Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
VIP Purple

ISE-5443 RADIUS request dropped due to reaching EAP sessions limit

Hi Guys,

I am getting the below error message from two PSNs (out of 4) & resulting 95% failed authentications on ISE

"5443 RADIUS request dropped due to reaching EAP sessions limit"

Could not find any documents/reference & trying to get on hold TAC in the mean time.

If anyone of you know what could it be, pls share your inputs

TIA

Rasika

Everyone's tags (2)
9 REPLIES
Hall of Fame Super Silver

ISE-5443 RADIUS request dropped due to reaching EAP sessions lim

Rasika,

Wish I could help you, but I haven't seen those errors on my ISE, just others:)

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
VIP Purple

Re: ISE-5443 RADIUS request dropped due to reaching EAP sessions

Hi Scott,

Thanks for that..

here is bit more information about this evnts log in ISE system (1.2 Patch 4).

Event: 5405 RADIUS Request dropped

Failure Reason :5443 RADIUS request dropped due to reaching EAP sessions limit

Resolution : Wait a few seconds before invoking another RADIUS request with new EAP  session. If system overload continues to occur, try restarting the ISE  Server

Root cause: A RADIUS request was dropped due to reaching EAP sessions limit. This  condition can be caused by too many parallel EAP authentication  requests.

Worked with TAC & restarted the service of one PSN node & that brings that node to normal condition & removed the other PSN form the F5 pool until TAC analyze gathered support bundle from that.

It is not heavily loaded environment (3k wireless clients) at the moment & bit scary since we are expecting around 15k when students are back in early March. Authentication failure rate is around 100 in every 15-20s interval. Not sure what is the limitation of the ISE system itself to handle number of EAP sessions per second.


Rasika

Hall of Fame Super Silver

Re: ISE-5443 RADIUS request dropped due to reaching EAP sessions

Interesting. Keep us posted... Something maybe with the F5's?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: ISE-5443 RADIUS request dropped due to reaching EAP sessions

Its a bug which will be fixed in  ISE version 1.3

CSCuh86885

No event for failure reasons 5440/5441: Endpoint started a new session..

VIP Purple

Re: ISE-5443 RADIUS request dropped due to reaching EAP sessions

Hi Naveen,

Thanks for this info, but I cannot see the bug detail due to previledge limitation.

Actually our error msg is slightly differnt what you posted

5443 RADIUS request dropped due to reaching EAP sessions limit

This issue is critical for me at the moment as other two PSN nodes fails today with same error message.

Working with TAC on this, but they did not mention any known bug for this so far.

Regards

Rasika

New Member

My God! Ise drive me nuts..

My God! Ise drive me nuts.. after version 1.1.1 until 1.2.1 and a lot of patches.. this solution should be more stable..

VIP Purple

Re: ISE-5443 RADIUS request dropped due to reaching EAP sessions

Hi Guys,

I moved this discussion to Security hoping someone could help on this. Working with TAC on this (P1 case #628971299), for last 2 weeks but no singnificant progress.

TIA

Rasika

VIP Purple

ISE-5443 RADIUS request dropped due to reaching EAP sessions lim

Finally Cisco managed to find the root cause for this. It was due to client EAP sessions never get cleared (not properly terminated EAP sessions) & hit the session limit of each PSNs. Each PSN nodes has max EAP cache limit of 20k  for 3495 appliance or high end UCS blades like UCS C220  or 10k for 3395 appliance. (Refer table 4 of below)

http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa_c67-658591.html

Cisco gave an engineering patch to fix it for us. But this will include patch 7 of ISE 1.2 in few weeks time. So you may never hit this bug as long as you are on that patch version of ISE.

CSCum60627 is the bug ID for anyone within Cisco to see detail (still it is not visible to public & I hope they will do that in future)

It took enormous amount of resource hours to find the root cause & get this fix. Thanks to Cisco Team around the globe for assisting us to  resolve this issue.

HTH

Rasika

New Member

I am having some issues with

I am having some issues with EAP-TLS and getting radius errors such as below.  Cisco is thinking its related to the bug you mentioned.

CSCum60627    Client EAP sessions never get cleared

Did you ever experience issues with wireless apple clients authenticated through ISE getting dumped and falling back to a previous SSID?  Below are the errors we are seeing in ISE.

 

5440 Endpoint abandoned EAP session and started new

 

5411 Suplicant stopped respsonding to ISE

 

5411 Supplicant stopped responding to ISE

2159
Views
0
Helpful
9
Replies
CreatePlease to create content