cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5562
Views
10
Helpful
1
Replies

ISE - 5440 Endpoint abandoned EAP session and started new

We have phones that are getting rejected with 802.1z eap-tls after renewing the device's certificate. the old one expired and we replace it with a new one from the same internal CA that is trusted by our ISE.  

 

All phones are not working and ISE logs showing 5440 Endpoint abandoned EAP session and started new  

I found community discussion for this showing this maybe not trusted certificate or expired in the certificate chain. 

 

but where do I see that and what to do to fix it? 

 

 

 

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

If the new client certificate were NOT to be trusted by ISE, then ISE would very clearly report that in the TLS setup error messages. In your case, this should not be happening, since you mentioned that the issuing CA has not changed (and that same CA chain is still installed in the ISE Trusted Certificates list) 

In the past, when I have seen this error, it's been a transient condition - meaning - the clients are roaming into areas of bad coverage and they fail to complete the TLS communication (and there are re-transmissions involved). Either that, or the WLC is still hanging on to cached keying material from previous sessions and this is causing confusion (e.g. CCKM, 802.11r or OKC)

I would try deleting the client session on the WLC and watching the ISE Live Logs. 

If this condition does not clear, then check whether you have perhaps changed any other settings in ISE (e.g. changed some TLS security settings perhaps?). 

You could also check whether the Layer 3 gateway (SVI) of the VLAN that ISE PSN is connected to, has MTU set to 1500 bytes. Any MTU larger than that will cause these errors as well. It can happen that a certificate transfer exceeds the MTU and ISE cannot handle MTU larger than 1500 bytes.

Failing that, run an endpoint debug for the client MAC address and see what ISE captures. It should capture the client certificate that the client is trying to present to ISE. Along with a lot of debug information - it might give you a clue.

View solution in original post

1 Reply 1

Arne Bier
VIP
VIP

If the new client certificate were NOT to be trusted by ISE, then ISE would very clearly report that in the TLS setup error messages. In your case, this should not be happening, since you mentioned that the issuing CA has not changed (and that same CA chain is still installed in the ISE Trusted Certificates list) 

In the past, when I have seen this error, it's been a transient condition - meaning - the clients are roaming into areas of bad coverage and they fail to complete the TLS communication (and there are re-transmissions involved). Either that, or the WLC is still hanging on to cached keying material from previous sessions and this is causing confusion (e.g. CCKM, 802.11r or OKC)

I would try deleting the client session on the WLC and watching the ISE Live Logs. 

If this condition does not clear, then check whether you have perhaps changed any other settings in ISE (e.g. changed some TLS security settings perhaps?). 

You could also check whether the Layer 3 gateway (SVI) of the VLAN that ISE PSN is connected to, has MTU set to 1500 bytes. Any MTU larger than that will cause these errors as well. It can happen that a certificate transfer exceeds the MTU and ISE cannot handle MTU larger than 1500 bytes.

Failing that, run an endpoint debug for the client MAC address and see what ISE captures. It should capture the client certificate that the client is trying to present to ISE. Along with a lot of debug information - it might give you a clue.