iPhone stops sending certificate to server in EAP exchange

Hello everyone

We encountered a problem connecting client devices to the Wi-Fi SSID, which authorizes users through an external Cisco ISE server. Only iPhones and iPads connect to it. At some point we noticed that some devices stop connecting.
Turning Wi-Fi on/off, rebooting the device and other manipulations with it do not help. Connectivity is restored only if you "forget the network" and reconnect. The problem was noticed on iOS 15.6.1, 16.1.2, 16.2 and 16.3.

After troubleshooting we found that the problem is at the stage of the EAP exchange between the Apple mobile devices and the server. There's a successful exchange on the left and the failed one on the right of the screenshot.

For some reason, after some time the device stops sending a certificate in response to the Identity request from the server and sends a "Close Notify" instead. And we can see nothing in the Live Logs on the Cisco ISE side.

[Screenshot: AleksandrPashko_0-1676641951792.png]

9 Replies

Check the above line: there is a fragment.
So in one of the hops between the client and server some hop is fragmenting, and it sometimes passes and other times fails.
If you use MPLS then check the MTU you use.

Thank you for the answer.

We're not using MPLS in our network, and the ISE node and WLC are in the same network.

You want me to increase the MTU? Where exactly do I need to check and, if necessary, increase the MTU?

ISE and WLC are in the same network, but are the AP/client in the same one?

ISE and WLC are on the same network, but the APs and clients are on a different one.

Rich R (VIP)

Those are TLS fragments, which is expected for a 1877-byte segment. And that's the one that's working anyway, so clearly not a problem.

Regarding the original problem:
- Either you've found an iOS bug which only Apple can fix for you
- Or ISE is sending something that's triggering the device to close the TLS connection, so the packets before that need to be inspected closely. Check things like your certs: have all your nodes been fully updated with matching certs and the full cert chain, for example? Also in this regard fragmentation could be an issue: if ISE is not using TLS fragmentation and is trying to send large IP packets which then require IP fragmentation in the network, we occasionally see problems with this, particularly on the TLS server cert packets, which always exceed the MTU. We always recommend that customers make sure they implement TLS fragmentation.

This article is quite old but have a look: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html
Get packet captures on both ends and pay attention to what's happening on both ends before the failure.
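To make the two points in this thread concrete (the original post's observation that the client answers with a TLS close_notify instead of a Certificate, and the advice above to check whether the server relies on EAP-TLS fragmentation rather than IP fragmentation), here is an added Python example. It is not code from the thread, from Cisco ISE or from Apple: it builds EAP-TLS packets from constructed TLS records using the framing in RFC 5216 (EAP-TLS flags L/M/S) and RFC 5246 (TLS record header), reassembles the fragments, labels the TLS records it finds, and lists any EAP packet larger than an assumed frame budget. The 1400-byte budget, the packet identifiers and the certificate blob are all constructed sample values.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13                          # EAP-TLS method type (RFC 5216)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, Start
TLS_ALERT, TLS_HANDSHAKE = 21, 22          # TLS record content types
HS_CERTIFICATE = 11                        # TLS handshake message type "Certificate"
ALERT_CLOSE_NOTIFY = 0


def fragment_eap_tls(code, first_id, tls_data, max_eap_len):
    """Split one TLS flight into EAP-TLS packets the way a peer does: the first
    fragment carries the L flag plus the total TLS length, every fragment except
    the last carries the M flag. max_eap_len is the EAP packet size budget."""
    if max_eap_len < 16:
        raise ValueError("budget too small to carry any TLS data")
    packets, ident, off = [], first_id, 0
    while off < len(tls_data) or not packets:
        first = off == 0
        hdr_len = 10 if first else 6           # EAP hdr(4) + type(1) + flags(1) [+ TLS len(4)]
        chunk = tls_data[off:off + max_eap_len - hdr_len]
        off += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if off < len(tls_data) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", len(tls_data))
        body += chunk
        packets.append(struct.pack("!BBH", code, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
    return packets


def parse_eap_tls(pkt):
    """Decode the EAP header and the EAP-TLS flags/length of one packet."""
    if len(pkt) < 6:
        raise ValueError("too short for EAP-TLS")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != packet size {len(pkt)}")
    if pkt[4] != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (type {pkt[4]})")
    flags, off, tls_len = pkt[5], 6, None
    if flags & FLAG_L:
        if len(pkt) < 10:
            raise ValueError("L flag set but no TLS length field")
        tls_len = struct.unpack("!I", pkt[6:10])[0]
        off = 10
    return {"code": code, "id": ident, "more": bool(flags & FLAG_M),
            "start": bool(flags & FLAG_S), "tls_len": tls_len, "data": pkt[off:]}


def reassemble(packets):
    """Concatenate one direction's fragments until a packet without the M flag."""
    parsed = [parse_eap_tls(p) for p in packets]
    buf, expected = b"", parsed[0]["tls_len"]
    for p in parsed:
        buf += p["data"]
        if not p["more"]:
            break
    else:
        raise ValueError("last fragment still has M set; flight incomplete")
    if expected is not None and len(buf) != expected:
        raise ValueError(f"reassembled {len(buf)} bytes, announced {expected}")
    return buf


def tls_records(data):
    """Label the plaintext TLS records of a flight. An alert sent before
    ChangeCipherSpec (a close_notify right after ServerHello) is readable here."""
    out, off = [], 0
    while off + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if ctype == TLS_ALERT and len(body) == 2:
            desc = "close_notify" if body[1] == ALERT_CLOSE_NOTIFY else f"alert_{body[1]}"
            out.append(("alert", desc))
        elif ctype == TLS_HANDSHAKE and body:
            out.append(("handshake", body[0]))
        else:
            out.append(("other", ctype))
        off += 5 + rlen
    return out


def oversized(packets, frame_budget):
    """Sizes of EAP packets above frame_budget: each would need IP fragmentation
    once wrapped in RADIUS/UDP/IP on a path whose MTU yields that budget."""
    return [len(p) for p in packets if len(p) > frame_budget]


# Constructed sample data (not from the thread): a 3000-byte Certificate handshake
# message in one TLS record, and a warning-level close_notify alert record.
HS_BODY = bytes([HS_CERTIFICATE]) + b"\x00\x0b\xb4" + b"\xaa" * 2996
CERT_RECORD = struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(HS_BODY)) + HS_BODY
CLOSE_NOTIFY = struct.pack("!BHH", TLS_ALERT, 0x0303, 2) + bytes([1, ALERT_CLOSE_NOTIFY])


def demo(frame_budget=1400):
    fragmented = fragment_eap_tls(EAP_REQUEST, 10, CERT_RECORD, max_eap_len=1002)
    whole = fragment_eap_tls(EAP_REQUEST, 10, CERT_RECORD, max_eap_len=5000)
    reply = fragment_eap_tls(EAP_RESPONSE, 10, CLOSE_NOTIFY, max_eap_len=1002)
    return {
        "fragment_count": len(fragmented),
        "reassembled_ok": reassemble(fragmented) == CERT_RECORD,
        "records": tls_records(reassemble(fragmented)),
        "oversized_when_fragmented": oversized(fragmented, frame_budget),
        "oversized_when_not": oversized(whole, frame_budget),
        "client_reply": tls_records(reassemble(reply)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run against a real capture you would feed the EAP payloads extracted from the RADIUS EAP-Message attributes (or from the EAPOL frames on the wireless side) into `reassemble` and `tls_records` for each direction; a server flight that `oversized` flags under your path's budget is the IP-fragmentation case the reply above warns about, and a client flight that decodes to `("alert", "close_notify")` where a Certificate was expected is the failure the original post shows.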

Thank you for the answer, let me check it.

Maybe it helps: here are the screenshots of the Server Hello of the successful and the failed EAP exchange. I can't see any differences: both of them are fragmented, and both of them present the same server certificate chain with the same common name.

[Screenshot: AleksandrPashko_0-1676972532316.png]

[Screenshot: AleksandrPashko_2-1676974604184.png]

Rich R (VIP)

Then I'm inclined to think it's an Apple bug ...
I'd open a TAC case for it: make sure TAC agree it's an Apple fault (in case it's something we missed), then try to get them to raise it with Apple, unless you have an existing relationship with Apple through which you can raise it directly.

You mean it can be an Apple bug for different devices (iPhone and iPad) with different iOS versions (15.6.1, 16.1.2, 16.2, 16.3)?
