09-27-2023 12:26 AM
Hi,
We are running ISE 3.2 Patch 3 and using EAP-TLS. We are performing both machine and user authentication. We are seeing issues with a large number of '5440 Endpoint abandoned EAP session and started new'. The issue we have is that they seem to be happening at entirely random intervals, sometimes the client will authenticate ok and sometimes they won't. Sometimes they will abandon the session and re-auth within a second or two without issue and sometimes they will just not auth at all and the Windows 20 minute 802.1X block timer will run.
Anyone able to help!?
Thanks
09-27-2023 02:52 AM
M.
09-27-2023 07:27 AM - edited 09-27-2023 07:29 AM
You will need to do much more assessment of your endpoints failing since this is an issue with your endpoint 802.1X supplicant behavior and not ISE.
Are these large numbers of random 5440 failures truly random and from unique endpoints? Or... are they repeated at random intervals from a subset of endpoints in a specific location or through one or more network devices or even talking to a specific ISE PSN node? You need to narrow that down and troubleshoot from there. If it is truly random, revisit your supplicant configurations' timeouts which I assume is globally applied to all of these endpoints and ensure it is following our best practice timeout recommendations (7 second timeout with 3 retries).
Most likely culprit is a misconfiguration (ridiculously low timeout) or network latency (no response from ISE to endpoint before timeout) resulting in the endpoint trying again. Ultimately, ISE does not know why the endpoint did what it did, it just knows the endpoint initiated a new RADIUS session while ISE was still working on the old one.
From the List of Cisco ISE Syslogs:
Message Code: 5440
Severity: WARN
Message Text: Endpoint abandoned EAP session and started new
Message Description: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
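The reply above asks whether the 5440 events are spread across unique endpoints or concentrated on a subset of endpoints, switches or PSNs, and notes that the "abandon and re-auth within a second or two" pattern is a supplicant timeout symptom. The script below is an added example (not from the thread or from Cisco) that performs that triage over an ISE syslog export. The sample lines are constructed for the example and only loosely modelled on the ISE syslog layout; the attribute names Calling-Station-ID, NAS-IP-Address and NetworkDeviceName are the ones ISE emits, but the header regex should be checked against a real export before relying on it.

```python
"""Triage ISE message code 5440 (Endpoint abandoned EAP session and started new).

Groups the events by endpoint MAC, network device and PSN, and flags endpoints
that abandoned a session and started a new one within a few seconds, which is
the signature of a supplicant timing out and retrying.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, not a real ISE export: seven 5440 WARN events plus a
# 5200 pass and a 5400 failure that the filter must skip.
SAMPLE_SYSLOG = """\
<181>Sep 27 00:26:01 ise-psn1 CISE_Failed_Attempts 0000000001 1 0 2023-09-27 00:26:01.101 +01:00 5440 WARN RADIUS: Endpoint abandoned EAP session and started new, Calling-Station-ID=00-11-22-33-44-01, NAS-IP-Address=10.10.1.1, NetworkDeviceName=SW-SITE-A-1, UserName=host/pc01.example.com
<181>Sep 27 00:26:03 ise-psn1 CISE_Failed_Attempts 0000000002 1 0 2023-09-27 00:26:03.250 +01:00 5440 WARN RADIUS: Endpoint abandoned EAP session and started new, Calling-Station-ID=00-11-22-33-44-01, NAS-IP-Address=10.10.1.1, NetworkDeviceName=SW-SITE-A-1, UserName=host/pc01.example.com
<182>Sep 27 00:26:04 ise-psn1 CISE_Passed_Authentications 0000000003 1 0 2023-09-27 00:26:04.100 +01:00 5200 NOTICE Passed-Authentication: Authentication succeeded, Calling-Station-ID=00-11-22-33-44-01, NAS-IP-Address=10.10.1.1, NetworkDeviceName=SW-SITE-A-1, UserName=host/pc01.example.com
<181>Sep 27 00:31:17 ise-psn2 CISE_Failed_Attempts 0000000004 1 0 2023-09-27 00:31:17.004 +01:00 5440 WARN RADIUS: Endpoint abandoned EAP session and started new, Calling-Station-ID=00-11-22-33-44-02, NAS-IP-Address=10.10.1.1, NetworkDeviceName=SW-SITE-A-1, UserName=host/pc02.example.com
<181>Sep 27 00:42:55 ise-psn1 CISE_Failed_Attempts 0000000005 1 0 2023-09-27 00:42:55.330 +01:00 5440 WARN RADIUS: Endpoint abandoned EAP session and started new, Calling-Station-ID=00-11-22-33-44-03, NAS-IP-Address=10.10.1.2, NetworkDeviceName=SW-SITE-A-2, UserName=host/pc03.example.com
<181>Sep 27 00:50:00 ise-psn2 CISE_Failed_Attempts 0000000006 1 0 2023-09-27 00:50:00.000 +01:00 5400 NOTICE Failed-Attempt: Authentication failed, Calling-Station-ID=00-11-22-33-44-03, NAS-IP-Address=10.10.1.2, NetworkDeviceName=SW-SITE-A-2, UserName=host/pc03.example.com
<181>Sep 27 01:05:12 ise-psn2 CISE_Failed_Attempts 0000000007 1 0 2023-09-27 01:05:12.900 +01:00 5440 WARN RADIUS: Endpoint abandoned EAP session and started new, Calling-Station-ID=00-11-22-33-44-01, NAS-IP-Address=10.10.1.1, NetworkDeviceName=SW-SITE-A-1, UserName=host/pc01.example.com
<181>Sep 27 01:20:40 ise-psn1 CISE_Failed_Attempts 0000000008 1 0 2023-09-27 01:20:40.000 +01:00 5440 WARN RADIUS: Endpoint abandoned EAP session and started new, Calling-Station-ID=00-11-22-33-44-04, NAS-IP-Address=10.20.1.1, NetworkDeviceName=SW-SITE-B-1, UserName=host/pc04.example.com
<181>Sep 27 01:22:08 ise-psn1 CISE_Failed_Attempts 0000000009 1 0 2023-09-27 01:22:08.512 +01:00 5440 WARN RADIUS: Endpoint abandoned EAP session and started new, Calling-Station-ID=00-11-22-33-44-05, NAS-IP-Address=10.30.1.1, NetworkDeviceName=SW-HQ-1, UserName=host/pc05.example.com
"""

# Header layout assumed for this example: syslog priority and timestamp, the
# PSN hostname, the ISE log category, three counters, the ISE timestamp with
# offset, the message code, the severity, then the message text and attributes.
HEADER_RE = re.compile(
    r"^<\d+>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<psn>\S+) CISE_\w+ \d+ \d+ \d+ "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2}) "
    r"(?P<code>\d+) (?P<sev>[A-Z]+) (?P<text>[^,]*)(?P<rest>.*)$"
)
ATTR_RE = re.compile(r"(?P<k>[A-Za-z][\w-]*)=(?P<v>[^,]*)")
ABANDONED = 5440


def parse_events(text):
    """Parse syslog lines into dicts; lines that do not match the header are skipped."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        attrs = {k: v.strip() for k, v in ATTR_RE.findall(m.group("rest"))}
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f %z"),
            "psn": m.group("psn"),
            "code": int(m.group("code")),
            "text": m.group("text").strip(),
            "mac": attrs.get("Calling-Station-ID", "?"),
            "nas_ip": attrs.get("NAS-IP-Address", "?"),
            "nad": attrs.get("NetworkDeviceName", "?"),
        })
    return events


def summarize_5440(events):
    """Count 5440 events per endpoint, network device and PSN, plus concentration shares."""
    abandoned = [e for e in events if e["code"] == ABANDONED]
    total = len(abandoned)
    by_endpoint = Counter(e["mac"] for e in abandoned)
    by_nad = Counter(e["nad"] for e in abandoned)
    by_psn = Counter(e["psn"] for e in abandoned)

    def top_share(counter):
        return counter.most_common(1)[0][1] / total if total else 0.0

    return {
        "total": total,
        "unique_endpoints": len(by_endpoint),
        "by_endpoint": by_endpoint,
        "by_nad": by_nad,
        "by_psn": by_psn,
        "top_nad_share": top_share(by_nad),   # near 1.0 => one switch/site
        "top_psn_share": top_share(by_psn),   # near 1.0 => one PSN (path/latency)
    }


def find_rapid_repeats(events, window_s=5.0):
    """Endpoints that abandoned twice within window_s seconds: the retry-on-timeout pattern."""
    per_mac = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["code"] == ABANDONED:
            per_mac[e["mac"]].append(e["ts"])
    hits = []
    for mac, stamps in per_mac.items():
        for earlier, later in zip(stamps, stamps[1:]):
            gap = (later - earlier).total_seconds()
            if gap <= window_s:
                hits.append((mac, round(gap, 3)))
    return hits


def triage(text, window_s=5.0):
    events = parse_events(text)
    summary = summarize_5440(events)
    summary["rapid_repeats"] = find_rapid_repeats(events, window_s)
    return summary


if __name__ == "__main__":
    report = triage(SAMPLE_SYSLOG)
    print(f"5440 events: {report['total']} from {report['unique_endpoints']} endpoints")
    print("by switch:", dict(report["by_nad"]))
    print("by PSN:", dict(report["by_psn"]))
    print("rapid repeats (mac, seconds):", report["rapid_repeats"])
```

On the constructed sample the report shows four of the seven events on one switch and five on one PSN, which is the "subset of endpoints in a specific location or through one network device" case rather than a truly random spread; a rapid repeat of about two seconds on one endpoint points at the supplicant timeout rather than at ISE. Feed a real export through the same functions after confirming the header regex matches its first line.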
09-27-2023 07:35 AM
Wired or wireless?
09-27-2023 09:17 PM
Among the others, check MTU; almost all the time I had similar issues it was because of MTU.
If you have the chance to move temporarily to PEAP and it works, it's for sure an MTU issue.
09-30-2023 05:29 AM
I’m working with TAC on this at the moment and they’re not sure the issue is MTU right now.
We have proved out that we can ping from site to ISE with an MTU of 1500 and ISE to site with an MTU of 1472.
Currently looking at the possibility that the traffic is being dropped somewhere.
The switch is configured with a dot1x timeout of 10 seconds and 3 retries.
If this did turn out to be MTU eventually, what would cause this to happen intermittently?
09-30-2023 09:18 PM
Not sure about this; if you have an SD-WAN between the APs and ISE it may be due to the traffic not traversing the same path each time.
If the APs are placed in a dedicated VLAN, a possible workaround is to lower the MTU for that VLAN.