10-07-2013 08:25 AM - edited 03-10-2019 08:58 PM
Hi forum,
We have an ISE deployment that we are lab testing.
This is running v1.2.0.899 with Patch 2 installed.
We have an authC policy configured for domain-joined computers for 802.1x and domain credentials:
Condition: Wired_802.1X
Allow Protocols: PEAP_CHAPv2
Use: AD
This works, and authenticates both the machine (pre-login) and user (post-login).
However, I am seeing some errors in the Auth logs before the 5200 Authentication succeeded message.
These messages are not shown in the Cisco ISE Log Messages spreadsheet!
5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.
5405 RADIUS Request dropped
5440 Endpoint abandoned EAP session and started new
Has anybody else experienced this or can explain why I am seeing this behaviour?
All helpful responses rated!
Thanks Ash.
10-08-2013 01:17 AM
Hi
• Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
• Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.
• Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
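The checks listed in the reply above can be run against a saved running-config and a list of DACL names. This is an added example, not part of the original reply and not Cisco code; the sample config, the DACL names and the function names are constructed for illustration.

```python
import re

# The five switch commands listed in the reply above.
REQUIRED = [
    "radius-server attribute 6 on-for-login-auth",
    "radius-server attribute 8 include-in-access-req",
    "radius-server attribute 25 access-request include",
    "radius-server vsa send accounting",
    "radius-server vsa send authentication",
]

def normalize(line):
    """Collapse runs of whitespace so spacing differences do not matter."""
    return " ".join(line.split())

def missing_commands(running_config):
    """Return the required commands absent from a saved running-config.

    Whole-line matching means a negated 'no radius-server ...' line
    does not count as the command being present.
    """
    present = {normalize(line) for line in running_config.splitlines()}
    return [cmd for cmd in REQUIRED if cmd not in present]

def dacl_names_with_spaces(names):
    """Return DACL names containing any whitespace (e.g. around a hyphen)."""
    return [name for name in names if re.search(r"\s", name)]

# Constructed sample input: one command negated, one absent.
SAMPLE_CONFIG = """\
aaa new-model
radius-server attribute 6 on-for-login-auth
radius-server  attribute 8 include-in-access-req
no radius-server attribute 25 access-request include
radius-server vsa send accounting
"""
# Constructed DACL names as they might be typed in ISE.
SAMPLE_DACLS = ["PERMIT_ALL_TRAFFIC", "Employee - Wired", "Guest-Redirect"]

if __name__ == "__main__":
    for cmd in missing_commands(SAMPLE_CONFIG):
        print("missing on switch:", cmd)
    for name in dacl_names_with_spaces(SAMPLE_DACLS):
        print("DACL name contains a space:", repr(name))
```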
03-17-2015 06:21 AM
Hello,
We have the same problem with 1.3.
"5440 Endpoint abandoned EAP session and started new"
We have 3 active directories:
- 2 on the same LAN: OK (wireless and wired connection)
- 1 behind two firewalls: problem (only for wireless)
We set WLC EAP timers to:
config advanced eap identity-request-retries 20
config advanced eap request-retries 20
config advanced eap eapol-key-timeout 5000
config advanced eap eapol-key-retries 4
But it seems that AD3 doesn't have time to reply...
If someone has an idea, he is welcome :)
Thanks,
11-24-2015 06:24 AM
Hi all,
anyone solved it? I have a similar issue with ISE 1.4
I am trying to deploy EAP_chaining with user and machine certificate. (AnyConnect 3.1.11004)
If the user has the certificate all is working fine, but if the user does not have it, I can see "Endpoint abandoned EAP session and started new....."
thanks.
01-26-2016 10:33 AM
Hello, just to say that in ISE version 1.3.0.876 it's not resolved yet; I am having the same problems
5440 Endpoint abandoned EAP session and started new
I have 200 endpoints working well and suddenly the PSN stopped accepting more endpoints; my limit per PSN is 2500.
So I am using W8.1 machines behind 7940/7960 IP phones
So I am going nuts!
10-08-2013 01:36 AM
You may want to take a look at
CSCuh86885 No event for failure reasons 5440/5441: Endpoint started a new session..
~BR
Jatin Katyal
**Do rate helpful posts**
10-09-2013 09:00 AM
This bug does not appear to be public yet.
Any ideas why?
10-09-2013 10:30 AM
This is an external defect but duplicate of
CSCui21439 message texts do not reflect 1.2 added/modified value
I'm going to paste the description/content here from the defect.
Environment:
Build: 1.2.0.891 install from iso and configured from scratch.
Deployment:
Node1: pri(A), Pri(M),PDP
Node2: Sec(A)
Node3: Sec(M)
Node4: PDP
Node5: PDP
Node4 and Node5 were placed in node group.
Procedure:
1. configured multiple nics on node4 and node5 with ip address and host alias.
2. Configured policy sets to serve requests coming for eth0 and eth1.
3. tried round-trips ( BYOD flows ) with both eth0 and eth1.
Observation:
1. Under live authentications page, admin could see events which are having below failure reasons without event details ( i.e. event column is blank )
"5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session."
"5440 Endpoint abandoned EAP session and started new"
2. But under Operations --> Reports --> Auth service status --> Radius errors report, event details are getting appeared so the problem is in reports admin could able to see event details for above failure reasons but not in live authentications page. so, there is no functional impact as admin could see event details from reports section.
~BR
Jatin Katyal
**Do rate helpful posts**
10-09-2013 10:52 AM
It's a bug which will be fixed in ISE version 1.3
No event for failure reasons 5440/5441: Endpoint started a new session..
10-10-2013 03:34 AM
So this will be fixed in the next major release of ISE (v1.3) not in the next ISE 1.2 Patch (v1.2 Patch 3)?
Many thanks, Ash.
10-10-2013 10:05 AM
It will be fixed only in ISE version 1.3