Arne Bier

It turns out I have found another article in which you explained a few things, in the link below:

What was interesting is the way to figure out the maximum MTU size accepted by the Cisco ISE: you propose to ping the Cisco ISE while specifying the packet size. In my case, the highest I can go is 1470, even though my IPsec tunnel interface's MTU is 1420.

Just in case, I brought the MTU size down to 1300 for now; I will test it next week since I can't access the remote device at the moment.

Should I maybe change the WAN interface MTU?

I will keep you updated on the results next Monday. If this works, it will be a nice win for this end of week after a lot of research.

Thank you for your time and help
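A way to automate the ping-based MTU check discussed above, added here as an example and not code from this thread or from Cisco: it wraps the Linux iputils `ping -M do` (DF bit set) in a binary search and reports the largest IP packet the path to the ISE node carries without fragmentation. The `simulated_path` helper is a constructed stand-in for a real link so the search can be exercised offline; the host address is an assumed command-line argument.

```python
import subprocess
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header


def wire_size(payload: int) -> int:
    """Bytes on the wire for an IPv4 ping carrying this ICMP payload size."""
    return payload + IP_HDR + ICMP_HDR


def ping_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """One echo request with Don't-Fragment set (Linux iputils: -M do).

    A reply means the whole packet crossed the path unfragmented; a timeout or
    'message too long' error means some hop (tunnel, firewall) could not carry it."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload that passes and return the matching IP MTU.

    probe(payload) returns True when the packet got through. Payload 0 is assumed
    to pass; hi=1472 is the payload that fills a standard 1500-byte frame."""
    if probe(hi):
        return wire_size(hi)
    hi -= 1                      # hi failed: answer lies in [lo, hi]
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid             # mid passed: it is the new known-good floor
        else:
            hi = mid - 1         # mid failed: everything at or above it is out
    return wire_size(lo)


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real link: accepts a probe only if it fits path_mtu."""
    return lambda payload: wire_size(payload) <= path_mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. the ISE PSN address
    probe = (lambda p: ping_probe(host, p)) if host else simulated_path(1420)
    mtu = find_path_mtu(probe)
    print(f"largest unfragmented packet on the path: {mtu} bytes")
```

A result below 1500 on the way to ISE means the RADIUS packets carrying the EAP-TLS certificate chain will be fragmented somewhere on that path, so the fragments must be allowed through, or the tunnel MTU and the EAP fragment size have to be reconciled.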

Hello @Arne Bier

It would seem the change we've done last week hasn't resolved our issue.

I will investigate some more. I only changed the MTU on the IPsec tunnel interface; should I maybe do it on the ISP interface as well?

I thank you for your help.

Have a nice day.

Arne Bier
VIP

I hate messing around with MTU sizes ... mostly because I don't know the best way to solve this (i.e. if, and what value to set the MTU, and in which places in the network). Is the Fortigate configured to drop UDP fragments? I don't see how else ISE (whose GigE interface has MTU=1500) is supposed to handle a large certificate exchange greater than 1500 bytes without fragmentation.

Shabin ASOKAN
Level 1

Thank you @Arne Bier for your help and time on this.

I have started a discussion with FortiGate; I hope they will help us resolve this issue.
I'll let you know our findings in case they can help someone else.

Best regards.