
Hung CTS PAC provisioning job

Mike.Cifelli
VIP Alumni

I have a couple of Cat 9300 UXM switches in my SDA fabric that continue to attempt to reach out to ISE for PAC provisioning. The devices have a valid PAC that is not expired. It seems that they have a hung provisioning job. What is the best way of killing the hung session without blowing away the actual PAC in use? I would prefer an easier way and would love to avoid having to remove it from fabric and re-add it.

In the ISE RADIUS live logs I see:

5405 RADIUS Request dropped
AAA:service-type=cts-pac-provisioning

On the devices I see:
#sh cts provisioning
A-ID: Unknown
Server XXXXX, using shared secret
Req-ID 1c6b002a: callback func 0xffef5a6ba8, context (nil)

#sh cts pacs returns a valid PAC and shows everything is good.

The hosts' 802.1X sessions and everything seem to be fine. However, every couple of minutes the live logs get flooded with the attempts/drops. My other fabric switches show no outstanding provisioning jobs. The two devices in question were rebooted over the weekend.

Accepted Solutions

We had some interesting issues with 3850s and RADIUS/PAC processes when running 3.7. Some of them have been fixed with a simple enter and exit of the "aaa group server radius <name>".

Out of curiosity, what version of software is this on?


3 Replies

Mike.Cifelli
VIP Alumni
Update: A reload of the device seemed to have terminated the hung provisioning job. If anyone knows of any other ways please advise.

16.9.2 Fuji. Thanks for the info on the removal of the RADIUS group as another way to resolve the issue.