cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5974
Views
0
Helpful
16
Replies

ISE 1.2 Patch 12

stephendrkw
Level 3
Level 3

Hi all,

 

I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.

 

None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.

 

"5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"

 

Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x

I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)

 

Any info out there about 5441 before I log a TAC?????

 

Thanks.

 

16 Replies 16

mohanak
Cisco Employee
Cisco Employee
No event for failure reasons 5440/5441: Endpoint started a new session..
CSCuh86885

I can't view details of bug CSCuh86885 via the Cisco bug search tool. Can you please paste all the info in this thread for me.

 

Thanks

We have same problem - After upgrade of Cisco ISE to 1.2 patch 12 (previous was patch 9) this message started to appear.... 

Our scenario - LAN 802.1x - authentication FAST with eap chaining..

Machine authentication via certificate - no error message appears

User authentication (chaining) -

 two messages appears -

 

5413 RADIUS Accounting-Request dropped

5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.

We have rolled back to patch 11 - and everything looks fine (no error message)

There is something wrong with the patch 12. – it looks that only user authentication is affected

 

see in the attachment....

Having the same issue here on Patch 12 after applying fix patch

Dashboard and client counts are all going down and becoming inaccurate.

WLAN and LAN with 802.1x

Event5413 RADIUS Accounting-Request dropped
Failure Reason

5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.

We had applied this patch to get current with the BASH vulnerability.

Please post the contents of the bug listed above.

Thanks,

Chris

I received an email from Sac Support @Cisco not long after I posted this discussion, Cisco are investigating the issue at the moment, I've asked for an update.

 

If no response I'll log a TAC and update this thread when I find out more......I'm hoping for patch 13 soon!

I have opened a TAC case. Right now, as you said, Cisco investigate my logs from switch and ISE. We will see...

I got a confirmation from Cisco TAC. We are hitting the Bug ID CSCur35455 in our deployment. Bug description is not customer visible yet.  Based on the Cisco, this bug is quite "Deployment specific" and other ISE deployments does not have the same issue. Fix will be released in patch 13.

sounds like we might have to wait till next year...at least Cisco have identified the bug

FYI -I have upgraded to ISE 1.3 and am still getting these errors.  Any new info?

 

thx

HI - I have Cisco ISE running on version 1.3 and getting errors for 5440 with endpoint initiates a new session. Can anyone please confirm that this is just a cosmetic bug and not affecting authentications? 

Thanks,

Sandeep

Hello,

 

Regarding:

CSCuh86885    No event for failure reasons 5440/5441: Endpoint started a new session.

This bug is basically cosmetic. This means there is no event associated when error 5440 / 5441 are triggered, but that has nothing to do with why those error are triggered.

I am working on a TAC case with Tomas. I or He will post the result once we come to any conclusion.

Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:

 

It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.

 

Event5400 Authentication failed
Failure Reason12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
ResolutionVerify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root causeSession was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

Cisco has released patch 13 for ISE 1.2. And the problem was solved. One point - every node in cluster (or standalone) rebooted after patch was applied. This is quite change, because previous patches for ISE 1.2 only disable/enable services.

 

 

Hi cisartomas, thanks for updating us.

One thing Cisco identified this bug as CSCuh86885 (as in this thread Bistein Migette who I have dealt with in previous TAC calls).

I'm looking through the latest release notes updated 23rd December under 1.2 resolved caveats I can't see big fix for CSCuh86885?

Can you let me know where this fix is listed under the latest release notes....maybe CSCur35455?

thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: