
Cisco ISE: Error 5411 No response received ...

Marc Richter
Level 1

Hi all,

we were running Cisco ACS version 4.x half a year ago, but decided to upgrade to Cisco ISE. So we've made a fresh installation with our Cisco partner. At the moment we're live with this equipment, but running into a lot of trouble, as we're receiving a lot of those errors each day. Once the users restart their PCs a few times the problem is solved, but at the moment it's pretty annoying:

No response received during 120 seconds on last EAP message sent to the client

Steps from the detailed view:

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
5411  No response received during 120 seconds on last EAP message sent to the client

Allowed Protocol: EAP-TLS and PEAP

Authentication Protocol : EAP-TLS

Actually I don't know which version we're running. Where can I check the proper release on the web interface?

Switches are 3750x with the following switchport configs (some things have been xxx-ed out), firmware is Version 12.2(55)SE1:

interface GigabitEthernet1/0/1
 description xxx
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan xxx
 authentication event no-response action authorize vlan xxx
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 28800
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone | cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 15
 dot1x timeout supp-timeout 15
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQoS-Police-CiscoPhone

Can someone suggest anything to solve the problem, maybe some misconfiguration or improvements, before starting a TAC case?

Thanks in advance

regards

Marc
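
Added example, not part of the original post and not Cisco tooling: a small Python triage that reads step lists in the layout shown above and reports whether each session hit error 5411 right after the first Access-Challenge (as in this trace) or later in the exchange. The `session=` header lines and endpoint names are constructed for the example; the step codes and messages are the ones from the post.

```python
import re
from collections import Counter

STEP = re.compile(r"^(\d{4,5})\s+(.*)$")   # "<code>  <message>" as in the post
ACCESS_CHALLENGE, EAP_TIMEOUT = 11006, 5411

# Constructed sample: "session=" headers and endpoint names are assumptions.
SAMPLE = """\
session=endpoint-1
11001  Received RADIUS Access-Request
Evaluating Service Selection Policy
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
5411  No response received during 120 seconds on last EAP message sent to the client
session=endpoint-2
11001  Received RADIUS Access-Request
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11006  Returned RADIUS Access-Challenge
5411  No response received during 120 seconds on last EAP message sent to the client
session=endpoint-3
11001  Received RADIUS Access-Request
11006  Returned RADIUS Access-Challenge
"""

def parse_sessions(text):
    """Group numbered steps per session; lines without a step code are skipped."""
    sessions, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("session="):
            current = sessions.setdefault(line.split("=", 1)[1], [])
        elif current is not None and (m := STEP.match(line)):
            current.append((int(m.group(1)), m.group(2)))
    return sessions

def classify(steps):
    """Say where in the EAP exchange the client went silent, if it did."""
    codes = [code for code, _ in steps]
    if EAP_TIMEOUT not in codes:
        return "no-timeout"
    challenges = codes[:codes.index(EAP_TIMEOUT)].count(ACCESS_CHALLENGE)
    return "silent-after-first-challenge" if challenges <= 1 else "stalled-mid-handshake"

def summarize(text):
    return Counter(classify(steps) for steps in parse_sessions(text).values())

if __name__ == "__main__":
    for name, steps in parse_sessions(SAMPLE).items():
        print(name, classify(steps))
```

A count dominated by `silent-after-first-challenge` points at the supplicant not answering the initial EAP-TLS request, which is the pattern in the trace above.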

12 Replies 12

Jatin Katyal
Cisco Employee

Actually, it's annoying...No response received during 120 seconds on last EAP message sent to the client

Are you facing the issue with all the machines/OSes? If there is a specific OS, what OS and supplicant are you using on that machine?

What EAP method do we have configured, PEAP or EAP-TLS?

Status of "validate server certificate" on the client machines?

When exactly do you see this message: while booting up or at any time?

Does this message prevent users from authenticating?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

The OS Version is Microsoft Windows 7 Professional 32 Bit

EAP method is EAP-TLS normally

The Client Machines have "Validate Server Certificate" enabled

When exactly do you see this message: while booting up or at any time? / Does this message prevent users from authenticating?

- I've just checked today's ISE log for this error. There are about 82 errors on different clients today, which I've called right now and asked if they had any problems with the PC. Most of them had for example: no network drives, no printers, and about 5 people had no connection until they restarted their machine.

The PCs are connected to a Cisco 7965G telephone, which is also running with certificates.

The proper version we're running is: 1.1.2.145

regards Marc

Marc

Jatin Katyal
Cisco Employee

The Global Help icon is located in the bottom left corner of the Global Toolbar in the Cisco ISE window. You may check the ISE version there.

To launch Global Help, complete the following steps:


Step 1 On the global toolbar, move your cursor over the Help icon.

Step 2 Choose Online Help from the pop-up menu.

A new browser window appears displaying the Cisco ISE Online Help.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Marc Richter
Level 1

Any more Ideas?

Ravi Singh
Level 7

Verify that the supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that the NAS is configured properly to transfer EAP messages to or from the supplicant. Verify that the supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may not be responding fast enough for current timeouts. For more information you can see the link below.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf

Hi.

I am in a similar situation. How did you resolve the issue?

please do not forget to rate.

Hi,

we found out that our Windows Clients respond too slow to the dot1x requests. Setting the policy to have 3 tries for authentication instead of 1 solved almost all of those problems for us.

Regards

Marc

Hi,

Where exactly did you go? Where is the specific setting that you mentioned? We are facing the same issue, but haven't found where to set the retries that you stated.

Thanks so much for your help

I know this is late, but this task is performed via a GPO or Group Policy in a Windows domain. You would have to get with your Active Directory team, or if you are the network administrator you could follow these steps.

https://msdn.microsoft.com/en-us/library/bb742376.aspx

Hi,

Quick one. We are having similar issues to what is described here. What was the group policy option you edited, because I cannot see it in the Wired Network (802.3 Policies) in GPO.


Thanks,

Phil

Hi,

I had the same issue and we fixed it when we reinserted the DNS entries in the Active Directory configuration.

Best,

Emerson Albuquerque

