EAP-TLS Failure with Dropped Auth-Request Packets

hml
Level 1

Hello, I am having an issue getting EAP-TLS running in my environment. Basic rundown: Windows 10 with AnyConnect NAM, to 3850, to 4500, to 3850, to ISE running as a VM on ESXi. Certificates are all good according to NAM logs. The ISE policy set I'm using is super basic and fails at step 1 (authentication). Timeout is set to 90 seconds on the NAM and the switchport. So the basics are all there.


I'm getting error 5440 - Endpoint abandoned EAP session and started new. What I'm seeing in packet captures is this: the client validates the server (server hello done) and then replies (from the client to the authenticator switch) with a 1514 byte response. The authenticator then sends this off as a 1418 byte fragmented IP + 504 byte access-request. This pair of packets makes it to the core switch and then to the final access layer switch (SPAN on access switch #2 shows them both coming in). From here the switch drops the 504 byte access request and only forwards the 1418 byte fragment, so I suppose the ISE is not given the proper signal to reply with further access-challenges. The fragmented portion does say there are more fragments to be sent, and the original 1514 byte client response says the entire payload (EAP-TLS length) will be 5698 bytes. So the first switch tries again every 5 seconds until timeout.


Any ideas? I've read plenty on fragments being dropped by firewalls etc, but nothing for when the fragment makes it but the TLS portion is dropped. Also, I can't "see" any dropped packets at all on the switch that's losing those packets. There isn't congestion on the interface.
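The symptom described above is an IPv4 datagram (the RADIUS Access-Request carrying the EAP-TLS fragment) that leaves the authenticator as two IP fragments and arrives at the next hop as one. Only the first fragment carries the UDP header; the remaining fragments carry raw payload, which is why a capture tool dissects the last fragment as the "Access-Request" once it can reassemble. The script below is an added example, not code from the thread or from Cisco: it fragments a transport payload the way an IPv4 stack does for a given link MTU, then checks whether a set of fragments seen at a capture point still reassembles into a complete datagram, reporting the missing byte ranges. The datagram size, MTU, addresses and IP identification value are constructed sample values, not taken from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as seen at a capture point (sizes in bytes)."""
    src: str
    dst: str
    ident: int           # IPv4 Identification field, shared by all fragments of one datagram
    proto: int           # IP protocol number (17 = UDP, which RADIUS uses)
    offset: int          # byte offset of this fragment's payload within the original datagram
    payload_len: int     # bytes of IP payload carried by this fragment
    more_fragments: bool # MF flag: True on every fragment except the last


def fragment_datagram(total_payload, mtu, ident, src="10.0.0.1", dst="10.0.0.2",
                      proto=17, ip_header=20):
    """Split a transport payload (UDP header + RADIUS) into IPv4 fragments for a link MTU.

    IPv4 fragment offsets are expressed in 8-byte units, so every fragment except
    the last must carry a multiple of 8 payload bytes.
    """
    max_payload = (mtu - ip_header) // 8 * 8
    frags, offset = [], 0
    while offset < total_payload:
        plen = min(max_payload, total_payload - offset)
        more = (offset + plen) < total_payload
        frags.append(Fragment(src, dst, ident, proto, offset, plen, more))
        offset += plen
    return frags


def reassembly_status(frags):
    """Group fragments by (src, dst, id, proto) and report per datagram whether it is complete.

    Returns {key: {"complete": bool, "bytes_seen": int, "missing": [(start, end_or_None), ...]}}.
    A missing range ending in None means the final (MF=0) fragment never arrived, so the
    true datagram length is unknown; the receiver would hold the partial set until its
    reassembly timer expires and then discard it.
    """
    groups = {}
    for f in frags:
        groups.setdefault((f.src, f.dst, f.ident, f.proto), []).append(f)

    report = {}
    for key, parts in groups.items():
        parts = sorted(parts, key=lambda f: f.offset)
        expected, missing, last_seen = 0, [], False
        for p in parts:
            if p.offset > expected:               # gap before this fragment
                missing.append((expected, p.offset))
            expected = max(expected, p.offset + p.payload_len)
            if not p.more_fragments:
                last_seen = True
        if not last_seen:
            missing.append((expected, None))      # tail of the datagram never seen
        report[key] = {"complete": not missing, "bytes_seen": expected, "missing": missing}
    return report


def drop_non_initial(frags):
    """Model a hop that forwards only fragments with offset 0 (those carrying the UDP header)."""
    return [f for f in frags if f.offset == 0]


if __name__ == "__main__":
    # Constructed sample: a 1854-byte UDP datagram (RADIUS Access-Request with several
    # EAP-Message attributes) leaving a switch whose uplink MTU is 1500.
    sent = fragment_datagram(total_payload=1854, mtu=1500, ident=0x1234)
    for f in sent:
        print(f"offset={f.offset:5d} len={f.payload_len:5d} MF={f.more_fragments}")

    print("at sender:", reassembly_status(sent))
    print("after a hop dropping non-initial fragments:",
          reassembly_status(drop_non_initial(sent)))
```

Comparing `reassembly_status` over the fragments captured on each side of a hop (for example, the SPAN sessions on the two access switches mentioned above) pinpoints the device that loses a fragment, and the `missing` ranges tell you whether it is the first fragment (the only one with L4 ports) or a later one that disappears.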

3 Replies

hslai
Cisco Employee

MHM Cisco World is correct that changing the interface MTU in ISE may likely help. CSCuu13045 ISE Enhancement support for Jumbo Frames is added in ISE 3.1. If using an older ISE release, please make sure the network infrastructure is able to negotiate the MTU correctly.

Thanks for the response. I am running version 3.1. I'm not sure if it's normal or how to work around it, but changing the MTU on the ISE interface to, for example, 9000 kicks me out of the web GUI (permanently or until reload) and does not help with authentication. Upon reload the interface MTU value defaults back to 1500.