Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ACS LOG 11013 RADIUS packet already in the process

Hi,

I had got in my ACS 5.3 the following error message, do you kown wich could me the problem.

red.PNG

Best Regard,

Marco.

Everyone's tags (6)
5 REPLIES

ACS LOG 11013 RADIUS packet already in the process

Marco,

Please use this as a reference:

http://www.cisco.com/en/US/products/ps9911/products_tech_note09186a0080bb8100.shtml#radius11013

n an ACS 5.3 deployment, users fail dot1x  authentication. The database used is an Active Directory. The RADIUS  failure code is shown here:

RADIUS Request dropped: 11013 RADIUS packet already in the process

Solution

The ACS has ignored this request because it is a duplicate of another  packet that is currently being processed. This can occur because of any  of these:

  • The Average RADIUS Request Latency statistic is close to or exceeds the client RADIUS request timeout of the client.

  • External identity store can be very slow.

  • The ACS has been overloaded.

Perform these steps in order to resolve:

  1. Increase the client RADIUS request timeout of the client.

  2. Use a faster or additional external identity store.

  3. Follow the ways to reduce the overload on ACS.

Thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*
Community Member

ACS LOG 11013 RADIUS packet already in the process

Hi tarik,

how can i do that ?

  1. Increase the client RADIUS request timeout of the client.


  2. Use a faster or additional external identity store.


  3. Follow the ways to reduce the overload on ACS


ACS LOG 11013 RADIUS packet already in the process

Marco,

1. First we will have to see what the radius timeout values are set for on the network device. Also we need to identify if there is a relation to which network device(s) are generating this message and then try to increase the timeout values. For that device, if there is some latency some devices come with a default 5 second timer some up to 15.

2. If you are using AD where are the domain controllers with respect to the ACS, is there a firewall or any policing polices that the ACS is subject to in its path to the DCs? If not, how many domain controllers do you have and how many are local to the ACS itself? Are your "sites" configured properly with the DC infrastructure so that when ACS queries the domain it is receving domain controllers that are located closest to it? Also what version of ACS are you running? if you are on ACS 5.3 then installing the latest patch will help fix some critical AD issues.

3. How many authentications do you see on average when this issue occurs, what authentication mechanism are you using (eap-tls or peap), these authentication protocols are different in the way they operate and when it comes to authentications per second EAP-TLS does consume more processing power then the PEAP.

Thanks,

Tarik admani

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Community Member

ACS LOG 11013 RADIUS packet already in the process

Hi tarik,

this is the port configuration in the switch

interface FastEthernet0/12

switchport mode access

switchport voice vlan 10

authentication port-control auto

authentication host-mode multi-domain

authentication violation protect

authentication event fail action authorize vlan 11

authentication event fail retry 2 action authorize vlan 11

authentication event no-response action authorize vlan 11

authentication periodic

authentication timer reauthenticate 60

mab

dot1x pae authenticator

dot1x timeout tx-period 10

dot1x max-reauth-req 3

spanning-tree portfast

end

thank

Community Member

aaa accounting update newinfo

aaa accounting update newinfo

4140
Views
0
Helpful
5
Replies
CreatePlease to create content