cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ISE CoA not send

phaaring
Beginner
Beginner

Hi All,

 

We have a Cisco ISE cluster with 4 nodes and using CoA for Wireless. Thats working fine.

 

The goal is to use CoA for switchports too and configured both ISE and the switch for CoA (default port). After initiating a CoA from ISE to a specific client (switchport) we found that the CoA is never recieved by the switch.

After creating and anlysing a TCP dump on the (right) PSN we found that ISE is never sending the CoA.

 

Below a screendump from the TCP dump with a full authentication.

 

Untitled.png

Direct after this authentication the CoA is send but its not found in the trace. 

 

Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions

phaaring
Beginner
Beginner

Problem has been solved!

 

In the TCP dump of the PAN we found intercluster CoA traffic (from PAN to PSN) on UDP 3799. This traffic was not arrived at the PSN because all intercluster traffic is firewalled. After opening UDP 3799 between all cluster nodes the PSN is sending CoA to the switch on UDP 1700.

As far as I can found in the documentation intercluster CoA traffice should be send at UDP 1700

https://www.cisco.com/c/dam/en/us/td/i/400001-500000/420001-430000/425001-426000/425863.jpg

 

So intercluster traffic on UDP 3799 is not as designed!

 

Thank you all for helping

View solution in original post

8 REPLIES 8

Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor
I would recommend running some debugs on the switch side.
debug aaa coa
debug aaa pod
debug radius
And see what you come up with.
Does sh run all | i vsa return:
radius-server vsa send accounting
radius-server vsa send authentication
Also, ensure you have the radius server configured as a dynamic-author so the NAD will accept CoA requests from ISE.

See this for more info: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-rad-coa.html#GUID-D59DD994-7519-44F0-84A6-A3880C09A86C

HTH!

Make sure you have nothing blocking UDP/1700 (ACL ,FW ..)

Do you get a CoA error in the live logs ?

 

There is one FW and one ACL on the path between ISE and the switch. But both have no blocks and permit UDP 1700.

The log on both shows also no UDP 1700 traffic.

 

Yes, we receive an error in the ISE log

 

Untitled1.png