07-25-2014 03:13 AM - edited 07-05-2021 01:17 AM
I have a WLC using ISE to authenticate through AD. (No certificates - only username & password)
ISE is single node deployment.
It's been running fine for the past 6 months, but all of a sudden I get the following errors:
Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause: Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
Any ideas why this would happen?
07-29-2014 01:49 AM
Has anything changed in the environment? For example, have you introduced a load-balancer or made changes to an existing one?
Thank you for rating helpful posts!
07-29-2014 02:33 AM
No. NOTHING has changed.
I had to restart the ISE box this morning, and the problem went away.
Now I'm worried: what will cause it to come back again?
08-14-2014 11:49 AM
We had a similar issue. TAC had us go to the CLI and issue the following on the PSNs:
application configure ise
select 5
answer yes to the next two questions.
This clears the AD cache and resolved our issue.
08-14-2014 12:13 PM
Hi
Clearing the AD cache (or rebooting the PSN) is only a workaround & it could occur again. We hit a similar issue & ISE 1.2 patch 7 had a fix for that. Make sure your ISE environment is updated with the latest patch of ISE 1.2.0 or you have 1.2.1.
PS: bug detail is not published by Cisco & is kept internal.
HTH
Rasika
**** Pls rate all useful responses ****
08-14-2014 12:17 PM
Hi,
Thanks for the reply. Running patch 9, also clearing the cache every Monday. Hopefully when we upgrade to 1.2.1 this will be resolved.
08-14-2014 12:23 PM
Hi
Do you have multiple PSNs & do you use a load balancer (F5, etc.) to load balance auth requests?
We have that kind of setup (F5 to load balance). In that scenario "Failure Reason: 12953" is not uncommon.
Generally we get less than 5% total auth failures every day. The main failure reason is the above.
Thanks for using rating system as well.
HTH
Rasika
12-29-2015 12:29 AM
Hello,
We're getting this kind of failure. When the failure occurs, the authentication stops. At this point, we have to restart the device to remediate the authentication.
The failure has an "anonymous" identity, as in the attachment.
The Cisco ISE version is 1.4.0.253.
Do you have any recommendation to solve the problem?
Kindly Regards,
08-15-2014 10:52 AM
Can you please share the bug ID that you are referring to?
08-15-2014 11:59 AM
Hi Neno,
We were hitting CSCun25815
HTH
Rasika
**** Pls rate all useful responses ****
08-18-2014 09:08 PM
Thank you!!! (+5 from me)
08-18-2014 11:54 PM
Thanx Guys.
I have loaded all the latest patches, and thus far it is quite stable.
Jaco
07-29-2014 03:19 AM
Hi,
Have you configured a valid NTP server on ISE? Public or private?
Maybe something happened with the time configuration; this could explain the behaviour.
Best regards,
Matteo
07-29-2014 03:22 AM
Yes. I have a Public NTP server configured.
07-29-2014 09:11 AM
Next time this happens (if it happens), check the following:
1. In CLI issue: show clock and verify that the time is correct and it matches your AD
2. In CLI issue: show ntp and verify that it is working and operational
3. In GUI check your AD connection: administration > identity management > external identity stores > active directory