Good afternoon,

We are curious if there are any other campuses out there which are running Cisco ISE version 2.1.0.474 (patch 3). We are running into issues where users on our 802.1X-enabled SSID are able to authenticate sometimes, but not always (intermittent connectivity). Re-authentications for devices that are able to connect may also fail, leading to device disconnects. We see messages on the controllers stating that the ISE PSNs are not able to respond to authentication requests on time, and even after disabling aggressive failover, the controllers (WiSM 2 and WLC 5520) are still failing over between our two ISE PSN nodes for authentications. TAC seems to be taking a while to figure out what our issues might be.
We found a bug report during our own troubleshooting at https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc69935/?referring_site=bugquickviewredir, "ISE 2.1 dropping radius traffic for stuck packet in duplicate manager", and we just want to know if anyone else has run or is running this version and has run into similar issues. In case some are not able to view the bug notes, the symptoms listed are:

Symptom:
- Frequent RADIUS drops very early (within the first 10 steps) in the detail logs of a failed authentication.
- Endpoint frequently abandoning the EAP session or stopped responding; could be during PEAP tunnel establishment.
- High authentication latency with little to no load problems on the PSN.
- ISE failure reasons: "packet already in process"; ISE failed messages for unexpected EAP fragment or invalid RADIUS attribute.
- prrt-server logs show duplicateManager setting nasip + source port + pktid in the dup list with "added=true". The auth process finishes for a known duplicate session, but the duplicateManager never sets the same combo of nasip + source port + pktid to "removed=true". The next incoming packet with the same nasip, source port and pktid combo will be rejected as "duplicate" even though it might be for a different session, endpoint, or even auth method (i.e. MAB vs Dot1x).

Known Affected Releases: (1) 2.1(0.474)
Known Fixed Releases: (1) 2.1(0.904)

We have seen the "ISE failure reasons: packet already in process" and "high authentication latency with little to no load problems on PSN" at least. As far as I'm aware we still haven't confirmed this is exactly the problem we're facing, as we're still working with TAC, but the symptoms seem similar. We think it might be best to just go ahead and upgrade to the next patch (2.1(0.904)) even though it was recommended to us by Cisco and done early last week, but we'd like to know if anyone else has experienced similar issues and what the solution was.
ISE upgrades take a long time per node (and we have 4 total), which is why it is not such an easy decision. Maybe this can also serve as a sort of warning in case others are planning an ISE upgrade soon and aren't quite at version 2.2+ yet.

Thank you,
Michael Matlick
Network Control Specialist
University of Maryland, Baltimore
CITS

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
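The bug note quoted above describes a duplicate-detection cache keyed on NAS IP + source port + RADIUS packet identifier whose entries are added ("added=true") but never released ("removed=true"). The following model, added here as an illustration and not taken from ISE or from the original post, shows why that turns into the "packet already in process" symptom: the RADIUS identifier field is only 8 bits (RFC 2865), so a NAS reusing one source port recycles the same key after at most 256 requests, and a stuck entry then rejects a brand-new session as a duplicate. The class name, the time-to-live and the simulated NAS address are assumptions for the example; the two mitigations modelled (release on completion, expiry of stale entries) are generic cache hygiene, not a statement of what the fixed ISE release does.

```python
"""Model of a RADIUS duplicate-detection cache and its stuck-entry failure mode.

Added illustration; not ISE code. Only the key shape (nasip, source port, pktid)
comes from the bug note on the page. Names, TTL and sample values are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Tuple

Key = Tuple[str, int, int]  # (nas_ip, source_port, pkt_id)


@dataclass
class DuplicateManager:
    """Tracks in-flight RADIUS requests so a retransmit is not processed twice.

    ttl_seconds=inf and release_on_completion=False together reproduce the
    behaviour described in the bug note: entries are added but never removed.
    """
    ttl_seconds: float = 30.0              # assumed expiry for stale entries
    release_on_completion: bool = True     # set "removed=true" when auth finishes
    _in_flight: Dict[Key, float] = field(default_factory=dict)  # key -> time added

    def accept(self, nas_ip: str, source_port: int, pkt_id: int, now=None) -> bool:
        """Return True if the packet should be processed, False if treated as a duplicate."""
        now = time.monotonic() if now is None else now
        key: Key = (nas_ip, source_port, pkt_id)
        added_at = self._in_flight.get(key)
        if added_at is not None:
            if now - added_at < self.ttl_seconds:
                return False               # genuine retransmit of an in-flight request
            del self._in_flight[key]       # stale entry: expire it rather than reject forever
        self._in_flight[key] = now         # "added=true"
        return True

    def complete(self, nas_ip: str, source_port: int, pkt_id: int) -> None:
        """Called when the authentication for this request finishes ("removed=true")."""
        if self.release_on_completion:
            self._in_flight.pop((nas_ip, source_port, pkt_id), None)

    def in_flight_count(self) -> int:
        return len(self._in_flight)


def simulate(manager: DuplicateManager, nas_ip: str = "192.0.2.10",
             source_port: int = 1812, requests: int = 300, now: float = 0.0):
    """Run `requests` distinct authentications from one NAS, one per simulated second.

    Constructed traffic: the NAS keeps one source port and its 8-bit identifier
    wraps, so request n reuses the key of request n-256. Returns (processed, rejected).
    """
    processed = rejected = 0
    for n in range(requests):
        pkt_id = n % 256
        t = now + n
        if manager.accept(nas_ip, source_port, pkt_id, now=t):
            processed += 1
            manager.complete(nas_ip, source_port, pkt_id)  # auth finished
        else:
            rejected += 1                                  # "packet already in process"
    return processed, rejected


if __name__ == "__main__":
    stuck = DuplicateManager(ttl_seconds=float("inf"), release_on_completion=False)
    print("stuck cache   :", simulate(stuck), "in flight:", stuck.in_flight_count())
    fixed = DuplicateManager()
    print("released+TTL  :", simulate(fixed), "in flight:", fixed.in_flight_count())
    ttl_only = DuplicateManager(release_on_completion=False)
    print("TTL only      :", simulate(ttl_only))
    # A real retransmit (same key, within the TTL, auth not yet complete) is still suppressed.
    m = DuplicateManager()
    print("first packet  :", m.accept("192.0.2.10", 1812, 7, now=0.0))
    print("retransmit    :", m.accept("192.0.2.10", 1812, 7, now=0.5))
```

Running the script shows the stuck cache processing the first 256 requests and rejecting the remaining 44, while either mitigation processes all 300 and still suppresses the genuine retransmit. For a defender, the observable signature matches the page: rejections begin only after a NAS has cycled its identifier space, so they appear intermittently and under low load, and the per-PSN in-flight table only ever grows.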
