06-03-2025 09:20 AM
When I do a CoA command on my cisco ISE Server to any device it fails about ten times then it succeeds. It isn't a big deal because it eventually succeeds, but I'm wondering if anyone has an idea why it fails 10 times before it succeeds.
Switch: Cisco 9300
ISE Server Firmware: 3.4.0.608

aaa server radius dynamic-author
 client 192.168.1.2 dtls client-tp CiscoISEServer1-SelfSigned server-tp Switch-SELF-SIGNED
 client 192.168.1.3 dtls client-tp CiscoISEServer2-SelfSigned server-tp Switch-SELF-SIGNED
 dtls ip radius source-interface Vlan10
Fails (ten times):

Step ID | Description | Latency (ms)
91070 | RADIUS DTLS CoA handshake started |
91042 | RADIUS DTLS: sent client hello message | 0
91042 | RADIUS DTLS: sent client hello message | 0
91106 | RADIUS DTLS: received client hello verify request | 0
91042 | RADIUS DTLS: sent client hello message | 0
91042 | RADIUS DTLS: sent client hello message | 0
91043 | RADIUS DTLS: received server hello message | 0
91044 | RADIUS DTLS: received server certificate | 0
91046 | RADIUS DTLS: received server done message | 0
91048 | RADIUS DTLS: sent client key exchange message | 0
91040 | RADIUS DTLS: sent change cipher spec message | 0
91041 | RADIUS DTLS: sent finished message | 0
Connects one time:

Step ID | Description | Latency (ms)
91070 | RADIUS DTLS CoA handshake started |
91042 | RADIUS DTLS: sent client hello message | 0
91042 | RADIUS DTLS: sent client hello message | 0
91106 | RADIUS DTLS: received client hello verify request | 0
91042 | RADIUS DTLS: sent client hello message | 0
91042 | RADIUS DTLS: sent client hello message | 0
91043 | RADIUS DTLS: received server hello message | 0
91044 | RADIUS DTLS: received server certificate | 0
91046 | RADIUS DTLS: received server done message | 0
91048 | RADIUS DTLS: sent client key exchange message | 0
91040 | RADIUS DTLS: sent change cipher spec message | 0
91041 | RADIUS DTLS: sent finished message | 0
91041 | RADIUS DTLS: sent finished message | 0
91049 | RADIUS DTLS: read server session ticket | 0
91039 | RADIUS DTLS: received finished message | 0
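As an added example (not code from the original post or from Cisco), a small Python check over ISE DTLS step tables like the two above: it parses the pipe-separated rows, reports whether the trace reached the server's "received finished message" step and how many client hellos were sent before that, so failed and successful handshakes can be separated automatically instead of by eye. The step IDs are the ones shown in the tables; the sample traces are constructed, abbreviated copies of them.

```python
import re
from dataclasses import dataclass

# Step IDs as they appear in the ISE handshake tables in the post.
STEP_FINISHED_RECEIVED = 91039  # "received finished message": handshake completed
STEP_CLIENT_HELLO_SENT = 91042  # "sent client hello message"

# Matches "<5-digit step id> | <description> | ..." rows; header rows do not match.
LINE_RE = re.compile(r"^\s*(\d{5})\s*\|\s*(.*?)\s*\|")


@dataclass
class HandshakeSummary:
    completed: bool      # server's finished message was received
    client_hellos: int   # how many client hellos the switch sent (retransmits included)
    last_step: str       # description of the last step logged


def summarize_handshake(table: str) -> HandshakeSummary:
    """Parse a pipe-separated ISE DTLS step table and summarise the handshake."""
    steps = []
    for line in table.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        steps.append((int(m.group(1)), m.group(2)))
    if not steps:
        raise ValueError("no step lines found")
    step_ids = [sid for sid, _ in steps]
    return HandshakeSummary(
        completed=STEP_FINISHED_RECEIVED in step_ids,
        client_hellos=step_ids.count(STEP_CLIENT_HELLO_SENT),
        last_step=steps[-1][1],
    )


# Constructed samples: abbreviated copies of the failing and succeeding tables.
FAILED_TRACE = """Step ID | Description | Latency (ms)
91070 | RADIUS DTLS CoA handshake started |
91042 | RADIUS DTLS: sent client hello message | 0
91042 | RADIUS DTLS: sent client hello message | 0
91106 | RADIUS DTLS: received client hello verify request | 0
91042 | RADIUS DTLS: sent client hello message | 0
91042 | RADIUS DTLS: sent client hello message | 0
91043 | RADIUS DTLS: received server hello message | 0
91048 | RADIUS DTLS: sent client key exchange message | 0
91041 | RADIUS DTLS: sent finished message | 0
"""
SUCCESS_TRACE = FAILED_TRACE + "91049 | RADIUS DTLS: read server session ticket | 0\n91039 | RADIUS DTLS: received finished message | 0\n"

if __name__ == "__main__":
    for name, trace in (("failed", FAILED_TRACE), ("succeeded", SUCCESS_TRACE)):
        print(name, summarize_handshake(trace))
```

A trace that ends at "sent finished message" with no "received finished message" is the signature of the failing attempts in the post, which is the point at which a tcpdump of the DTLS exchange would show what the server sent back, if anything.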
06-03-2025 01:48 PM
Interesting - where do you see the CoA failure? Was it a CoA failure, or a TLS establishment failure?
06-03-2025 02:01 PM
The Cisco ISE log just says "5450 RADIUS DTLS handshake failed". After about ten attempts/logs later it says "5241 RADIUS DTLS handshake succeeded".
06-03-2025 02:44 PM
I haven't used DTLS yet - but I found a great Cisco article - have you seen this?
The suggestion to run a tcpdump seems a good one - to see why the TLS handshake is failing - perhaps it's negotiating various TLS versions and ciphers until the Cat9K and ISE agree?