Buy or Renew
Buy or Renew
Welcome to the new Cisco Community. LEARN MORE about the updates and what is coming.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

ISE CoA not send

Go to solution
phaaring
Beginner
Beginner

‎06-19-2019 06:56 AM

Hi All,

 

We have a Cisco ISE cluster with 4 nodes and using CoA for Wireless. Thats working fine.

 

The goal is to use CoA for switchports too and configured both ISE and the switch for CoA (default port). After initiating a CoA from ISE to a specific client (switchport) we found that the CoA is never recieved by the switch.

After creating and anlysing a TCP dump on the (right) PSN we found that ISE is never sending the CoA.

 

Below a screendump from the TCP dump with a full authentication.

 

Untitled.png

Direct after this authentication the CoA is send but its not found in the trace. 

 

Any ideas?

1 person had this problem
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
phaaring
Beginner
Beginner

‎06-21-2019 01:56 AM

Problem has been solved!

 

In the TCP dump of the PAN we found intercluster CoA traffic (from PAN to PSN) on UDP 3799. This traffic was not arrived at the PSN because all intercluster traffic is firewalled. After opening UDP 3799 between all cluster nodes the PSN is sending CoA to the switch on UDP 1700.

As far as I can found in the documentation intercluster CoA traffice should be send at UDP 1700

https://www.cisco.com/c/dam/en/us/td/i/400001-500000/420001-430000/425001-426000/425863.jpg

 

So intercluster traffic on UDP 3799 is not as designed!

 

Thank you all for helping

View solution in original post

8 REPLIES 8

Go to solution
Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor

‎06-19-2019 07:47 AM

I would recommend running some debugs on the switch side.
debug aaa coa
debug aaa pod
debug radius
And see what you come up with.
Does sh run all | i vsa return:
radius-server vsa send accounting
radius-server vsa send authentication
Also, ensure you have the radius server configured as a dynamic-author so the NAD will accept CoA requests from ISE.

See this for more info: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-rad-coa.html#GUID-D59DD994-7519-44F0-84A6-A3880C09A86C

HTH!

Go to solution
ldanny
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎06-20-2019 12:45 AM

Make sure you have nothing blocking UDP/1700 (ACL ,FW ..)

Do you get a CoA error in the live logs ?

 

0 Helpful

Go to solution
phaaring
Beginner
Beginner
In response to ldanny

‎06-20-2019 12:59 AM - edited ‎06-20-2019 01:00 AM

There is one FW and one ACL on the path between ISE and the switch. But both have no blocks and permit UDP 1700.

The log on both shows also no UDP 1700 traffic.

 

Yes, we receive an error in the ISE log

 

Untitled1.png

 

0 Helpful