cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
428
Views
1
Helpful
8
Replies

Some WLC Showing Cisco ISE is in DEAD State

poornakumar
Level 1
Level 1

Hi Team,

In our deployment some wlc is showing cisco ise is in dead state but still traffic get forward.so what could be the possibl reason for that wlc's to mark ise as dead and in the same deployment other wlc are working fine and for dot1x we have configure with VIP that is working fine but for guest portal authentication we are facing this issue for guest real radius server ip is configured in wlc.

8 Replies 8

Leo Laohoo
Hall of Fame
Hall of Fame

Is the WLC a 9800?

yup correct..

Is the controller on 17.9.x?

poornakumar
Level 1
Level 1

Hi Team,

In our deployment some wlc is showing cisco ise is in dead state but still traffic get forward.so what could be the possibl reason for that wlc's to mark ise as dead and in the same deployment other wlc are working fine and for dot1x we have configure with VIP that is working fine but for guest portal authentication we are facing this issue for guest real radius server ip is configured in wlc.

not sure if I follow your question completely, but if you are having issue with Guest issues through ISE then follow this step by step guide and let me know at what stage are you failing

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220852-troubleshoot-central-web-authentication.html#toc-hId-1441757191

 

-hope this helps-

friend it simple 
WLC mark ISE dead when 
1- it not response to test packet
2-it slow response to authc packet <<- this case you face with wlc 
in ISE authc detail see if there is any latency 
if there is share the authc detail  

MHM

Hi 

Thanks for the reply.

We have find that the traffic is going to old LB in our deployment but the traffic need to pass through new LB.After removing the old LB and configure the new LB it is working fine.

regards,

poornakumar

Arne Bier
VIP
VIP

IIRC there are two parts of the "show aaa servers" command that show DEAD. One is the overall IP address, and the other is the SMD (Session Manager Daemon) - I never understood how it works. If you find out how to interpret the "show aaa servers" command let us know. I have seen cases where I had to "jump start" the Catalyst aaa radius processing (when it was DEAD) by sending test aaa group commands.