ISE CoA not send

phaaring (Level 1)

Hi All,

We have a Cisco ISE cluster with 4 nodes and are using CoA for wireless. That's working fine.

The goal is to use CoA for switchports too, and we configured both ISE and the switch for CoA (default port). After initiating a CoA from ISE to a specific client (switchport) we found that the CoA is never received by the switch.

After creating and analysing a TCP dump on the (right) PSN we found that ISE is never sending the CoA.

Below is a screendump from the TCP dump with a full authentication.

[Image: Untitled.png]

Directly after this authentication the CoA is sent, but it's not found in the trace.

Any ideas?

Accepted Solution

phaaring (Level 1)

Problem has been solved!

In the TCP dump of the PAN we found intercluster CoA traffic (from PAN to PSN) on UDP 3799. This traffic did not arrive at the PSN because all intercluster traffic is firewalled. After opening UDP 3799 between all cluster nodes the PSN is sending CoA to the switch on UDP 1700.

As far as I can find in the documentation, intercluster CoA traffic should be sent on UDP 1700:

https://www.cisco.com/c/dam/en/us/td/i/400001-500000/420001-430000/425001-426000/425863.jpg

So intercluster traffic on UDP 3799 is not as designed!

Thank you all for helping


8 Replies

Mike.Cifelli (VIP Alumni)
I would recommend running some debugs on the switch side.
debug aaa coa
debug aaa pod
debug radius
And see what you come up with.
Does sh run all | i vsa return:
radius-server vsa send accounting
radius-server vsa send authentication
Also, ensure you have the radius server configured as a dynamic-author so the NAD will accept CoA requests from ISE.

See this for more info: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-rad-coa.html#GUID-D59DD994-7519-44F0-84A6-A3880C09A86C

HTH!

Make sure you have nothing blocking UDP/1700 (ACL, FW, ...).

Do you get a CoA error in the live logs?

 

There is one FW and one ACL on the path between ISE and the switch. But both have no blocks and permit UDP 1700.

The logs on both also show no UDP 1700 traffic.

Yes, we receive an error in the ISE log.

[Image: Untitled1.png]

 

Mike, thanks for your suggestions.

All of the suggested configurations are present. The debugs do not give any results because the packet is not sent by ISE. The TCP dump on the ISE network interface shows zero CoA packets, so it should be an ISE issue.

Run a debug on runtime-AAA to see if ISE is sending CoA.

If you still can't get resolution, please open a TAC case for further troubleshooting.


Hi,

Interesting information, thanks for sharing.

Which ISE version are you using?

Indeed, UDP 3799 is not one of the flows that need to be opened for the cluster to work (based on the documentation).

I have a scenario with load-balanced PSNs where this behaviour would be interesting.

Hello,

Even if your problem is solved, take a look here:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

(CISCO ISE Policy Service Node ports / Session):

  • RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799

Note: UDP port 3799 is not configurable.
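As an added example (not code from the thread or from Cisco), a small Python check that applies the accepted solution's diagnosis and the port reference above to tcpdump text output taken on the PAN and on the PSN: it verifies that the PAN's CoA relay on UDP 3799 actually arrives at the PSN, and that the PSN then sends the CoA-Request to the switch on UDP 1700, reporting where the chain breaks. The node addresses, the tcpdump line format and the sample captures are constructed.

```python
import re

COA_RELAY_PORT = 3799  # PAN -> PSN intercluster CoA relay (the flow the thread found firewalled)
COA_NAD_PORT = 1700    # PSN -> switch (NAD) CoA, the port the switch listens on

# tcpdump-style RADIUS line: "<ts> IP <src>.<sport> > <dst>.<dport>: RADIUS, <code> (<n>), ..."
LINE_RE = re.compile(r"^\S+ IP ([\d.]+)\.\d+ > ([\d.]+)\.(\d+): RADIUS, (CoA-Request|CoA-ACK|CoA-NAK)")

def parse_coa(capture_text):
    """Return (src, dst, dport, code) tuples for the CoA packets in tcpdump text output."""
    pkts = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # Access-Request/Accept and other non-CoA lines do not match and are skipped
            src, dst, dport, code = m.groups()
            pkts.append((src, dst, int(dport), code))
    return pkts

def coa_requests(pkts, src=None, dst=None, dport=None):
    """Filter CoA-Request packets by optional source, destination and destination port."""
    return [p for p in pkts if p[3] == "CoA-Request"
            and (src is None or p[0] == src)
            and (dst is None or p[1] == dst)
            and (dport is None or p[2] == dport)]

def check_relay_chain(pan_capture, psn_capture, pan_ip, psn_ip):
    """Report where the PAN -> PSN -> NAD CoA chain breaks, given captures taken on both nodes."""
    pan, psn = parse_coa(pan_capture), parse_coa(psn_capture)
    relay_sent = coa_requests(pan, src=pan_ip, dst=psn_ip, dport=COA_RELAY_PORT)
    relay_recv = coa_requests(psn, src=pan_ip, dst=psn_ip, dport=COA_RELAY_PORT)
    nad_sent = coa_requests(psn, src=psn_ip, dport=COA_NAD_PORT)
    findings = []
    if not relay_sent:
        findings.append("PAN never relayed a CoA-Request to the PSN on udp/3799")
    elif not relay_recv:
        findings.append(f"PAN relayed {len(relay_sent)} CoA-Request(s) on udp/3799 but the PSN "
                        "received none: check the firewall between the cluster nodes")
    if not nad_sent:
        findings.append("PSN never sent a CoA-Request to the NAD on udp/1700")
    return findings

# Constructed sample captures reproducing the thread's symptom: the PAN relays, the PSN only sees auth.
PAN_CAPTURE = """\
10:00:00.100 IP 10.10.0.1.52000 > 10.10.0.2.3799: RADIUS, CoA-Request (43), id: 0x01 length: 80
10:00:00.150 IP 10.10.0.1.52001 > 10.10.0.2.3799: RADIUS, CoA-Request (43), id: 0x02 length: 80
"""
PSN_CAPTURE = """\
10:00:00.050 IP 192.0.2.10.1645 > 10.10.0.2.1812: RADIUS, Access-Request (1), id: 0x10 length: 200
10:00:00.060 IP 10.10.0.2.1812 > 192.0.2.10.1645: RADIUS, Access-Accept (2), id: 0x10 length: 60
"""
```

Run `check_relay_chain(PAN_CAPTURE, PSN_CAPTURE, "10.10.0.1", "10.10.0.2")` to get the two findings for the constructed captures; an empty list means the relay and the CoA to the switch were both seen.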
