Client Authentication issues with multiple PSN nodes

bernards
Level 1

We have 2 PSN nodes for client auth.

 

All works on PSN1. When PSN1 is offline, auth is directed to PSN2. All clients then fail to authenticate with the following error.

 

cisco endpoint started new session while the packet of the previous session is being processed

 

ISE is 2.24 patch 13. All information for above error seems to be bug related in previous versions. Anyone else had a similar issue that can shed any light on the matter?

 

Thanks 


Mike.Cifelli
VIP Alumni

I did not run into a similar issue on older versions of ISE. IMO it may not be a bad idea to plan on upgrading. As of today the suggested release is 2.7. At a minimum, if you do not want to make a massive jump, I would suggest upgrading at least to the latest patch for 2.2 (patch 17). Something else to consider is the 2.2 EOL notices. See here: Cisco Identity Services Engine Software Version 2.2/2.2.1 Product Bulletin - Cisco

HTH!

Thanks for the reply Mike.

 

ISE is 2.4 patch 13, not 2.2. Above was a typo. We had the issue when 2.4 was on patch 12, so we upgraded to patch 13 with no success.

 

Yes, we are planning to jump to version 3.0 soon. However, the above is currently causing major issues from a failover point of view.

 

Thanks 

Hi @bernards

Is your issue happening only when a particular PSN goes offline, or not (for example, does the same issue happen if PSN2 goes offline)?

Note: although it's fixed on 2.4 P11, please take a look at: CSCvr70581 Called-Station-ID missing in RADIUS Authentication detail report.

 

Hi Marcelo 

The issue happens when PSN1 goes offline and clients then try to auth with PSN2. When PSN1 comes back online, clients auth OK. So the issue only happens when PSN1 is offline and PSN2 is live.

 

PSN1 is primary Auth node and PSN2 secondary for redundancy.

 

I will have a look at the link provided.

 

Thanks 

Hi @bernards,

Are you able to test PSN2 as a primary for a group of your endpoints, just to double check if the issue is happening only on your PSN1 or on both PSNs?

Hi Marcelo 

 

The issue only happens on the secondary PSN. All clients authenticate fine on the primary PSN.

When we flip over to test redundancy the issue with the error message happens to all clients.

 

Thanks

 

Hi Marcelo 

 

To note: we are running patch 13 on version 2.4. I did see this bug when researching, so I thought it would be fixed in patch 13.

Damien Miller
VIP Alumni

The error you referenced, "cisco endpoint started new session while the packet of the previous session is being processed", is most often seen during EAP authentication when the endpoints/client devices don't trust the server and/or certificate. Is it the EAP/dot1x authentication failing, and if so, do you use the same EAP certificate on both nodes of the deployment? On the client supplicant config, is there a trusted server list set that only includes PSN 1?

Hi Damien 

 

Yes, EAP clients are affected. Both PSNs have the correct EAP cert installed.

 

The client supplicant has correct trusted servers etc.

 

The strange thing is that when we revert back to the primary PSN, all clients work. Firewall rules have been double checked and are the same within both DMZ locations. For some reason, when we force clients to use the secondary PSN, the issue is present.

 

Thanks

 

Sounds like a good problem to call TAC about.