
ISE Internal error suddenly appear

M.Jallad
Level 1

 

I started to see this error message suddenly 

"

[500] Internal Error

Please contact system administrator. If you are the System Administrator please consult the logs.

"

ISE deployment consists of two nodes: one carrying the Administration persona (primary) and Monitoring (secondary), and the other carrying the Administration persona (secondary) and Monitoring (primary) persona. The setup was running smoothly without any issues. ISE version was 1.2; after this issue appeared we did the required troubleshooting with no luck, so we upgraded both units to 1.3 and are still facing the same issue.

We noticed a strange behavior on the agent redirection ACL: when trying to reach basic services such as domain, DNS, ... (which are denied from redirection on the ACL), the traffic appears to be redirected to ISE (the counters of the last permit ACE in the redirection ACL increase continuously), which shouldn't be the case in the posturing stage.

Did anyone face this issue, and what does this mean? If you have any ideas, we would appreciate you sharing them with us...
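Added example (not part of the original post and not Cisco code): one way to quantify the redirect ACL symptom described above is to diff the per-ACE hit counters between two captures of `show ip access-lists`. The ACL name, addresses and counter values below are constructed sample data.

```python
import re

# One ACE line, e.g. "    10 deny udp any any eq domain (120 matches)".
# IOS omits the "(N matches)" suffix for an ACE that has never been hit.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl(text):
    """Return {sequence: (action, rule, hits)} for every ACE line in the capture."""
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, rule, hits = m.groups()
            aces[int(seq)] = (action, rule, int(hits or 0))
    return aces

def hit_deltas(before, after):
    """Return {sequence: (action, hits gained between the two captures)}."""
    old, new = parse_acl(before), parse_acl(after)
    return {seq: (action, hits - old[seq][2] if seq in old else hits)
            for seq, (action, _rule, hits) in new.items()}

def redirect_findings(before, after):
    """Report growth of the last permit ACE and the deny ACEs above it that stayed idle."""
    deltas = hit_deltas(before, after)
    permits = [s for s, (a, _d) in deltas.items() if a == "permit"]
    if not permits:
        return None
    last = max(permits)
    idle = sorted(s for s, (a, d) in deltas.items()
                  if a == "deny" and s < last and d == 0)
    return {"last_permit_seq": last,
            "last_permit_delta": deltas[last][1],
            "idle_deny_seqs": idle}

# Constructed captures taken a few minutes apart (hypothetical ACL name).
BEFORE = """Extended IP access list ACL-POSTURE-REDIRECT
    10 deny udp any any eq domain (120 matches)
    20 deny ip any host 192.0.2.10
    30 permit ip any any (400 matches)
"""
AFTER = """Extended IP access list ACL-POSTURE-REDIRECT
    10 deny udp any any eq domain (120 matches)
    20 deny ip any host 192.0.2.10
    30 permit ip any any (912 matches)
"""

if __name__ == "__main__":
    print(redirect_findings(BEFORE, AFTER))
```

Idle deny ACEs combined with a growing final permit ACE during posturing match the behavior reported in the post and are worth attaching to a TAC case.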


I just ran into this error 400 as well in 1.4. Disabled accounting as stated above and that did fix the problem. Interesting. 

Was scratching my head over this as the bug says to disable Accounting on the internal WLC but it should be fine leaving it on the foreign anchor.

Disabled the Foreign Anchor accounting and bam it just started working.

Hi,

Our setup is as the following:

Local WLC on location (3650 ios-xe with 3.6.5) with guest wlan anchored up to a 5508 (8.3.102) located offsite. Cisco ISE runs 2.1 patch 3.

Windows and mobile clients get the CWA with no errors and can authenticate to the guest network. But the Mac OSX (MacBook) users often get "400 Bad Request" when they are redirected to the CWA on ISE.

On our guest anchor the checkbox is checked but no servers are defined since we don't have any here. On the local WLC we use accounting-list. So we have to remove the checkbox on the anchor SSID although there are no servers listed?

I upgraded to 1.4, but I faced another error during redirection :(

It gives "[400] Bad Request"

 

Hello Pemasiri,

 

As there are multiple bugs with IE, try with other browsers (Firefox with Java applet), and if not resolved contact TAC to resolve the issue.

Naresh Ginjupalli
Cisco Employee

Hi,

Do you have any admin Access Restrictions enabled on your ISE node? If so, please check from which IP address you are accessing the ISE GUI.

If you have no such ISE restrictions, please check with the showtech file and see if your NICs are having the correct IP address and are not swapped.

If you are not having any issues with the above checks, then I would suggest to open a TAC case immediately.

Thanks,

Naresh

Hi Naresh,

I'm afraid this is not related to ISE GUI access. You see, the end user NAC agent is not popping up even if you wait. When checking further for troubleshooting I saw the above captured URL on the switch (this is the agent provisioning URL redirect policy returned from ISE for clients posturing); the correct URL should be the posturing URL, not this error page.

This issue happens when restarting the client PC. However, if you clear the authentication session manually on the switch, it successfully completes client posturing. However, after the next log off or restart the problem reappears.

hoytmann
Level 1

I'm seeing the same issue, just upgraded to 1.3. Did you resolve your issue?

Unfortunately the issue is still there. Did you have this issue on the previous version?

I think that I have the same issue here. Just upgraded to 1.3, we use a WLC redirect for CWA (self service guest). It appears to happen only a very small percentage of the time. I have checked and double checked my DNS configuration.

I have a case open with TAC. Just sent over debug logs. I took a peek and the guest log has the error "exception while handling page error: portalSessionId is null or empty", which may or may not be related.

Hopefully TAC has some answers but my guess is that 1.3 patches will resolve this.

I can't say I didn't know what I was getting into moving to 1.3 :]

 

Venkatesh Attuluri
Cisco Employee

Did you change ISE hostname, DNS resolvable on the ISE nodes?

Charlie Moreton
Cisco Employee

Change the DNS entries to point to the PSN. 

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

jai_chandra2001
Level 1

I faced the same problem on multiple PCs during deployment on fresh install 1.3. Bug CSCur94336. The trigger might not be the same, but maybe you are going through the same issue.

Primary issue is that when the ISE sends a redirect, there is a session id assigned to it. Both switch and ISE are aware of it during the policy enforcement duration (redirect duration). For some reason I guess the switch or ISE was deleting the session id. So the ISE returns the error saying it isn't aware of the session. With what I read on this thread so far, it didn't look like a configuration issue to me. But I think experts can throw more light on this.

Patch for this will be released in January.

Hi,

Actually the bug was raised after we opened the case with Cisco TAC and they decided to release patches for 1.2 (already released) and 1.3, which will be released soon. However, we are working normally on 1.2.1, so you can try it if you have urgent issues now.

Regards,

Muayad,

Hi, I think I have a similar or maybe the very same issue. However, it applies to wireless and to guest / onboarding services only.

We do not do any posturing, but we get similar internal errors when redirected to the guest portal. Sometimes it also shows errors about unknown radius session.

TAC ticket regarding the issue is open, but we did not yet get a final analysis. This is a multiple WLC deployment using anchors for guest services. It seems that the choice of WLC in the mobility group/anchor to which the access point is actually registered somehow affects the frequency of this error but we are not sure about it.

I understand from the other posts that it is clear that this is an issue with 1.3 and latest 1.2 releases and not a RADIUS authenticator issue, right? (Which would be helpful in our situation since we can update ISE easier than WLC.)

 

Regards,

Michael.
