ISE - AD 802.1x Authentication Failure (All of the sudden)

jacovr
Level 1
I have a WLC using ISE to authenticate through AD.  (No certificates - only username & password)

ISE is single node deployment.

It's been running fine for the past 6 months, but all of a sudden I get the following errors:

Failure Reason:  12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist

Resolution:  Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.

Root cause:  Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

Any ideas why this would happen?

17 Replies

nspasov
Cisco Employee

Has anything changed in the environment? For example, have you introduced a load-balancer or made changes to an existing one?

Thank you for rating helpful posts! 

No. NOTHING has changed.

I had to restart the ISE box this morning, and the problem went away.

Now I'm worried about what will cause it to come back again.

We had a similar issue. TAC had us go to the CLI and issue the following on the PSNs:

application configure ise

select 5

answer yes to the next two questions.

This clears the AD cache and resolved our issue.

Hi

Clearing the AD cache (or rebooting the PSN) is only a workaround, and it could occur again. We hit a similar issue, and ISE 1.2 patch 7 had a fix for that. Make sure your ISE environment is updated with the latest patch of ISE 1.2.0, or that you have 1.2.1.

PS: the bug detail is not published by Cisco; they keep it internal.

HTH

Rasika

**** Pls rate all useful responses ****

Hi,

Thanks for the reply. Running patch 9, also clearing the cache every Monday. Hopefully when we upgrade to 1.2.1 this will be resolved.

Hi

Do you have multiple PSN & do you use load balancer (F5,etc) to load balance Auth requests ?

We have that kind of setup (F5 to load balance). In that scenario, "Failure Reason: 12953" is not uncommon.

Generally we get less than 5% total auth failures every day. The main failure reason is the one above.

Thanks for using rating system as well.

HTH

Rasika
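Rasika's 5% figure is a usable baseline. The script below is an added example, not code from the thread or from Cisco: it parses constructed ISE-style authentication records (the line layout, field names and PSN hostnames are assumptions) and flags when failure reason 12953 alone rises above that daily baseline, per deployment and per PSN, so a sudden rise like the one the opener describes is caught before users start complaining.

```python
import re
from collections import Counter

# Constructed ISE-style authentication records, not output from the
# deployment in the thread; the line layout and field names are assumptions.
# 12953 is the "session not found on this PSN" failure discussed above;
# 22056 stands in for an ordinary bad-credential failure.
SPIKE_LOG = """\
2014-10-13T08:00:01 PSN=ise01 User=alice Status=PASS
2014-10-13T08:00:05 PSN=ise01 User=bob Status=FAIL Reason=12953
2014-10-13T08:00:09 PSN=ise02 User=carol Status=PASS
2014-10-13T08:00:12 PSN=ise01 User=dave Status=FAIL Reason=22056
2014-10-13T08:00:15 PSN=ise01 User=erin Status=FAIL Reason=12953
2014-10-13T08:00:20 PSN=ise02 User=frank Status=PASS
2014-10-13T08:00:24 PSN=ise02 User=grace Status=PASS
2014-10-13T08:00:31 PSN=ise01 User=heidi Status=FAIL Reason=12953
2014-10-13T08:00:38 PSN=ise02 User=ivan Status=PASS
2014-10-13T08:00:44 PSN=ise01 User=judy Status=PASS
"""

HEALTHY_LOG = """\
2014-10-14T08:00:02 PSN=ise01 User=alice Status=PASS
2014-10-14T08:00:06 PSN=ise02 User=bob Status=PASS
2014-10-14T08:00:11 PSN=ise01 User=carol Status=FAIL Reason=22056
2014-10-14T08:00:13 PSN=ise02 User=dave Status=PASS
2014-10-14T08:00:19 PSN=ise01 User=erin Status=PASS
2014-10-14T08:00:25 PSN=ise02 User=frank Status=PASS
2014-10-14T08:00:29 PSN=ise01 User=grace Status=PASS
2014-10-14T08:00:33 PSN=ise02 User=heidi Status=PASS
2014-10-14T08:00:40 PSN=ise01 User=ivan Status=PASS
2014-10-14T08:00:47 PSN=ise02 User=judy Status=PASS
"""

SESSION_NOT_FOUND = "12953"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) PSN=(?P<psn>\S+) User=(?P<user>\S+) "
    r"Status=(?P<status>PASS|FAIL)(?: Reason=(?P<reason>\d+))?$"
)


def parse_log(text):
    """Parse the constructed records into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failure_stats(events):
    """Total attempts, total failures, and failure count per reason code."""
    failures = [e for e in events if e["status"] == "FAIL"]
    return {
        "total": len(events),
        "failures": len(failures),
        "by_reason": dict(Counter(e["reason"] for e in failures)),
    }


def reason_ratio(events, reason=SESSION_NOT_FOUND):
    """Fraction of all attempts that failed with the given reason code."""
    stats = failure_stats(events)
    if stats["total"] == 0:
        return 0.0
    return stats["by_reason"].get(reason, 0) / stats["total"]


def reason_ratio_by_psn(events, reason=SESSION_NOT_FOUND):
    """Same ratio per PSN: behind a load balancer, one node reaping sessions
    early or receiving another node's packets shows up as an outlier here."""
    by_psn = {}
    for e in events:
        by_psn.setdefault(e["psn"], []).append(e)
    return {psn: reason_ratio(evs, reason) for psn, evs in by_psn.items()}


def should_alert(events, threshold=0.05):
    """Rasika reports under 5% total failures per day as normal; treat 12953
    alone exceeding that as the 'all of a sudden' condition in this thread."""
    return reason_ratio(events) > threshold


if __name__ == "__main__":
    for name, text in (("spike", SPIKE_LOG), ("healthy", HEALTHY_LOG)):
        events = parse_log(text)
        print(name, failure_stats(events), reason_ratio_by_psn(events), should_alert(events))
```

Run against a real day's export, the per-PSN breakdown is the first thing to look at: if only one node carries the 12953 failures while the others are clean, that points at that node's session state (the reboot and cache-clear workarounds in this thread act on exactly that) rather than at the NADs or the load balancer.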

Hello,

We're getting this kind of failure. When the failure occurs, authentication stops. At this point, we have to restart the device to remediate the authentication.

The failure has "anonymous" identity like the attachment.

The Cisco ISE version is 1.4.0.253.

Do you have any recommendation to solve the problem?

Kind regards,

Can you please share the bug ID that you are referring to?

Hi Neno,

We were hitting CSCun25815

HTH

Rasika

**** Pls rate all useful responses ****

Thank you!!! (+5 from me)

Thanx Guys.

I have loaded all the latest patches, and thus far it is quite stable.

Jaco

Matteo Comisso
Level 1

Hi,

have you configured a valid NTP server on ISE? Public or private?

Maybe something happened with the time configuration; this could explain the behaviour.

Best regards,

Matteo

Yes. I have a public NTP server configured.

Next time this happens (if it happens), check the following:

1. In CLI issue: show clock and verify that the time is correct and it matches your AD

2. In CLI issue: show ntp and verify that it is working and operational

3. In GUI check your AD connection: administration > identity management > external identity stores > active directory
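Step 1 above is worth making mechanical, because the tolerance that matters is Active Directory's: Kerberos rejects requests when the client and the DC clocks differ by more than 5 minutes by default. The snippet below is an added example, not code from this thread or from Cisco. It assumes ISE `show clock` prints in the same layout as Linux `date` (an assumption), accepts UTC only so the comparison is unambiguous, and reports whether the ISE clock and a constructed DC timestamp are inside that window.

```python
from datetime import datetime, timedelta, timezone

# Active Directory's default Kerberos policy ("Maximum tolerance for computer
# clock synchronization") is 5 minutes; beyond that, authentication against
# the DC fails regardless of what ISE itself reports.
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# Constructed sample values. ISE `show clock` is assumed to print like Linux
# `date`; the DC time is a hypothetical reading in the same layout.
ISE_SHOW_CLOCK = "Mon Oct 13 08:15:42 UTC 2014"
DC_CLOCK = "Mon Oct 13 08:22:10 UTC 2014"


def parse_show_clock(text):
    """Parse 'Dow Mon DD HH:MM:SS UTC YYYY' into an aware UTC datetime.

    Only UTC is accepted (assumption) so two readings are always comparable;
    anything else raises rather than silently comparing across zones."""
    parts = text.strip().split()
    if len(parts) != 6 or parts[4] != "UTC":
        raise ValueError("expected 'Dow Mon DD HH:MM:SS UTC YYYY'")
    stamp = " ".join(parts[:4] + parts[5:])
    naive = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def clock_skew(ise_text, dc_text):
    """Absolute difference between the ISE and DC readings as a timedelta."""
    return abs(parse_show_clock(ise_text) - parse_show_clock(dc_text))


def within_kerberos_tolerance(ise_text, dc_text, max_skew=KERBEROS_MAX_SKEW):
    """True when AD would still accept Kerberos exchanges from this ISE node."""
    return clock_skew(ise_text, dc_text) <= max_skew


if __name__ == "__main__":
    skew = clock_skew(ISE_SHOW_CLOCK, DC_CLOCK)
    print(f"skew {skew}, within tolerance: {within_kerberos_tolerance(ISE_SHOW_CLOCK, DC_CLOCK)}")
```

Take both readings as close together as you can (the skew includes however long you spend switching windows), and remember that a node that is inside the window now may still have drifted past it earlier if `show ntp` reports it was unsynchronised.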
