Hi forum,
We have an ISE deployment that we are lab testing.
This is running v1.2.0.899 with Patch 2 installed.
We have an authC policy configured for domain-joined computers for 802.1x and domain credentials:
Condition: Wired_802.1X
Allow Protocols: PEAP_CHAPv2
Use: AD
This works, and authenticates both the machine (pre-login) and user (post-login).
However, I am seeing some errors in the Auth logs before the 5200 Authentication succeeded message.
These messages are not shown in the Cisco ISE Log Messages spreadsheet!
5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.
5405 RADIUS Request dropped
5440 Endpoint abandoned EAP session and started new
Has anybody else experienced this or can explain why I am seeing this behaviour?
All helpful responses rated!
Thanks Ash.
Hi
• Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
• Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.
• Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
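The last two checks in the reply above, as an added example that is not part of the original thread and not a Cisco tool: it reports which of the listed `radius-server` commands are absent from a switch configuration and flags DACL names or lines with stray whitespace. The sample configuration, the DACL names and the function names are constructed for illustration, and "extra spaces" is assumed to mean leading, trailing or doubled spaces.

```python
import re

# The five global commands listed in the reply above.
REQUIRED = [
    "radius-server attribute 6 on-for-login-auth",
    "radius-server attribute 8 include-in-access-req",
    "radius-server attribute 25 access-request include",
    "radius-server vsa send accounting",
    "radius-server vsa send authentication",
]

# Constructed sample input (not taken from the thread).
SAMPLE_CONFIG = """\
aaa new-model
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server  vsa send accounting
no radius-server vsa send authentication
"""
SAMPLE_DACLS = {
    "PERMIT-ALL": "permit ip any any",
    "PERMIT - WIRED": "permit ip any any \ndeny  ip any any",
}

def normalize(line):
    """Collapse whitespace so indentation or doubled spaces do not hide a match."""
    return " ".join(line.split())

def missing_radius_commands(running_config):
    """Return required commands that are absent; a 'no ...' form counts as absent."""
    present = {normalize(line) for line in running_config.splitlines()}
    return [cmd for cmd in REQUIRED if cmd not in present]

def dacl_findings(name, body):
    """Flag whitespace in the DACL name and stray spaces in its lines."""
    findings = []
    if re.search(r"\s", name):
        findings.append(f"DACL name {name!r} contains whitespace")
    for number, line in enumerate(body.splitlines(), 1):
        if line != line.strip() or "  " in line:
            findings.append(f"DACL {name!r} line {number}: extra spaces")
    return findings

if __name__ == "__main__":
    for cmd in missing_radius_commands(SAMPLE_CONFIG):
        print("missing:", cmd)
    for dacl_name, dacl_body in SAMPLE_DACLS.items():
        for finding in dacl_findings(dacl_name, dacl_body):
            print(finding)
```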
Hello,
We have same problem with 1.3.
"5440 Endpoint abandoned EAP session and started new"
We have 3 active directories:
- 2 on the same LAN: OK (wireless and wired connection)
- 1 behind two firewalls: problem (only for wireless)
We set WLC EAP timers to:
config advanced eap identity-request-retries 20
config advanced eap request-retries 20
config advanced eap eapol-key-timeout 5000
config advanced eap eapol-key-retries 4
But it seems that AD3 doesn't have time to reply...
If someone has an idea, he is welcome :)
Thanks,
Hi all,
Has anyone solved it? I have a similar issue with ISE 1.4.
I am trying to deploy EAP_chaining with user and machine certificates (AnyConnect 3.1.11004).
If the user has the certificate, all is working fine, but if the user does not have it, I can see "Endpoint abandoned EAP session and started new..."
thanks.
Hello, just to say that in ISE version 1.3.0.876 it's not resolved yet; I am having the same problems:
5440 Endpoint abandoned EAP session and started new
I have 200 endpoints working well and suddenly the PSN stopped accepting more endpoints; my limit per PSN is 2500.
I am using W8.1 machines behind 7940/7960 IP phones.
So I am going nuts!
You may want to take a look at
CSCuh86885 No event for failure reasons 5440/5441: Endpoint started a new session..
~BR
Jatin Katyal
**Do rate helpful posts**
This bug does not appear to be public yet.
Any ideas why?
This is an external defect but duplicate of
CSCui21439 message texts do not reflect 1.2 added/modified value
I'm going to paste the description/content here from the defect.
Environment:
Build: 1.2.0.891 install from iso and configured from scratch.
Deployment:
Node1: pri(A), Pri(M), PDP
Node2: Sec(A)
Node3: Sec(M)
Node4: PDP
Node5: PDP
Node4 and Node5 were placed in node group.
Procedure:
1. configured multiple nics on node4 and node5 with ip address and host alias.
2. Configured policy sets to serve requests coming for eth0 and eth1.
3. tried round-trips (BYOD flows) with both eth0 and eth1.
Observation:
1. Under live authentications page, admin could see events which are having below failure reasons without event details (i.e. event column is blank)
"5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session."
"5440 Endpoint abandoned EAP session and started new"
2. But under Operations --> Reports --> Auth service status --> Radius errors report, event details are getting appeared so the problem is in reports admin could able to see event details for above failure reasons but not in live authentications page. so, there is no functional impact as admin could see event details from reports section.
~BR
Jatin Katyal
**Do rate helpful posts**
It's a bug which will be fixed in ISE version 1.3
No event for failure reasons 5440/5441: Endpoint started a new session..
So this will be fixed in the next major release of ISE (v1.3) not in the next ISE 1.2 Patch (v1.2 Patch 3)?
Many thanks, Ash.
It will be fixed only in ISE version 1.3