03-08-2023 08:21 AM
Hello All,
Recently I found there are lots of AnyConnect VPN users who authenticated last year but are still halted in ISE live sessions, and they occupy more base licenses.
Actually, the users had dropped on the ASA devices, but I still see active live sessions on ISE.
I tried "session termination", but it does not work.
ISE sends out a CoA disconnect request and gets "5417 Dynamic Authorization failed".
Checked on the ASA, I see in the log that it cannot find the session, because the session was dropped a long time ago.
%ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.
The problem is that all of these last year's sessions actually do not exist on the ASA. We want to terminate these unused live sessions on ISE, but ISE sends a CoA to the ASA to request termination, and no session is found, which causes the termination to fail.
We have to terminate these sessions because they occupy lots of base licenses.
Is there any other way to force-terminate these RADIUS live sessions on ISE (version 2.6) to release base licenses?
Thank you very much for your help and discussion!
thanks
Jeffery
03-08-2023 10:30 AM
Do you have RADIUS Accounting enabled on the ASA? I'm not sure of a way to forcibly delete these (other than deleting the endpoint from Context Visibility, maybe?). What patch of 2.6 are you on?
03-08-2023 11:28 AM
Please review, through a capture between the ASA and the PSN, whether there are RADIUS accounting stop packets; these packets should be exchanged between ISE and all the NADs to finish up sessions. Another idea is to review whether you are on the latest patch, to make sure you are not running into a known bug.
Let me know if that helped.
03-08-2023 03:54 PM
Hello Rodrigo,
I checked the VPN configuration on the ASA5500; it was missing the accounting group. I have just added it. That should avoid sessions halting next time. Thank you so much.
But I still cannot terminate these old live sessions on ISE.
Mar 08 2023 23:06:33: %ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.
Mar 08 2023 23:06:37: %ASA-4-109102: Received CoA Update from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.
Any suggestion on how to force-clean these old live sessions on ISE to release base licenses?
tunnel-group SSLVPN_outsourcing general-attributes
 address-pool anyconnect_clients
 authentication-server-group ISERadius
 accounting-server-group ISERadius      <---- the accounting group was missing; just added it
 default-group-policy SSLVPN_Policy_outsourcing
ISE version is 2.6.0.156, no patch installed.
We really need to terminate these old live sessions on ISE to free base licenses.
Really appreciate your help!
Have a good day!
Jeffery
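The two checks the thread converges on can be scripted. Below is an added example (not code from the original thread or from Cisco): it scans ASA syslog for the %ASA-4-109102 message quoted above, collecting the ISE session IDs the ASA no longer knows (each one is a stale live session on the MnT side), and it parses tunnel-group stanzas from an ASA running-config to flag groups that authenticate against RADIUS but have no accounting-server-group, which is the misconfiguration that produced the stuck sessions. The sample log lines and config text are constructed for the example; the second session ID and the SSLVPN_staff tunnel-group are hypothetical.

```python
"""Triage helpers for ISE live sessions that an ASA has already torn down.

Added example; not from the original thread. Sample inputs are constructed
to match the formats posted in the thread.
"""
import re

# %ASA-4-109102 as quoted in the thread: ISE sent a CoA for a session the ASA cannot find.
COA_NOT_FOUND = re.compile(
    r"%ASA-4-109102: Received CoA (?P<kind>Disconnect|Update) from (?P<coa_src>[\d.]+), "
    r"but cannot find named session (?P<session_id>[0-9a-fA-F]+)"
)

# 'tunnel-group <name> general-attributes' opens the stanza that carries the AAA server groups.
TUNNEL_GROUP_ATTRS = re.compile(r"^tunnel-group (\S+) general-attributes\s*$")


def find_orphaned_coa(log_lines):
    """Map each unknown ISE session ID to the CoA source, the CoA kinds seen
    (Disconnect/Update) and how many times the ASA rejected it.

    Every ID returned here is still a live session on ISE, so this list is
    what you would expect to disappear after the MnT session database is reset.
    """
    orphans = {}
    for line in log_lines:
        m = COA_NOT_FOUND.search(line)
        if not m:
            continue
        entry = orphans.setdefault(
            m["session_id"], {"coa_src": m["coa_src"], "kinds": set(), "count": 0}
        )
        entry["kinds"].add(m["kind"])
        entry["count"] += 1
    return orphans


def tunnel_groups_without_accounting(config_text):
    """Return tunnel-group names that set authentication-server-group but no
    accounting-server-group. Without accounting, the ASA never sends an
    Accounting-Stop, so ISE keeps the session alive after the user drops.
    """
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = TUNNEL_GROUP_ATTRS.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip().split()[0])  # keep the sub-command keyword only
        elif line:
            current = None  # any other top-level command ends the stanza
    return sorted(
        name for name, cmds in stanzas.items()
        if "authentication-server-group" in cmds and "accounting-server-group" not in cmds
    )


# Constructed sample syslog: two lines are the ones posted in the thread, the
# 113039 line is unrelated noise, and the last session ID is hypothetical.
SAMPLE_SYSLOG = [
    "Mar 08 2023 23:06:33: %ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.",
    "Mar 08 2023 23:06:37: %ASA-4-109102: Received CoA Update from 172.20.1.156, but cannot find named session ac17120a127b600061caa8fb.",
    "Mar 08 2023 23:07:02: %ASA-6-113039: Group <SSLVPN_Policy_outsourcing> User <jdoe> IP <203.0.113.10> AnyConnect parent session started.",
    "Mar 08 2023 23:09:11: %ASA-4-109102: Received CoA Disconnect from 172.20.1.156, but cannot find named session ac1712010000000063f0a1b2.",
]

# Constructed sample config: the first stanza is the one from the thread before the
# fix; SSLVPN_staff is a hypothetical group that already has accounting configured.
SAMPLE_CONFIG = """\
tunnel-group SSLVPN_outsourcing general-attributes
 address-pool anyconnect_clients
 authentication-server-group ISERadius
 default-group-policy SSLVPN_Policy_outsourcing
tunnel-group SSLVPN_staff general-attributes
 address-pool anyconnect_clients
 authentication-server-group ISERadius
 accounting-server-group ISERadius
 default-group-policy SSLVPN_Policy_staff
"""

if __name__ == "__main__":
    for sid, info in find_orphaned_coa(SAMPLE_SYSLOG).items():
        print(f"stale on ISE: session {sid} (CoA from {info['coa_src']}, "
              f"{sorted(info['kinds'])} x{info['count']})")
    for name in tunnel_groups_without_accounting(SAMPLE_CONFIG):
        print(f"tunnel-group {name}: no accounting-server-group, add one")
```

Feed `find_orphaned_coa` the ASA syslog after clicking "session termination" for a few stuck sessions in ISE Live Sessions; every ID it reports is one the ASA has already dropped, which is exactly the case where a CoA can never succeed and only an MnT-side cleanup helps.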
03-08-2023 04:32 PM
03-09-2023 06:55 AM
Thanks, Ahollifield
I see the current latest patch is 2.6.0.156-Patch12. We can schedule to install this patch. We will consider upgrading to 3.x in the future, but not now.
I want to clean up the lots of dead live sessions which don't exist on the ASA5500 anymore.
Actually, the number of normal online live sessions is under 50, but we now exceed 200 base licenses and got a license alarm.
We shut down and restarted ISE, but still see the dead live sessions.
If we install the latest 2.6.0.156-Patch12, will that help disconnect these sessions?
Thank You
Jeffery
03-09-2023 07:22 AM
03-09-2023 08:41 AM
Hi @jefferyshi, the session information for authentications on ISE is stored within the MnT. What you might try for now is to reboot both of your MnT nodes to see if the licensing consumption number decreases; however, as has been said here, it is recommended that you go towards one of the newest versions of ISE.
Let me know if that helped you.
03-10-2023 02:45 AM
Hello Rodrigo,
We have 2 nodes, primary and backup. Do we need to reload both at the same time? Both have monitoring enabled.
I also see some stuck live sessions in "Started" status,
probably due to a network connection issue losing the accounting packets; it could happen.
I don't understand why ISE doesn't clear stuck live sessions even after more than 1 year.
I see the CLI command has a "Reset M&T Session Database" option; can this help clean up the RADIUS live sessions?
hk4ise01/admin# application configure ise
Selection configuration option
[1]Reset M&T Session Database <----------
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
Thank you very much!
Jeffery
03-10-2023 06:00 AM
Yes, you can try application configure ise option 1. Take into account that this command restarts some of the services within the box; you need to run it first on the primary MnT and next on the secondary MnT. In case you don't see any major change in your behavior, you might reload the 2 servers, pMNT and then sMNT.
Please rate and let me know if that helped you.
Cheers.
03-10-2023 07:17 PM - edited 03-11-2023 07:40 AM
Hello Rodrigo,
After Reset M&T Session Database on the pMNT, the stuck live sessions were cleaned up.
Thank You
Jeffery
03-12-2023 09:47 AM
@jefferyshi For your future reference, you may also use the ISE Monitoring REST API: Using API calls for Session Management / Stale Sessions.