
ISE 1.2 - Error 12929 NAS sends RADIUS accounting update messages too frequently

David Pease
Level 1

We are currently running Cisco ISE 1.2, and every day under the "Misconfigured Network Devices" section on the main ISE Page, I have a huge list of different devices that are all being flagged with the following error message:

 

"12929 NAS sends RADIUS accounting update messages too frequently." " NAS sends RADIUS accounting update messages too frequently
Verify NAS configuration. Verify known NAS issues."

 

The list of devices seems to all be Cisco switches; albeit different models, IOS versions, etc.

 

I have searched on this issue, and the closest thing to a fix I can find is that it would be fixed in a WLC update, but that was 9 months ago. I would like to know what causes this issue, and what needs to be altered in ISE, or on the switches to resolve this.

 

Thank You.

 

37 Replies

Any news from TAC?

We have the same problem with ISE 1.2.0.876 and IOS 15.0(2)SE5.

Regards

Sebastian

 

 

Hi David,

I know this is an old ticket, but I was seeing a similar issue. It turns out I had overlooked the "aaa accounting update newinfo periodic 2880" line while following this guide for ISE switch setup:

https://communities.cisco.com/docs/DOC-68171

Regards

Gurudatt Pai
Cisco Employee

 

CSCuh20269 "WLC sends acc updates too frequently, indicates user roams to itself" is the defect specifically on the WLC that is fixed in one of the 7.6 releases.

 

Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing a lot of activity (for example, frequent IP changes), which results in frequent accounting updates.

 

Regards,

Gurudatt

Escalation engineer, SAMPG | CCIE#28227

Cisco systems

Gurudatt, 

 

The issue is reported to be seen on 2960 and 3560 switches as well. Our devices would not be changing IPs enough to warrant 500 notifications a day.

 

 

Sam Hertica
Cisco Employee

Hey David,

 

I'm working a similar case where the NAD actually sent accounting messages for interfaces without dot1x enabled, but were up/up. In this case, the customer has the following in the global config:

Macro auto monitor
Access-session template monitor

There's some global commands required for ip dhcp snooping, so disabling them outright isn't the best solution for the time being. There are discussions about putting forward a feature to disable it on a per-port basis, as this is intentional behavior apparently.

 

If I'm wrong about my assumption, and you don't have either of those commands in the running config, I would recommend taking a packet capture from a PSN and filter for the specific accounting messages from the switch and see if there's anything wonky on there. Example wireshark filter being 'radius.code == 4 && ip.src == 1.2.3.4'. If you're comfortable posting it up on the forums I can take a look as well.

preston trogden
Level 1

I believe this is supposed to be fixed in the 1.2.1 patch for ISE they just released.

I updated to 1.2.1 and the error is still alive and well ;) 

 

 

O.k., after 2 weeks on patch 1.2.1, it has gotten better. It hasn't gone away completely, but under "normal" conditions it is almost gone. If, for example, a building has a power failure and 2000 devices come back online, then you still get this message. But my error messages have gone back quite a lot after patch 1.2.1.

 

Hi MeMySelfundCisco,

 

You updated to 1.2.1 and you always have error messages?

 

Thanks for your experience!

 

preston trogden
Level 1

The "start-stop" records seem to be what it's picking up as accounting updates. My "misconfigured devices" area had very few notices in it the other day, so I waited for a new one to pop up and went into the logs and saw the only thing it was reporting was the "start and stops" of the accounting functions of the command "aaa accounting dot1x default start-stop group ISE local", and that seems to be what it is seeing as an accounting update. I am a junior network analyst, so I have not gotten approval to tinker with the settings in the switches to see if that is in fact the case. Anyone care to be the guinea pig?

For the time being, I just went into settings and turned off that alarm.

julambert
Level 1

Hey Guy,

I have the same issue on 2960S. Does someone have a solution to solve the problem?

I had "aaa accounting update periodic 15"

and it didn't change anything.

 

Thanks for your help!

Rene S.
Level 1

We're running ISE 1.3 and WLC 8.0.120.0 and I still get those messages....

lisacoody
Level 1

Newly installed ISE 2.1 with 5508's running code 8.0.133. I'm seeing the messages too.

Hi!

In my scenario, ISE 1.4.0.253, WLC 5508 version 8.0, I'm seeing the messages too.

Thanks for updates!

David.

seb.wefers
Level 1

In my scenario it seems like it's not the fault of the RADIUS server. I actually saw RADIUS accounting interim-update packets on the network. After a time I discovered an end device losing its IP and sending another DHCP request all the time. This device causes the switch to send RADIUS accounting update packets. Even when aaa accounting update was not set I saw accounting interim-update packets.

Cisco: " Even after removing the interim accounting update, the switch was sending packet as there was change in critical information (ip address/reauthentication) . This is working as design, so to change this behavior, we need to open a feature request."

So if you have the above error message, turn on tcpdump on your ISE and filter for your RADIUS accounting port. Maybe you can find the source of the problem.

Regards,

Sebastian
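
The capture analysis suggested in the replies above (filtering for RADIUS code 4 from the switch, then looking for the endpoint behind the updates), as an added example that is not part of the original thread. It assumes the UDP payloads have already been extracted from a capture taken on a PSN; the threshold, addresses and MAC values are constructed sample data.

```python
import struct
from collections import defaultdict

ACCT_REQUEST = 4                                       # RADIUS code: Accounting-Request
NAS_IP, FRAMED_IP, CALLING_ID, STATUS = 4, 8, 31, 40   # RADIUS attribute types
INTERIM_UPDATE = 3                                     # Acct-Status-Type: Interim-Update

def parse_acct(payload):
    """Return {attr_type: value_bytes} for an Accounting-Request, else None."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(payload):
        return None
    attrs, pos = {}, 20                                # skip the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None                                # malformed attribute: reject packet
        attrs[a_type] = payload[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def noisy_endpoints(payloads, threshold):
    """Map (NAS, endpoint) -> (interim updates, distinct Framed-IPs) if >= threshold."""
    counts, ips = defaultdict(int), defaultdict(set)
    for p in payloads:
        a = parse_acct(p)
        if not a or a.get(STATUS) != struct.pack("!I", INTERIM_UPDATE):
            continue
        key = (".".join(map(str, a.get(NAS_IP, b""))), a.get(CALLING_ID, b"?").decode())
        counts[key] += 1
        ips[key].add(a.get(FRAMED_IP))
    return {k: (n, len(ips[k])) for k, n in counts.items() if n >= threshold}

def build(status, mac, framed, nas=b"\x0a\x00\x00\x01"):
    """Build a constructed sample packet (zeroed authenticator, test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (STATUS, struct.pack("!I", status)), (NAS_IP, nas),
        (CALLING_ID, mac.encode()), (FRAMED_IP, bytes(framed))))
    return struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed capture: one endpoint cycling through DHCP leases, one quiet endpoint.
SAMPLE = [build(3, "AA-BB-CC-00-00-01", (10, 1, 1, i)) for i in range(2, 7)]
SAMPLE += [build(1, "AA-BB-CC-00-00-02", (10, 1, 1, 50)),
           build(3, "AA-BB-CC-00-00-02", (10, 1, 1, 50))]

if __name__ == "__main__":
    for (nas, mac), (n, n_ips) in noisy_endpoints(SAMPLE, threshold=3).items():
        print(f"{nas} {mac}: {n} interim updates, {n_ips} distinct Framed-IP values")
```

An endpoint whose distinct Framed-IP count tracks its interim-update count is the pattern Sebastian describes: each address change triggers another accounting update from the switch.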
