03-09-2022 11:15 AM
Hello, I am having an issue getting EAP-TLS running in my environment. Basic rundown: Windows 10 with AnyConnect NAM, to 3850, to 4500, to 3850, to ISE running as a VM on ESXI. Certificates are all good according to NAM logs. The ISE policy set I'm using is super basic and fails at step 1 (authentication). Timeout is set to 90 seconds on the NAM and the switchport. So the basics are all there.
I'm getting error 5440 - Endpoint abandoned EAP session and started new. What I'm seeing in packet captures is this: the client validates the server (server hello done) and then replies (from the client to the authenticator switch) with a 1514-byte response. The authenticator then sends this off as a 1418-byte fragmented IP packet + a 504-byte access-request. This pair of packets makes it to the core switch and then to the final access layer switch (a SPAN on access switch #2 shows them both coming in). From here the switch drops the 504-byte access-request and only forwards the 1418-byte fragment, so I suppose the ISE is not given the proper signal to reply with further access-challenges. The fragmented portion does say there are more fragments to be sent, and the original 1514-byte client response says the entire payload (EAP-TLS length) will be 5698 bytes. So the first switch tries again every 5 seconds until timeout.
Any ideas? I've read plenty on fragments being dropped by firewalls etc, but nothing for when the fragment makes it but the TLS portion is dropped. Also, I can't "see" any dropped packets at all on the switch that's losing those packets. There isn't congestion on the interface.
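A defender-side check for the symptom described in this post, added here as an example and not taken from the thread: it parses IPv4 headers from captured packets, groups fragments by (src, dst, IP ID, protocol) and reports datagrams whose fragments did not all arrive, which is what the RADIUS server sees when a switch forwards the first fragment but not the tail. The sample packets are constructed to roughly mirror the post's 1418-byte and 504-byte frames (1384- and 470-byte IP payloads); the addresses and IP ID are assumed.

```python
import struct
from collections import defaultdict


def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the IPv4 fields needed for fragment bookkeeping."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (pkt[12:16], pkt[16:20], ident, proto),
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,      # offset is in 8-byte units
        "payload_len": total_len - ihl,
    }


def find_incomplete_datagrams(packets):
    """Return {key: [missing byte ranges]} for fragmented datagrams that cannot be reassembled."""
    frags = defaultdict(list)
    for pkt in packets:
        h = parse_ipv4_header(pkt)
        if h["mf"] or h["offset"]:               # only fragmented datagrams
            frags[h["key"]].append(h)
    incomplete = {}
    for key, parts in frags.items():
        parts.sort(key=lambda h: h["offset"])
        expected, gaps = 0, []
        for h in parts:
            if h["offset"] > expected:           # hole before this fragment
                gaps.append((expected, h["offset"]))
            expected = max(expected, h["offset"] + h["payload_len"])
        if parts[-1]["mf"]:                       # tail fragment never arrived
            gaps.append((expected, None))
        if gaps:
            incomplete[key] = gaps
    return incomplete


def build_fragment(ident, offset, payload_len, more):
    """Constructed minimal IPv4/UDP fragment with a zeroed payload (test data only)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + bytes(payload_len)


# Constructed stand-in for the capture: first fragment (MF set) then the tail (MF clear).
FULL_PAIR = [build_fragment(0x1234, 0, 1384, True), build_fragment(0x1234, 1384, 470, False)]
ONLY_FIRST = FULL_PAIR[:1]                        # what the last switch forwarded on
```

Running this over the frames captured on both sides of the access switch would show the datagram as complete on the ingress SPAN and as missing its tail on the egress side.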
03-09-2022 03:03 PM
03-10-2022 08:49 PM
MHM Cisco World is correct that changing the interface MTU in ISE may likely help. CSCuu13045 (ISE enhancement: support for Jumbo Frames) is added in ISE 3.1. If using an older ISE release, please make sure the network infrastructure is able to negotiate the MTU correctly.
03-22-2022 08:03 AM
Thanks for the response. I am running version 3.1. I'm not sure if it's normal or how to work around it, but changing the MTU on the ISE interface to, for example, 9000 kicks me out of the web GUI (permanently, or until reload) and does not help with authentication. Upon reload the interface MTU value defaults back to 1500.