
Having a spike of 15039* failures

SMcMillan50674
Level 1

Hello,

 

I'm new to ISE (2.4) and the location I just recently joined has a lot of users in different sections that can't access the internet, with each one showing the 15039 failure error. I found the troubleshooting guide and have looked at other questions, but I don't understand how to work my way to a fix action.

 

Also, in ISE some users still have an IP address which is now unreachable, but every user affected can't pull a DHCP address, and I verified the scope was not full.

Here's an example of a working user's port 

 

sh authentication sessions int gi 1/0/1

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/1 09e3 dot1x DATA Auth 832E013A0000005110F95D9A
Gi1/0/1 6fa0 mab VOICE Auth 832E013A0000001200021FFB

Runnable methods list:
Handle Priority Name
9 5 dot1x
20 10 mab
18 15 webauth

 

Any help would be greatly appreciated. 

1 Accepted Solution


SMcMillan50674
Level 1

I'm not sure what helped the issue, but endpoints are now pulling IP addresses, although there are still a handful with the same issue, so this may not have been an ISE issue.


6 Replies

Hi @SMcMillan50674

First of all, please double check if the Failure Reason is 15039 and not 15309.

At Administration > System > Logging > Message Catalog > filter the Message Code with your Failure Reason.

The Message Text and Message Description have a brief of the failure.

For example: 15039 is a Rejected per Authorization Profile; in other words, you should double check your Policy at Policy > Policy Sets and double check your Authorization Policy configuration.

 

Hope this helps!!!

Thanks again for assisting Marcelo,

 

I noticed at this site everything runs through the default policy and then multiple Authorization policies. As I cram documents and videos I noticed no one else does this, so could this be an issue or simply not best practice?

Generally, fine to keep things simple in the default policy when you start.

At some point you may want to split out authorizations into different policy sets for both administrative simplicity and performance. This could be done by Device Type (wired / wireless / VPN) or Location (regions or countries) or other conditions you choose. It depends on what you want to do...

thomas
Cisco Employee
15039 | RADIUS | Rejected per authorization profile | Selected Authorization Profile contains ACCESS_REJECT attribute

Exactly as Marcelo said... what is your policy such that people or things are suddenly failing your policy? Looks like ISE is doing its job.

You can find this list of errors in the Log Messages Reference and in ISE @ Administration > System > Logging > Message Catalog

SMcMillan50674
Level 1

I see we are just using the default policy set, and looking at the attributes I still can't tell why some users are getting rejected, but I will check the logs first thing.
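
One way to work through the logs for this failure, as an added example that is not part of the original thread: group 15039 rejections by the authorization rule and profile that produced them, so it is clear which rule to review under Policy > Policy Sets. The log lines are constructed, and the comma-separated key=value layout and attribute names are assumptions about how the failed-attempt records are exported.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not from the thread). Layout and attribute
# names are assumptions about the exported failed-attempt log format.
SAMPLE_LOG = """\
Failed-Attempt: Authentication failed, UserName=jdoe, NetworkDeviceName=SW-A, NAS-Port-Id=GigabitEthernet1/0/7, Calling-Station-ID=00-00-5E-00-53-01, FailureReason=15039 Rejected per authorization profile, SelectedAuthorizationProfiles=DenyAccess, AuthorizationPolicyMatchedRule=Default
Failed-Attempt: Authentication failed, UserName=asmith, NetworkDeviceName=SW-B, NAS-Port-Id=GigabitEthernet1/0/3, Calling-Station-ID=00-00-5E-00-53-02, FailureReason=15039 Rejected per authorization profile, SelectedAuthorizationProfiles=DenyAccess, AuthorizationPolicyMatchedRule=Default
Failed-Attempt: Authentication failed, UserName=vendor1, NetworkDeviceName=SW-A, NAS-Port-Id=GigabitEthernet1/0/9, Calling-Station-ID=00-00-5E-00-53-03, FailureReason=15039 Rejected per authorization profile, SelectedAuthorizationProfiles=DenyAccess, AuthorizationPolicyMatchedRule=Contractors
Failed-Attempt: Authentication failed, UserName=ghost, NetworkDeviceName=SW-B, NAS-Port-Id=GigabitEthernet1/0/4, Calling-Station-ID=00-00-5E-00-53-04, FailureReason=22056 Subject not found in the applicable identity store(s)
"""

def parse_line(line):
    """Split one record into a dict of attribute -> value."""
    fields = {}
    for part in line.split(", "):
        key, sep, value = part.partition("=")
        if sep:  # skip fragments without '=', such as the leading message text
            fields[key.strip()] = value.strip()
    return fields

def failure_code(fields):
    """Return the numeric failure code as a string, or None if absent."""
    match = re.match(r"(\d+)", fields.get("FailureReason", ""))
    return match.group(1) if match else None

def summarize_rejects(log_text, code="15039"):
    """Count failures with `code` per (matched rule, profile) and list endpoints."""
    by_rule = Counter()
    endpoints = defaultdict(set)
    other_codes = Counter()  # failures that are not policy rejects
    for line in log_text.splitlines():
        fields = parse_line(line)
        found = failure_code(fields)
        if found is None:
            continue
        if found != code:
            other_codes[found] += 1
            continue
        key = (fields.get("AuthorizationPolicyMatchedRule", "?"),
               fields.get("SelectedAuthorizationProfiles", "?"))
        by_rule[key] += 1
        endpoints[key].add(fields.get("Calling-Station-ID", "?"))
    return by_rule, endpoints, other_codes

if __name__ == "__main__":
    rules, macs, others = summarize_rejects(SAMPLE_LOG)
    for (rule, profile), count in rules.most_common():
        print(f"{count} rejects: rule={rule} profile={profile} endpoints={sorted(macs[(rule, profile)])}")
    print("other failure codes:", dict(others))
```

A rule that accounts for most of the rejects, especially a catch-all rule, is the first one to compare against the attributes of the affected endpoints.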
