04-13-2021 04:26 AM
We have 2 PSN nodes for client auth.
All works on PSN1. When PSN1 is offline, auth is directed to PSN2. All clients then fail to authenticate with the following error.
cisco endpoint started new session while the packet of the previous session is being processed
ISE is 2.24 patch 13. All information for the above error seems to be bug related in previous versions. Has anyone else had a similar issue and can shed any light on the matter?
Thanks
04-19-2021 10:22 PM
Sounds like a good problem to call TAC about.
04-13-2021 05:50 AM
I did not run into a similar issue on older versions of ISE. IMO it may not be a bad idea to plan on upgrading. As of today the suggested release is 2.7. At a minimum if you do not want to make a massive jump I would suggest upgrading at least to the latest patch for 2.2 (patch17). Something else to consider are the 2.2 EOL notices. See here: Cisco Identity Services Engine Software Version 2.2/2.2.1 Product Bulletin - Cisco
HTH!
04-13-2021 11:22 PM
Thanks for the reply Mike.
ISE is 2.4 patch 13, not 2.2. The above was a typo. We had the issue when 2.4 was on patch 12, so we upgraded to patch 13 with no success.
Yes, we are planning to jump to version 3.0 soon. However, the above is currently causing major issues from a failover point of view.
Thanks
04-14-2021 02:53 AM
Hi @bernards
Is your issue happening when a particular PSN goes offline, or not (for example, does the same issue happen if PSN2 goes offline)?
Note: although it's fixed in 2.4 P11, please take a look at: CSCvr70581 Called-Station-ID missing in RADIUS Authentication detail report.
04-14-2021 11:35 AM
Hi Marcelo
The issue happens when PSN1 goes offline and clients then try to authenticate with PSN2. When PSN1 comes back online, clients authenticate OK. So the issue only happens when PSN1 is offline and PSN2 is live.
PSN1 is the primary auth node and PSN2 is secondary for redundancy.
I will have a look at the link provided.
Thanks
04-14-2021 01:32 PM
Hi @bernards,
Are you able to test PSN2 as a primary for a group of your endpoints, just to double check if the issue is happening only on your PSN1 or on both PSNs?
04-15-2021 12:40 PM
Hi Marcelo
The issue only happens on the secondary PSN. All clients authenticate fine on the primary PSN.
When we flip over to test redundancy, the issue with the error message happens to all clients.
Thanks
04-14-2021 11:38 AM
Hi Marcelo
To note: we are running patch 13 on version 2.4. I did see this bug when researching, so I thought it would be fixed in patch 13.
04-14-2021 05:47 PM
The error you referenced, "cisco endpoint started new session while the packet of the previous session is being processed", is most often seen during EAP authentication when the endpoints/client devices don't trust the server and/or certificate. Is it the EAP/dot1x authentication that is failing, and if so, do you use the same EAP certificate on both nodes of the deployment? In the client supplicant config, is there a trusted server list set that only includes PSN1?
04-15-2021 12:44 PM
Hi Damien
Yes, EAP clients are affected. Both PSNs have the correct EAP cert installed.
The client supplicant has the correct trusted servers etc.
The strange thing is that when we revert back to the primary PSN, all clients work. Firewall rules have been double checked and are the same within both DMZ locations. For some reason, when we force clients to use the secondary PSN, the issue is present.
Thanks