Problem with PSN ISE node (error 5405 Radius session drop)

Hello everyone!

Recently, in our ISE deployment, the following errors appeared on one of the PSN nodes when attempting to authorize via the Dot1x and MAB protocols:

AleksandrPashko_0-1749570871479.png

 

But there are also normal sessions.

After the RADIUS Request Drop, due to the load balancing configured on the NADs, the device is successfully authenticated/authorized on the next PSN node in the group (there are only 3 PSN nodes in each group).

Rebooting the node does not help.

When deregistering (removing) the node from the deployment, all RADIUS sessions are successful (when the node is standalone).

Cisco Identity Services Engine Version 3.1.0.518
Cisco Identity Services Engine Patch Version 7

Could someone help us to resolve the problem?

Thank you in advance!

Accepted Solutions

Arne Bier
VIP

Sounds like a TAC case to me. But if you want to investigate yourself, then try reproducing it, and run a tcpdump on that node - if the RADIUS Access-Request packet looks normal (i.e. same as a 'working' request) then you can conclude that the PSN has lost its marbles. But since we (ISE admins) can't influence the programming of a PSN node (it's all done via the Admin node) there is little we can do, other than de-register, re-register, reboot etc. I don't understand why a de-registered node would work any differently to a registered one. The Services programming remains intact after de-registration.

Sometimes, you can force a config "push" to the PSNs by making a config change that should be replicated to all nodes - e.g. create a new dummy Policy Set that does nothing, and then delete it again - perhaps that's enough to force a reprogramming of the node. But it's just a guess.
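The comparison suggested in the reply above (a dropped Access-Request against a 'working' one) can be done attribute by attribute once the RADIUS payloads are extracted from the capture. The following is an added example, not part of the original thread and not Cisco code: it parses the RFC 2865 header and attribute TLVs and lists what differs. The two sample packets are constructed for illustration and say nothing about the actual cause of error 5405.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2869 (subset common in 802.1X and MAB requests).
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 31: "Calling-Station-Id",
         61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator"}
VOLATILE = {79, 80}  # values differ on every request, so only presence is compared

def parse_radius(pkt):
    """Return (code, {attr_type: [values]}) for one RADIUS packet (UDP payload)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field does not match captured bytes")
    attrs, pos = {}, 20
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.setdefault(pkt[pos], []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def diff_requests(working, failing):
    """List how the failing Access-Request differs from the working one."""
    (wcode, w), (fcode, f) = parse_radius(working), parse_radius(failing)
    out = [] if wcode == fcode else [f"code {wcode} vs {fcode}"]
    for t in sorted(set(w) | set(f)):
        name = NAMES.get(t, f"attr-{t}")
        if t not in f:
            out.append(f"{name}: missing in failing request")
        elif t not in w:
            out.append(f"{name}: only in failing request")
        elif t not in VOLATILE and w[t] != f[t]:
            out.append(f"{name}: {w[t][0].hex()} vs {f[t][0].hex()}")
    return out

def build(attrs, ident=1):
    """Constructed sample packet: Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: a MAB-style request and a variant lacking Calling-Station-Id.
GOOD = build([(1, b"001122334455"), (4, bytes([192, 0, 2, 10])), (6, struct.pack("!I", 10)),
              (31, b"00-11-22-33-44-55"), (61, struct.pack("!I", 15)), (80, bytes(16))])
BAD = build([(1, b"001122334455"), (4, bytes([192, 0, 2, 10])), (6, struct.pack("!I", 10)),
             (61, struct.pack("!I", 19)), (80, bytes(16))], ident=2)

if __name__ == "__main__":
    print("\n".join(diff_requests(GOOD, BAD)) or "no structural difference")
```

An empty result means the two requests carry the same attributes with the same non-volatile values, which is the "packet looks normal" outcome described in the reply.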