DTLS Handshake Fails and then Connects

BlackDiamond71 (Level 1)

When I do a CoA command on my Cisco ISE server to any device, it fails about ten times and then succeeds. It isn't a big deal because it eventually succeeds, but I'm wondering if anyone has an idea why it fails 10 times before it succeeds.

Switch Cisco 9300

ISE Server Firmware: 3.4.0.608

aaa server radius dynamic-author
client 192.168.1.2 dtls client-tp CiscoISEServer1-SelfSigned server-tp Switch-SELF-SIGNED
client 192.168.1.3 dtls client-tp CiscoISEServer2-SelfSigned server-tp Switch-SELF-SIGNED
dtls ip radius source-interface Vlan10

Fails (Ten Times)

Steps

 Step ID  Description                                        Latency (ms)
 91070    RADIUS DTLS CoA handshake started
 91042    RADIUS DTLS: sent client hello message             0
 91042    RADIUS DTLS: sent client hello message             0
 91106    RADIUS DTLS: received client hello verify request  0
 91042    RADIUS DTLS: sent client hello message             0
 91042    RADIUS DTLS: sent client hello message             0
 91043    RADIUS DTLS: received server hello message         0
 91044    RADIUS DTLS: received server certificate           0
 91046    RADIUS DTLS: received server done message          0
 91048    RADIUS DTLS: sent client key exchange message      0
 91040    RADIUS DTLS: sent change cipher spec message       0
 91041    RADIUS DTLS: sent finished message                 0

Connects one time

Steps

 Step ID  Description                                        Latency (ms)
 91070    RADIUS DTLS CoA handshake started
 91042    RADIUS DTLS: sent client hello message             0
 91042    RADIUS DTLS: sent client hello message             0
 91106    RADIUS DTLS: received client hello verify request  0
 91042    RADIUS DTLS: sent client hello message             0
 91042    RADIUS DTLS: sent client hello message             0
 91043    RADIUS DTLS: received server hello message         0
 91044    RADIUS DTLS: received server certificate           0
 91046    RADIUS DTLS: received server done message          0
 91048    RADIUS DTLS: sent client key exchange message      0
 91040    RADIUS DTLS: sent change cipher spec message       0
 91041    RADIUS DTLS: sent finished message                 0
 91041    RADIUS DTLS: sent finished message                 0
 91049    RADIUS DTLS: read server session ticket            0
 91039    RADIUS DTLS: received finished message             0
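As an added example (not part of the original post or of Cisco's tooling), here is a small Python parser for the flattened ISE "Steps" view above. It reads the step ID, description and optional latency that the copied view runs together, then tells a completed handshake (server Finished, step 91039, received) from one that stalls after the switch's own Finished (step 91041), counts retransmitted messages, and lists which steps of a known-good attempt are absent. The two sample traces are constructed from the tables in the post, and the step-ID constants are the ones shown there.

```python
import re
from collections import Counter

# Constructed sample input: the two "Steps" traces from the post, in the
# flattened layout the ISE step view produces when copied (step ID,
# description and optional latency in ms run together with no separator).
FAILED_ATTEMPT = """\
91070RADIUS DTLS CoA handshake started
91042RADIUS DTLS: sent client hello message0
91042RADIUS DTLS: sent client hello message0
91106RADIUS DTLS: received client hello verify request0
91042RADIUS DTLS: sent client hello message0
91042RADIUS DTLS: sent client hello message0
91043RADIUS DTLS: received server hello message0
91044RADIUS DTLS: received server certificate0
91046RADIUS DTLS: received server done message0
91048RADIUS DTLS: sent client key exchange message0
91040RADIUS DTLS: sent change cipher spec message0
91041RADIUS DTLS: sent finished message0
"""

SUCCESSFUL_ATTEMPT = FAILED_ATTEMPT + """\
91041RADIUS DTLS: sent finished message0
91049RADIUS DTLS: read server session ticket0
91039RADIUS DTLS: received finished message0
"""

# Step IDs as they appear in the traces above.
STEP_CLIENT_FINISHED = "91041"   # "sent finished message" (the switch's Finished)
STEP_SERVER_FINISHED = "91039"   # "received finished message" (ISE's Finished)

# A step line is: five-digit step ID, a description starting with a non-digit,
# then optional trailing latency digits. A description that itself ended in a
# digit would be misread, so this regex is only meant for the RADIUS DTLS step text.
STEP_RE = re.compile(r"^\s*(?P<sid>\d{5})(?P<desc>\D.*?)(?P<lat>\d+)?\s*$")


def parse_steps(text):
    """Return a list of (step_id, description, latency_ms or None)."""
    steps = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Step ID"):
            continue  # skip blank lines and the column header
        m = STEP_RE.match(line)
        if not m:
            raise ValueError("unrecognised step line: %r" % line)
        lat = int(m["lat"]) if m["lat"] is not None else None
        steps.append((m["sid"], m["desc"].strip(), lat))
    return steps


def classify_handshake(steps, reference=None):
    """Summarise one handshake attempt.

    reference: the step list of a known-good attempt; when given, the steps it
    contains that are absent from this attempt are reported under 'missing'.
    """
    ids = [s[0] for s in steps]
    descs = [s[1] for s in steps]
    # Each repeated description is a retransmission of the same flight.
    retransmits = {d: n - 1 for d, n in Counter(descs).items() if n > 1}
    if STEP_SERVER_FINISHED in ids:
        phase = "complete"
    elif STEP_CLIENT_FINISHED in ids:
        phase = "stalled after client Finished, no server Finished received"
    else:
        phase = "stalled before client Finished"
    missing = []
    if reference is not None:
        seen = set(descs)
        # keep reference order, drop duplicates
        missing = list(dict.fromkeys(s[1] for s in reference if s[1] not in seen))
    return {
        "complete": STEP_SERVER_FINISHED in ids,
        "phase": phase,
        "last_step": descs[-1] if descs else None,
        "retransmits": retransmits,
        "missing": missing,
    }


if __name__ == "__main__":
    good = parse_steps(SUCCESSFUL_ATTEMPT)
    for label, text in (("failed", FAILED_ATTEMPT), ("succeeded", SUCCESSFUL_ATTEMPT)):
        r = classify_handshake(parse_steps(text), reference=good)
        print(label, "->", r["phase"], "| last step:", r["last_step"])
        print("  retransmits:", r["retransmits"])
        print("  missing:", r["missing"])
```

Run on the two traces it reports the failed attempt as stalled after the switch's Finished, with "read server session ticket" and "received finished message" missing and the client hello sent four times; the successful attempt shows the same client hello retransmissions plus one repeated Finished before ISE answers. Because the ISE view only records what the switch-side step logger saw, it cannot show why the server's Finished never arrived; that is what a packet capture between the switch and ISE would add.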
3 Replies

Arne Bier (VIP)

Interesting. Where do you see the CoA failure? Was it a CoA failure, or a TLS establishment failure?

BlackDiamond71 (Level 1)

The Cisco ISE log just says "5450 RADIUS DTLS handshake failed". About ten attempts/logs later, it says "5241 RADIUS DTLS handshake succeeded".

I haven't used DTLS yet, but I found a great Cisco article. Have you seen this?

The suggestion to run a tcpdump seems a good one, to see why the TLS handshake is failing. Perhaps it's negotiating various TLS versions and ciphers until Cat9K and ISE agree?