Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ISE: Error 5411 No response received ...

Hi all,

we've been running Cisco ACS version 4.x half a year ago, but decided to upgrade to Cisco ISE. So we've made a fresh installation with our cisco partner. At the moment we're live with this equipment, but running in a lot of troubles, as we're receiving a lot of those errors each day. Once the users restart their PCs a few times the problem is solved, but at the moment its pretty annoying:

No response received during 120 seconds on last EAP message sent to the client

Steps from the detailed view:

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

11507  Extracted EAP-Response/Identity

12500  Prepared EAP-Request proposing EAP-TLS with challenge

12625  Valid EAP-Key-Name attribute received

11006  Returned RADIUS Access-Challenge

5411  No response received during 120 seconds on last EAP message sent to the client

Allowed Protocol: EAP-TLS and PEAP

Authentication Protocol : EAP-TLS

Actually I don't know which version we're running. Where can I check the proper release once on the webinterface?

Switches are 3750x with the following switchport configs (some things has been xxx-out), Firmware is Version 12.2(55)SE1:

interface GigabitEthernet1/0/1

description xxx

switchport access vlan xxx

switchport mode access

switchport voice vlan xxx

srr-queue bandwidth share 10 10 60 20

queue-set 2

priority-queue out

authentication event fail action next-method

authentication event server dead action authorize vlan xxx

authentication event no-response action authorize vlan xxx

authentication event server alive action reinitialize

authentication host-mode multi-domain

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate 28800

mab

mls qos trust device cisco-phone

mls qos trust cos

macro description cisco-phone | cisco-phone

dot1x pae authenticator

dot1x timeout tx-period 15

dot1x timeout supp-timeout 15

auto qos voip cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AutoQoS-Police-CiscoPhone

Can someone introduce anything to solve the problem, maybe some misconfiguration or improvements before starting a TAC-Case.

Thanks in advance

regards

Marc

7 REPLIES
Cisco Employee

Cisco ISE: Error 5411 No response received ...

Actually, it's annoying...No response received during 120 seconds on last EAP message sent to the client

Are you facing issue with all the machines/OS? If there is a specific OS, What OS and supplicant are you using on that machine?

What eap method do we have configured PEAP or EAP-TLS?

Status of "validate server certificate" on the client machines?

When exactly you see this message while booting up or anytime?

Does this message prevent users to authenticate?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Cisco ISE: Error 5411 No response received ...

The OS Version is Microsoft Windows 7 Professional 32 Bit

EAP method is EAP-TLS normally

The Client Machines have "Validate Server Certificate" enabled

When exactly you see this message while booting up or anytime / Does this message prevent users to authenticate?

- I've just checked todays ISE log for this error. There are about 82 errors on different clients today which I've called right now and asked if they had any problems with the PC. Most of them had for example: no network drives, no printers and about 5 people no connection until they've restarted their machin.

The PCs are connected to an CISCO 7965G telephone, which are also running with Certificates.

The proper version we're running is: 1.1.2.145

regards Marc

Marc

Cisco Employee

Re: Cisco ISE: Error 5411 No response received ...

The Global Help icon is located in the bottom left corner of the Global  Toolbar in the Cisco ISE window. You may check the ISE version there.

To launch Global Help, complete the following steps:


Step 1 On the global toolbar, move your cursor over the Help icon.

Step 2 Choose Online Help from the pop-up menu.

A new browser window appears displaying the Cisco ISE Online Help.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Cisco ISE: Error 5411 No response received ...

Any more Ideas?

Cisco Employee

Cisco ISE: Error 5411 No response received ...

Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts. For more information you can see the below link.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf

New Member

HI.

HI.

i am in similar suitation how did you reslove the issue?

New Member

Hi,

Hi,

we found out that our Windows Clients respond too slow to the dot1x requests. Setting the policy to have 3 tries for authentication instead of 1 solved almost all of those problems for us.

Regards

Marc

4784
Views
0
Helpful
7
Replies