Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3192
Views
5
Helpful
3
Replies
Michal Olsovsky
Beginner
Beginner
‎08-21-2019 02:50 AM
‎08-21-2019 02:50 AM

CTS Request before PAC provisioning making RADIUS server DEAD

Hi,

after recent upgrade of C3650s from 16.6.4 to 16.6.6 switches started requesting CTS data before PAC is provisioned. Because of this ISE is dropping RADIUS messages with the error message 11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute. These silent drops are effectively marking the RADIUS server "DEAD" and because of "radius-server deadtime 15" making it unusable for some time. 

 

Does anyone else also observed this change of CTS request behavior? Is this now new expected behavior? Is there a way to force the switch to ask for CTS data only once the PAC is provisioned or change the ISE not to silently drop the requests but reply with access reject message?

 

Thank you.

1 person had this problem
0 Helpful
3 REPLIES 3
Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor
‎08-21-2019 05:59 AM
‎08-21-2019 05:59 AM

I had the exact same issue in my SDA fabric across the campus on both 9K and 3K series switches to include edge nodes and intermediary nodes. The nodes experienced the same issue even when testing other SW releases too. I had a TAC ticket and several calls with the BU on the issue and they were unable to replicate the issue so the case was left as a monitoring case. Since then we have upgraded both our DNAC and ISE cluster and I have not seen the issue since (knock on wood). To further expand on the issue we were facing:
Switches would have two hung CTS provisioning jobs, and no PACs. The NAD in ISE would show valid PAC, but drop requests. Therefore, as you also mentioned on the NAD itself radius server would be found as dead.
Our workarounds used to temporarily fix the issue relating to our unique scenario in SDA was to go into DNAC, re-provision the device (this re-provision would terminate one of the two hung CTS jobs), then a fresh reboot of device would make the device happy. And by happy I mean no more hung jobs, and it would successfully pull down its PAC from ISE. If you are not running SDA I have found that removing your radius server configs and re-applying may do the trick for you.
I know this does not directly answer your question, but I wanted to share that I have found pretty much the same issue. My recommendation would be to contact TAC to make them aware, work that angle, and potentially test some upgrades. Good luck & HTH!
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎08-21-2019 08:09 AM
‎08-21-2019 08:09 AM

I have found that leveraging the automated-tester feature reduces the resolution time of this.

Mike, I had the same hung CTS pac provisioning in earlier releases or when load balancer persistence settings were misconfigured.
0 Helpful
Michal Olsovsky
Beginner
Beginner
In response to Damien Miller
‎08-23-2019 03:55 AM
‎08-23-2019 03:55 AM

Hi,

 

RADIUS servers are probed every 1 with the automate-tester feature and ISE is sending back access-reject messages however this doesn't bring the RADIUS servers UP again. I have also tried to remove the whole RADIUS config and applied back but no difference. Looks that logging a case is the only option left.

 

Thank you!

0 Helpful
Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
4
10
4
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube