Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1103
Views
0
Helpful
6
Replies

Hi, I am presenting the following concern with Cisco ISE 2.7:

Rodrigo Infanta
Level 1
Level 1

‎06-09-2022 07:01 AM

Hi, I am presenting the following concern with Cisco ISE 2.7:

 

Some time ago we configured the maximum session limit in ISE to 3, in addition to this we configured the timeout of the profile associated with the ssid in the wlc (Configuration Tags & Profiles Policyà Advanced) with a time of 60 seconds, however at the time of disconnecting one of the devices from the Wifi network 60 seconds pass for the wlc to throw it as in ise, If you try to connect the same or another new device to the Wi-Fi network, the system indicates that the maximum session limit has been reached:

 

22098 New user session not allowed. The maximum limit of user sessions in the group has been reached

 

When I check the ISE live session if it is observed that the session ends, however, I cannot reconnect another device.

 

With this I understand that regardless of ISE indicating that I end the session this is not cleaned.

 

Only after increasing the MAX-SESSIONS number, authentication is successful.

 

Why does this happen?

 

Do old sessions get "stuck" in ISE or like ghosts and can't be released?

 

Shouldn't they be automatically released after the connection to the WLC is terminated?

 

Can't ISE recognize that the WLC is idle and delete obsolete sessions to re-authenticate?

 

Is there a default time defined in ISE that cleans up old and obsolete sessions? If so, can that time be modified?

 

Thank you!

0 Helpful
6 Replies 6

ahollifield
VIP
VIP

‎06-09-2022 08:07 AM

Is accounting is enabled on the WLC?

0 Helpful

Rodrigo Infanta
Level 1
Level 1
In response to ahollifield

‎06-09-2022 08:18 AM

yes, it is enabled.

Everything works normally until we limit the sessions on ISE.

0 Helpful

Arne Bier
VIP
VIP

‎06-09-2022 01:47 PM

@rin - do you actually see the WLC's RADIUS accounting Start and Stop requests in the ISE Operations Report? As Adam said, Accounting is crucial to the ISE session management - and as long as the WLC is sending the correct data then there should be no confusion in ISE. Of course there is always the possibility of a bug. I recently had an incident on a Cisco AireOS WLC controller where the RADIUS shared secret for the RADIUS Accounting was misconfigured (In the Security settings). You could see the errors on the WLC Alarm page too. I fixed that easily enough. Also ensure that Accounting is enabled under the WLAN Profile etc. 

 

Do you have any Queue Link Errors in your ISE? I don't know if this might be related, but if the communications between PSNs and MNT is not healthy then perhaps there is some inconsistency. If you have those errors (in Alarm panel, constantly) then regenerate the ISE Messaging Service certificate (under "Create Signing Request").

 

What patch of ISE 2.7?

0 Helpful

Rodrigo Infanta
Level 1
Level 1
In response to Arne Bier

‎06-09-2022 02:46 PM - edited ‎06-09-2022 02:50 PM

Hi Arne Bier

Yes, I can ensure that sessions start and end on ISE.

Session Terminated.PNG

If I have a doubt based on the communications between PSNs and MNT since searching I found the following

a. Sessions without accounting start (Authenticated) removed after 60 minutes,

b. Sessions with accounting stop (Terminated) removed after 15 minutes

c. Sessions in ‘Started’ state (MNT got accounting start) removed after 120 hours without Interim update.

 

Session ISE_2.jpg

 

Captura ISE.PNG

0 Helpful

Arne Bier
VIP
VIP

‎06-09-2022 04:27 PM

Strange. I have never implemented session limits to know if what you're experiencing is normal. I would have hoped that if ISE gets the Acct Start and Stop, then it would consider that a clean session termination. And then the next time that endpoint comes along, ISE should not have any prior knowledge about session limits.

I always enable interim accounting but in fairness, you can't rely on that to be sent in such a short span of time - e.g. if sessions terminate 60 seconds after a start, then it's unlikely that your interim acc updates would have been sent (based on the recommended 48 hours interval for interims). If you have Device Sensor enabled, then expect interims quite soon after Authentication because that is how Device Sensor talks to ISE. Perhaps that I also why I have never run into this issue.

 

I just tried in ISE 3.0 patch 5 and I can reproduce your issue - I set max user limit to 1 and then just did a re-auth.  I was greeted with the error that I had reached my maximum.  I don't think that's normal. Live Sessions says that both my endpoints are "Terminated"

 

I would open a TAC case. 

0 Helpful

Rodrigo Infanta
Level 1
Level 1
In response to Arne Bier

‎06-10-2022 07:21 AM

Thank you, last night we were working with a Cisco TAC engineer, however we did not obtain the expected results, until now there is no response to this behavior of ISE.

 

I thank you for reproducing our current scenario as it is very helpful. Until now we had not had that opportunity.

 

 

0 Helpful
Customers Also Viewed These Support Documents