ISE-5443 RADIUS request dropped due to reaching EAP sessions limit

Hi Guys,

I am getting the below error message from two PSNs (out of 4), resulting in 95% failed authentications on ISE.

"5443 RADIUS request dropped due to reaching EAP sessions limit"

I could not find any documents/reference & am trying to get hold of TAC in the meantime.

If any of you know what it could be, please share your input.

TIA

Rasika

Scott Fella
Hall of Fame

Rasika,

Wish I could help you, but I haven't seen those errors on my ISE, just others :)

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for that.

Here is a bit more information about this event log in the ISE system (1.2 Patch 4).

Event: 5405 RADIUS Request dropped

Failure Reason: 5443 RADIUS request dropped due to reaching EAP sessions limit

Resolution: Wait a few seconds before invoking another RADIUS request with new EAP session. If system overload continues to occur, try restarting the ISE Server

Root cause: A RADIUS request was dropped due to reaching EAP sessions limit. This condition can be caused by too many parallel EAP authentication requests.

Worked with TAC & restarted the service on one PSN node, which brought that node back to normal condition, & removed the other PSN from the F5 pool until TAC analyzes the support bundle gathered from it.

It is not a heavily loaded environment (3k wireless clients) at the moment & it is a bit scary since we are expecting around 15k when students are back in early March. The authentication failure rate is around 100 in every 15-20s interval. Not sure what the limitation of the ISE system itself is for handling the number of EAP sessions per second.


Rasika

Scott Fella
Hall of Fame

Interesting. Keep us posted... Something maybe with the F5's?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Naveen Kumar
Level 4

It's a bug which will be fixed in ISE version 1.3

CSCuh86885

No event for failure reasons 5440/5441: Endpoint started a new session..

Hi Naveen,

Thanks for this info, but I cannot see the bug detail due to privilege limitation.

Actually our error message is slightly different from what you posted:

5443 RADIUS request dropped due to reaching EAP sessions limit

This issue is critical for me at the moment, as the other two PSN nodes failed today with the same error message.

Working with TAC on this, but they did not mention any known bug for this so far.

Regards

Rasika

My God! ISE drives me nuts.. after version 1.1.1 until 1.2.1 and a lot of patches.. this solution should be more stable..

Hi Guys,

I moved this discussion to Security hoping someone could help on this. I have been working with TAC on this (P1 case #628971299) for the last 2 weeks, but with no significant progress.

TIA

Rasika

Finally Cisco managed to find the root cause for this. It was due to client EAP sessions never getting cleared (EAP sessions not properly terminated) & hitting the session limit of each PSN. Each PSN node has a max EAP cache limit of 20k for the 3495 appliance or high-end UCS blades like the UCS C220, or 10k for the 3395 appliance. (Refer to Table 4 of the link below.)

http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa_c67-658591.html

Cisco gave us an engineering patch to fix it. But this will be included in patch 7 of ISE 1.2 in a few weeks' time. So you may never hit this bug as long as you are on that patch version of ISE.

CSCum60627 is the bug ID for anyone within Cisco to see the detail (it is still not visible to the public & I hope they will do that in future).

It took an enormous amount of resource hours to find the root cause & get this fix. Thanks to the Cisco Team around the globe for assisting us to resolve this issue.

HTH

Rasika
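The symptom described in this thread (a burst of 5443 drops on individual PSNs, roughly 100 per 15-20 s interval) can be watched for in exported authentication failure records. The following is an added example, not part of the original thread and not Cisco code; the `timestamp,PSN,failure code` record layout, the PSN names and the sample lines are constructed assumptions, and a real ISE export would have to be mapped to that layout first.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

EAP_LIMIT = "5443"  # "RADIUS request dropped due to reaching EAP sessions limit"
RELATED = {"5440", "5411"}  # other failure codes quoted in the thread

# Constructed sample records (not real ISE output): timestamp,PSN,failure code
SAMPLE = """\
2014-02-10T09:00:01,psn1,5443
2014-02-10T09:00:03,psn2,5443
2014-02-10T09:00:04,psn2,5440
2014-02-10T09:00:05,psn1,5443
2014-02-10T09:00:09,psn1,5443
this line is malformed and is skipped
2014-02-10T09:00:17,psn1,5443
2014-02-10T09:00:25,psn1,5443
2014-02-10T09:00:30,psn2,5411
""".splitlines()

def parse(lines):
    """Yield (epoch_seconds, psn, code); skip lines that do not match the assumed layout."""
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0]).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        yield int(ts.timestamp()), parts[1], parts[2]

def saturated_psns(lines, window_s=20, threshold=100):
    """Map each PSN to the tumbling windows in which its 5443 drops reached the threshold."""
    buckets = Counter()
    for epoch, psn, code in parse(lines):
        if code == EAP_LIMIT:
            buckets[(psn, epoch - epoch % window_s)] += 1
    hits = defaultdict(list)
    for (psn, start), n in sorted(buckets.items()):
        if n >= threshold:
            stamp = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
            hits[psn].append((stamp, n))
    return dict(hits)

def related_counts(lines):
    """Totals per (PSN, code) for the other failure codes quoted in the thread."""
    return dict(Counter((psn, code) for _, psn, code in parse(lines) if code in RELATED))

if __name__ == "__main__":
    print(saturated_psns(SAMPLE, threshold=3))  # low threshold only for the tiny sample
    print(related_counts(SAMPLE))
```

The default window and threshold mirror the failure rate quoted earlier in the thread; a PSN that keeps appearing in the result is a candidate for removal from the load-balancer pool while the cause is investigated.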

awatson20
Level 4

I am having some issues with EAP-TLS and getting RADIUS errors such as below. Cisco is thinking it's related to the bug you mentioned.

CSCum60627    Client EAP sessions never get cleared

Did you ever experience issues with wireless Apple clients authenticated through ISE getting dumped and falling back to a previous SSID? Below are the errors we are seeing in ISE.

5440 Endpoint abandoned EAP session and started new

5411 Suplicant stopped respsonding to ISE

5411 Supplicant stopped responding to ISE