Cisco ISE - 5440 - Endpoint abandoned EAP session and started new

Aileron88
Level 1

Hi,

We are running ISE 3.2 Patch 3 and using EAP-TLS. We are performing both machine and user authentication. We are seeing issues with a large number of '5440 Endpoint abandoned EAP session and started new'. The issue we have is that they seem to be happening at entirely random intervals, sometimes the client will authenticate ok and sometimes they won't. Sometimes they will abandon the session and re-auth within a second or two without issue and sometimes they will just not auth at all and the Windows 20 minute 802.1X block timer will run.

Anyone able to help!?

Thanks

6 Replies

marce1000
VIP


FYI: https://community.cisco.com/t5/network-access-control/5440-endpoint-abandoned-eap-session-and-started-new/m-p/4096506#M560853

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

thomas
Cisco Employee

You will need to do much more assessment of your endpoints failing since this is an issue with your endpoint 802.1X supplicant behavior and not ISE.

Are these large numbers of random 5440 failures truly random and from unique endpoints? Or are they repeated at random intervals from a subset of endpoints in a specific location, or through one or more network devices, or even talking to a specific ISE PSN node? You need to narrow that down and troubleshoot from there. If it is truly random, revisit your supplicant configurations' timeouts, which I assume are globally applied to all of these endpoints, and ensure they follow our best-practice timeout recommendations (7 second timeout with 3 retries).

The most likely culprit is a misconfiguration (ridiculously low timeout) or network latency (no response from ISE to the endpoint before the timeout), resulting in the endpoint trying again. Ultimately, ISE does not know why the endpoint did what it did; it just knows the endpoint initiated a new RADIUS session while ISE was still working on the old one.

From the List of Cisco ISE Syslogs:

Message Code: 5440
Severity: WARN
Message Text: Endpoint abandoned EAP session and started new
Message Description: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
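As an added triage example (not from this thread or from Cisco), the script below answers the "truly random or clustered?" question above by grouping 5440 events by network device, PSN and endpoint MAC. The log lines are constructed, and their key=value layout and field names (Calling-Station-ID, Device IP Address, NetworkDeviceName) are assumptions that only approximate the ISE failed-attempts syslog, so adjust the regex to your own export.

```python
import re
from collections import Counter

# Constructed sample lines, not real ISE output: the key=value layout and the
# field names only approximate ISE's CISE_Failed_Attempts syslog (assumed).
SAMPLE_LOG = """\
2023-09-27 09:00:01 ise-psn1 5440 WARN Endpoint abandoned EAP session and started new, Calling-Station-ID=AA-BB-CC-00-00-01, Device IP Address=10.10.1.1, NetworkDeviceName=site-a-sw1
2023-09-27 09:03:14 ise-psn1 5440 WARN Endpoint abandoned EAP session and started new, Calling-Station-ID=AA-BB-CC-00-00-02, Device IP Address=10.10.1.1, NetworkDeviceName=site-a-sw1
2023-09-27 09:10:40 ise-psn2 5440 WARN Endpoint abandoned EAP session and started new, Calling-Station-ID=AA-BB-CC-00-00-01, Device IP Address=10.10.1.1, NetworkDeviceName=site-a-sw1
2023-09-27 09:22:05 ise-psn1 5440 WARN Endpoint abandoned EAP session and started new, Calling-Station-ID=AA-BB-CC-00-00-03, Device IP Address=10.20.1.1, NetworkDeviceName=site-b-sw1
2023-09-27 09:35:00 ise-psn1 5200 NOTICE Authentication succeeded, Calling-Station-ID=AA-BB-CC-00-00-03, Device IP Address=10.20.1.1, NetworkDeviceName=site-b-sw1
"""

# timestamp, PSN hostname, message code, severity, message text, then key=value attributes
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<psn>\S+) (?P<code>\d+) \S+ [^,]*,(?P<attrs>.*)$")

def parse_5440(log_text):
    """Return one dict per 5440 line: PSN, endpoint MAC, network device name."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("code") != "5440":
            continue  # skip non-5440 and unparsable lines
        attrs = dict(kv.strip().split("=", 1) for kv in m.group("attrs").split(","))
        events.append({"psn": m.group("psn"),
                       "mac": attrs.get("Calling-Station-ID"),
                       "nad": attrs.get("NetworkDeviceName")})
    return events

def concentration(events, key, threshold=0.5):
    """Share of 5440 events carried by the most common value of `key`; a share
    above `threshold` means the failures cluster on that dimension (one switch,
    one PSN, one endpoint) rather than being truly random across the estate."""
    counts = Counter(e[key] for e in events)
    if not counts:
        return None, 0.0, False
    top, n = counts.most_common(1)[0]
    share = n / len(events)
    return top, share, share > threshold

def triage(log_text):
    """Concentration of 5440s by network device, PSN and endpoint MAC."""
    events = parse_5440(log_text)
    return {dim: concentration(events, dim) for dim in ("nad", "psn", "mac")}

if __name__ == "__main__":
    for dim, (top, share, clustered) in triage(SAMPLE_LOG).items():
        print(f"{dim}: top={top} share={share:.0%} clustered={clustered}")
```

On the constructed sample the failures cluster on one switch and one PSN but not on one endpoint, which points at the path or node rather than at a single supplicant.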


Peter Koltl
Level 7

Wired or wireless?


Among other things, check MTU; almost every time I had similar issues it was because of MTU.

If you have the chance to move temporarily to PEAP and it works, it's for sure an MTU issue.

I’m working with TAC on this at the moment and they’re not sure the issue is MTU right now. 

We have proved out that we can ping from site to ISE with an MTU of 1500 and ISE to site with an MTU of 1472.

Currently looking at the possibility that the traffic is being dropped somewhere. 

The switch is configured with a dot1x timeout of 10 seconds and 3 retries.

If this did turn out to be MTU eventually, what would cause this to happen intermittently?


Not sure about this; if you have an SD-WAN between the APs and ISE it may be due to the traffic not traversing the same path each time.

If the APs are placed in a dedicated VLAN, a possible workaround is to lower the MTU for that VLAN.