I am getting the below error message from two PSNs (out of 4), resulting in 95% failed authentications on ISE:
"5443 RADIUS request dropped due to reaching EAP sessions limit"
Could not find any documents/references & am trying to get hold of TAC in the meantime.
If any of you know what it could be, please share your input.
Wish I could help you, but I haven't seen those errors on my ISE, just others :)
Help out others by using the rating system and marking answered questions as "Answered"
Thanks for that..
Here is a bit more information about this event log in the ISE system (1.2 Patch 4).
Event: 5405 RADIUS Request dropped
Failure Reason :5443 RADIUS request dropped due to reaching EAP sessions limit
Resolution : Wait a few seconds before invoking another RADIUS request with new EAP session. If system overload continues to occur, try restarting the ISE Server
Root cause: A RADIUS request was dropped due to reaching EAP sessions limit. This condition can be caused by too many parallel EAP authentication requests.
Worked with TAC & restarted the service on one PSN node, which brought that node back to normal condition, & removed the other PSN from the F5 pool until TAC analyzes the support bundle gathered from it.
It is not a heavily loaded environment (3k wireless clients) at the moment & it is a bit scary since we are expecting around 15k when students are back in early March. The authentication failure rate is around 100 in every 15-20s interval. Not sure what the limitation of the ISE system itself is for handling the number of EAP sessions per second.
Interesting. Keep us posted... Something maybe with the F5's?
It's a bug which will be fixed in ISE version 1.3
No event for failure reasons 5440/5441: Endpoint started a new session..
Thanks for this info, but I cannot see the bug detail due to privilege limitation.
Actually our error message is slightly different from what you posted:
5443 RADIUS request dropped due to reaching EAP sessions limit
This issue is critical for me at the moment as the other two PSN nodes failed today with the same error message.
Working with TAC on this, but they did not mention any known bug for this so far.
I moved this discussion to Security hoping someone could help on this. Working with TAC on this (P1 case #628971299) for the last 2 weeks, but no significant progress.
Finally Cisco managed to find the root cause for this. It was due to client EAP sessions never getting cleared (EAP sessions not properly terminated) & hitting the session limit of each PSN. Each PSN node has a max EAP cache limit of 20k for a 3495 appliance or high-end UCS blades like the UCS C220, or 10k for a 3395 appliance. (Refer to table 4 of below)
Cisco gave us an engineering patch to fix it. But this will be included in patch 7 of ISE 1.2 in a few weeks' time. So you may never hit this bug as long as you are on that patch version of ISE.
CSCum60627 is the bug ID for anyone within Cisco to see the detail (it is still not visible to the public & I hope they will do that in future).
It took an enormous amount of resource hours to find the root cause & get this fix. Thanks to the Cisco Team around the globe for assisting us to resolve this issue.
I am having some issues with EAP-TLS and getting RADIUS errors such as below. Cisco is thinking it's related to the bug you mentioned.
CSCum60627 Client EAP sessions never get cleared
Did you ever experience issues with wireless Apple clients authenticated through ISE getting dumped and falling back to a previous SSID? Below are the errors we are seeing in ISE.
5440 Endpoint abandoned EAP session and started new
5411 Supplicant stopped responding to ISE
5411 Supplicant stopped responding to ISE