How to force terminated dead radius live sessions on ISE 2.6

jefferyshi
Level 1

Hello All,

Recently I found there are lots of VPN AnyConnect users who authenticated last year but are halted in ISE live sessions, occupying more base licenses.

Actually, the users had dropped on the ASA devices, but I still see active live sessions on ISE.


I tried "session termination", but it did not work.

ISE sent out a CoA disconnect request and got "5417 Dynamic Authorization failed".

Checked on the ASA; the log shows it cannot find the session, because the session had dropped a long time ago.

%ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.


The problem is that all of these last year's sessions actually do not exist on the ASA. We want to terminate these unused live sessions on ISE, but ISE sends a CoA to the ASA to request termination, and no session is found there, which causes the termination to fail.

We have to terminate these sessions because they occupy lots of base licenses.

Is there any other way to force-terminate these RADIUS live sessions on ISE (version 2.6) to release base licenses?

Thank you very much for your help and discussion!


thanks

Jeffery


Do you have RADIUS Accounting enabled on the ASA? I'm not sure of a way to forcibly delete these (other than deleting the endpoint from context visibility, maybe?). What patch of 2.6 are you on?

Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2503911.html

Rodrigo Diaz
Cisco Employee

Please review, through a capture between the ASA and the PSN, whether there are RADIUS accounting stop packets; these packets should be exchanged between ISE and all the NADs to finish up sessions. Another idea is to review whether you are on the latest patch, to make sure you are not running into a known bug.

Let me know if that helped.

Hello Rodrigo,

Checked the VPN configuration on the ASA5500; it was missing the accounting group. I have just added it. That could avoid session halts next time. Thank you so much.

But I still cannot terminate these old live sessions on ISE.

Mar 08 2023 23:06:33: %ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.
Mar 08 2023 23:06:37: %ASA-4-109102: Received CoA Update from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.

Any suggestion how to force-clean these old live sessions on ISE to release base licenses?

tunnel-group SSLVPN_outsourcing general-attributes
 address-pool anyconnect_clients
 authentication-server-group ISERadius
 accounting-server-group ISERadius    <---- missed the accounting group; just added it.
 default-group-policy SSLVPN_Policy_outsourcing

ISE version is 2.6.0.156, no patch installed.

Really need to terminate these old live sessions on ISE to free base licenses.

Really appreciate your help!

Have a good day!

Jeffery
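As an added example (not code from this thread or from Cisco), a small Python check for the two conditions discussed above: tunnel-groups whose general-attributes lack accounting-server-group, and the %ASA-4-109102 CoA failures that reveal session IDs ISE still holds but the ASA does not. The config fragment, the second tunnel-group name and the syslog lines are constructed sample data.

```python
import re

# Constructed ASA config fragment modelled on the thread's tunnel-group:
# the first group lacks accounting-server-group, the second has it.
SAMPLE_CONFIG = """\
tunnel-group SSLVPN_outsourcing general-attributes
 address-pool anyconnect_clients
 authentication-server-group ISERadius
tunnel-group SSLVPN_staff general-attributes
 address-pool anyconnect_clients
 authentication-server-group ISERadius
 accounting-server-group ISERadius
"""

# Constructed syslog lines in the %ASA-4-109102 format quoted in the thread.
SAMPLE_SYSLOG = """\
Mar 08 2023 23:06:33: %ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.
Mar 08 2023 23:06:37: %ASA-4-109102: Received CoA Update from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.
Mar 08 2023 23:07:01: %ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac17120a127b6000deadbeef.
"""

GROUP_RE = re.compile(r"^tunnel-group (\S+) general-attributes")
COA_FAIL_RE = re.compile(
    r"%ASA-4-109102: Received CoA (\w+) from (\S+), but cannot find named session (\w+)")


def tunnel_groups_without_accounting(config):
    """Names of tunnel-groups that authenticate against a RADIUS group but send no
    accounting: ISE never gets an Accounting-Stop, so the session stays live."""
    missing, name, has_auth, has_acct = [], None, False, False
    # A sentinel header at the end flushes the last real group.
    for line in config.splitlines() + ["tunnel-group _END_ general-attributes"]:
        m = GROUP_RE.match(line)
        if m:
            if name and has_auth and not has_acct:
                missing.append(name)
            name, has_auth, has_acct = m.group(1), False, False
            continue
        field = line.strip().split(" ")[0]
        has_auth |= field == "authentication-server-group"
        has_acct |= field == "accounting-server-group"
    return missing


def stale_coa_sessions(syslog):
    """Count 109102 CoA failures per session ID: each ID is a session ISE still
    lists as live but the ASA no longer has, i.e. a candidate for MNT cleanup."""
    counts = {}
    for line in syslog.splitlines():
        m = COA_FAIL_RE.search(line)
        if m:
            counts[m.group(3)] = counts.get(m.group(3), 0) + 1
    return counts
```

Run it against `show running-config tunnel-group` output and the ASA syslog to get the list of groups to fix and the session IDs that will never clear via CoA.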


You should install the latest patch, tons of vulnerabilities and bugs in unpatched ISE 2.6. Also you should plan an upgrade to 3.1 or 3.2 since 2.6 has an EOL announced.

jefferyshi
Level 1

Thanks, Ahollifield

I see the current latest patch is 2.6.0.156-Patch12. We can schedule to install this patch. Will consider upgrading to 3.x in the future, but not now.

I want to clean up the lots of dead live sessions which don't exist on the ASA5500 anymore.

Actually, the normal number of online live sessions is under 50, but now it exceeds 200 base licenses, and we got a license alarm.

We shut down and restarted ISE, but still see the dead live sessions.

If we install the latest 2.6.0.156-Patch12, will it help disconnect these sessions?

Thank You

Jeffery


Maybe, maybe not. But I wouldn't bother spending any more time troubleshooting until you install the latest patch.

Hi @jefferyshi, the session information of authentications on ISE is stored within the MNT. What you might try for now is to reboot both of your MNT nodes to see if the licensing consumption number decreases; however, as has been said here, it's recommended that you move to one of the newest versions of ISE.

Let me know if that helped you.

Hello Rodrigo,

We have 2 nodes, primary and backup. Do we need to reload both at the same time? Both have monitoring enabled.

I also see some stuck live sessions in "Started" status.

Probably due to a network connection issue losing the accounting packets; it could happen.

I don't understand why ISE doesn't clear stuck live sessions even after more than 1 year.

I see the CLI command has a "Reset M&T Session Database" option. Will this help clean up RADIUS live sessions?

hk4ise01/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database         <----------
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics

Thank you very much!

Jeffery

Yes, you can try application configure ise option 1. Take into account that this command does restart some of the services within the box; you need to run it first on the primary MNT and next on the secondary MNT. In case you don't see any major changes in your behavior, you might reload the 2 servers, pMNT and then sMNT.

Please rate and let me know if that helped you. 

Cheers.

Hello Rodrigo,

After Reset M&T Session Database on the pMNT, the stuck live sessions were cleaned up.

Thank You

Jeffery