Is this a new deployment or do you have more users this year than last year? It 
could be load related. That 5441 error log indicates there are queued RADIUS 
packets at ISE which cannot be processed in timely manner. Try adding ISE 
service node to see if that can help. Also check this link about something to 
be tuned at WLC side: 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html.

Cheers,

Dennis Xu | Analyst III, Network Infrastructure
Computing and Communications Services (CCS) | University of Guelph
University Centre | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56217 | d...@uoguelph.ca 
www.uoguelph.ca/ccs | twitter.com/ccsnews | facebook.com/CCSUofG


-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Kenny, Eric
Sent: Wednesday, October 9, 2019 9:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC & ISE combo issues

Hi Mathieu,

One thing you might want to verify is that the RADIUS timeout values match in 
both the WLCs and in ISE.  If these values differ, you may end up in a 
situation like this where one side gives up and the other side is not aware.
-----------------------------------
Eric Kenny
Network Architect
Harvard University ITS
-----------------------------------

> On Oct 8, 2019, at 2:50 PM, Mathieu Sturm <mathieu.st...@hogent.be> wrote:
> 
> Hello, since the start of the new academic year we’ve been having some 
> troubles with our Cisco setup. We have 3 Cisco WLC 5520’s (one of these is 
> standby), around 850ap’s and 5 Cisco ISE’s (1 admin node, 1 monitor node and 
> 3 radius-only nodes). 
>  
> We have this setup since 2018. There were some problems sometimes but nothing 
> major. Now recently it’s taking a long time for people to get connected. We 
> have around 20k students and 3K staff with peaks to nearly 9K associations.
>  
> The problem is that it is difficult to get connected sometimes. I see the 
> user trying to connect in the WLC’s but don’t see them trying in the ISE’s 
> (it looks like the attempt gets lost somewher).
> I can see the following worrying log message in the wlc:
>  
> RADIUS auth-server X.X.X.X unavailable
>  
> Or
>  
> These logs in the ISE
>  
> 5441 Endpoint started new session while the packet of previous session is 
> being processed. Dropping new session.
> 12930 Supplicant stopped responding to ISE after sending it the first 
> PEAP message
>  
>  
> It looks like there is some sort of bottleneck between WLC and ISE.
>  
> Further information: the identity store is a bunch of Windows Domain 
> Controllers (6 in total).
>  
> Any ideas?  
>  
> Mathieu Sturm
> Hoofdmedewerker Netwerkbeheer
> 
> <image001.png>
> 
> Directie Financiën, Infrastructuur en IT Afdeling Netwerkbeheer Campus 
> Schoonmeerssen - Gebouw B  Lokaal B0.75 Valentin Vaerwyckweg 1 - 9000 
> Gent
> +32 9 243 35 23
> www.hogent.be
>  
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire 
> community list. If you want to reply only to the person who sent the 
> message, copy and paste their email address and forward the email 
> reply. Additional participation and subscription information can be 
> found at https://www.educause.edu/community
> 


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Reply via email to