New Member

ISE Internal error suddenly appear

 

I started to see this error message suddenly:

"[500] Internal Error

Please contact system administrator. If you are the System Administrator please consult the logs."

The ISE deployment consists of two nodes: one carrying the Administration persona (primary) and Monitoring (secondary), and the other carrying the Administration persona (secondary) and Monitoring (primary) persona. The setup was running smoothly without any issues. The ISE version was 1.2; after this issue appeared we did the required troubleshooting with no luck, so we upgraded both units to 1.3 and are still facing the same issue.

We noticed a strange behavior on the agent redirection ACL: when trying to reach basic services such as domain, DNS, ... (which are denied from redirection on the ACL), traffic appears to be redirected to ISE (the counters of the last permit ACE in the redirection ACL increase continuously), which shouldn't be the case in the posturing stage.

Has anyone faced this issue, and what does this mean? If you have any ideas, we would appreciate it if you shared them with us.

Accepted Solutions
New Member

I faced the same problem on multiple PCs during deployment on a fresh install of 1.3. Bug CSCur94336. The trigger might not be the same, but maybe you are going through the same issue.

The primary issue is that when the ISE sends a redirect, there is a session ID assigned to it. Both the switch and ISE are aware of it during the policy enforcement duration (redirect duration). For some reason I guess the switch or ISE was deleting the session ID, so the ISE returns the error saying it isn't aware of the session. With what I read on this thread so far, it didn't look like a configuration issue to me. But I think experts can throw more light on this.

Patch for this will be released in January.

40 REPLIES

Can you post your auth.+ post. policies? Since you are using 1.3, you can export the policies directly to your admin PC. While you face the above issue during posture, have you removed the network cable, reconnected the client and tested the network access? Are they able to go through it?

New Member

Hi Salodh,

Attached the exported policies.

You are right: when removing the cable, clearing the authentication session or logging off, the NAC agent pops up normally and the client gets postured. However, when restarting the PC, the problem appears again.

 

New Member

Hello,

We are also facing the same issue. We see that the browser is trying to redirect (see the attached printscreen), and when we manually entered the URL with session ID etc., it gave the internal server error message.

The strange thing is that it works for one SSID but does not work for another SSID. All the configuration is the same, and on ISE we see it hits the Web Auth redirection authz policy. The client can resolve the FQDN of ISE, etc.

Has anybody found any solution or workaround for this issue?

Thanks in advance

 

 

 

New Member

How many Wireless Controllers are involved in your situation? Is there a mobility group? (an active-standby HA config would count as one controller, since the standby does not do anything). Do you use anchor controllers? Maybe your SSIDs are anchored on different controllers?

 

If you have more than one controller, check if radius accounting is enabled for your SSIDs. If so, enable radius accounting at most on one of your controllers.

 

Multiple controllers, doing all accounting but with possibly different settings on different SSIDs, and maybe different timing issues involved, c/would cause your symptoms.

Check the link in my post above.

If you only have a single WLC, or already disabled accounting, then sorry, I do not have an idea.

Michael.

 

 

New Member

Hi Michael,


Thanks for your response. In our case we have only two controllers in a high-availability scenario.

I have tested with accounting both enabled and disabled but get the same error. The client gets the redirect URL with the browser showing "web authentication", but it simply keeps trying, and on ISE monitoring I can also see it hits the correct authz policy (redirection).

I am wondering why one SSID works without any issue and why it does not work for the other SSID with the same settings?

Any other thoughts from your experience?

Thanks in advance.

 

 

 

 

New Member

No, sorry. This scenario worked for me. I know - though - that there are apparently issues with WLCs creating consistent Radius session IDs and that ISE is easily confused about this and that this is one way to trigger an error 500 in ISE.

 

If you did not yet try, I'd recommend using latest 7.6. for WLC, 8.x has issues too. But this is also only a wild guess.

 

Michael.

New Member

Hi Michael,

Just to give you some update, we have upgraded the WLC to 7.6.130 code but the issue is still the same. 

I am already getting guest portal redirection for one SSID but not for the other SSID. On the client PC I can see the redirection URL, and the browser also shows the Web Authentication page trying to open, but it just keeps trying.

Regards,

Pemasiri

 

New Member

Hi all,

we faced this error from last week until yesterday!!

On the ISE, the configured port for guest was 8443!

After changing this to port 8449 and setting up a new portal page, all works fine as before!

I think only changing the port brings back the function!!

Maybe we found a workaround?

Best Regards. 

Mario

New Member

Hi, I got the same error 500 in a guest wireless deployment with a 5508 WLC. It was functioning quite well until the error appeared.

We have 2 ISE 1.3 with no patches installed (Two-Node-Redundant) with a 5508 WLC.

Do you suggest I change the port 8443 to a different one to solve the issue? After you made the change, have you found any other issues with error 500?

Hope you can help.

Thanks a lot.

New Member

I worked with TAC on this since the day that I made my initial post. It got to the point where they basically said "patch ISE and see if it goes away..."

I am currently in the process of upgrading to 1.4

New Member

I had the same error and got it to go away when I disabled RADIUS accounting on my anchor controller. I de-selected accounting altogether for that SSID.

Make sure your client is de-auth'd on both WLCs and try the CWA page again.

New Member

Since my last post I spoke with our help desk supervisor and it appears the issue is no longer present. 

New Member

Have you faced this error, "[400] Bad Request"? It appeared after user registration when clicking on "sign me On".

Hi John. 

It's correct. I had the same problem (redirect portal Guest)

===  

[ 400 ] Bad Request

The request is invalid due to malformed syntax or invalid data.

Possible cause is unknown, invalid, or terminated RADIUS session ID. Please advise the System Admin to consult the logs and ensure that the RADIUS session was not generated by a different PSN or due to a deny access policy match 

 

===
 

*** I DISABLED the RADIUS accounting on the anchor WLC and it WORKS!

Does somebody know why I have to make this change for it to work in Cisco ISE 1.4?

tks a lot
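An added example, not part of any post in this thread and not Cisco code: the 400 message above points at an unknown or terminated RADIUS session ID, and several replies tie the error to accounting arriving from more than one controller. The sketch below correlates portal requests with accounting events per session ID; the CSV columns, the `sessionId` URL parameter, the host name, addresses and IDs are all constructed assumptions, not ISE or WLC output.

```python
import csv
import io
from urllib.parse import urlparse, parse_qs

# Constructed sample data (not real ISE/WLC output); column names are assumptions.
ACCOUNTING = """time,nas,status,session_id
100,10.0.0.10,Start,0a00000a0000001f
105,10.0.0.20,Start,0a00000a0000001f
110,10.0.0.20,Stop,0a00000a0000001f
200,10.0.0.10,Start,0a00000a00000020
"""
# (time, URL requested by the client); the sessionId parameter name is an assumption.
BASE = "https://ise.example.test:8443/portal/gateway?action=cwa"
PORTAL_HITS = [
    (120, BASE + "&sessionId=0a00000a0000001f"),  # stopped by second NAS
    (210, BASE + "&sessionId=0a00000a00000020"),  # healthy
    (300, BASE + "&sessionId=0a00000a00000099"),  # never seen in accounting
    (310, BASE),                                  # no session ID at all
]

def load_sessions(text):
    """Group accounting events by session ID as (time, nas, status) tuples."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(text)):
        event = (int(row["time"]), row["nas"], row["status"])
        sessions.setdefault(row["session_id"], []).append(event)
    return sessions

def classify(hit_time, url, sessions):
    """Return the findings for one portal request."""
    sid = parse_qs(urlparse(url).query).get("sessionId", [""])[0]
    if not sid:
        return ["missing-session-id"]
    prior = sorted(e for e in sessions.get(sid, []) if e[0] <= hit_time)
    if not prior:
        return ["unknown-session"]
    findings = []
    if len({nas for _, nas, _ in prior}) > 1:
        findings.append("accounting-from-multiple-nas")
    if prior[-1][2] == "Stop":
        findings.append("session-stopped-before-request")
    return findings or ["ok"]

def report(hits=PORTAL_HITS, accounting=ACCOUNTING):
    sessions = load_sessions(accounting)
    return [classify(t, u, sessions) for t, u in hits]

if __name__ == "__main__":
    print(report())
```

A request flagged with both `accounting-from-multiple-nas` and `session-stopped-before-request` matches the anchor/foreign accounting pattern the replies describe; to use it on real data, map your own accounting export onto the four columns.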

 

New Member

I just ran into this error 400 as well in 1.4. Disabled accounting as stated above and that did fix the problem. Interesting. 

New Member

Was scratching my head over this as the bug says to disable Accounting on the internal WLC but it should be fine leaving it on the foreign anchor.

Disabled the Foreign Anchor accounting and bam it just started working.

New Member

Hi,

Our setup is as the following:

Local WLC on location (3650 IOS-XE with 3.6.5) with the guest WLAN anchored up to a 5508 (8.3.102) located offsite. Cisco ISE runs 2.1 patch 3.

Windows and mobile clients get the CWA with no errors and can authenticate to the guest network. But the Mac OSX (MacBook) users often get "400 Bad Request" when they are redirected to the CWA on ISE.

On our guest anchor the checkbox is checked but no servers are defined since we don't have any here. On the local WLC we use an accounting-list. So we have to remove the checkbox on the anchor SSID although there are no servers listed?

New Member

I upgraded to 1.4 , but I faced another error during redirection :(

it gives "[400] Bad Request "

 

Gold

Hello Pemasiri,

 

As there are multiple bugs with IE, try with other browsers (Firefox with Java applet), and if not resolved, contact TAC to resolve the issue.

Cisco Employee

Hi,

Do you have any admin Access Restrictions enabled on your ISE node? If so, please check from which IP address you are accessing the ISE GUI.

If you have no such ISE restrictions, please check the showtech file and see if your NICs have the correct IP addresses and are not swapped.

If you are not having any issues with the above checks, then I would suggest to open a TAC case immediately.

Thanks,

Naresh

New Member

Hi Naresh,

I'm afraid this is not related to ISE GUI access. You see, the end-user NAC agent is not popping up even if you wait. When checking further for troubleshooting, I saw the above captured URL on the switch (this is the agent provisioning URL redirect policy returned from ISE for client posturing); the correct URL should be the posturing URL, not this error page.

This issue happens when restarting the client PC. However, if you clear the authentication session manually on the switch, it successfully completes client posturing. However, after the next log off or restart, the problem re-appears.

New Member

I'm seeing the same issue, just upgraded to 1.3. Did you resolve your issue?

New Member

Unfortunately the issue is still there. Did you have this issue on the previous version?

New Member

I think that I have the same issue here. Just upgraded to 1.3, we use a WLC redirect for CWA (self service guest). It appears to happen only a very small percentage of the time. I have checked and double checked my DNS configuration.

I have a case open with TAC. Just sent over debug logs. I took a peek and the guest log has the error "exception while handling page error: portalSessionId is null or empty", which may or may not be related.

Hopefully TAC has some answers but my guess is that 1.3 patches will resolve this.

I can't say I didn't know what I was getting into moving to 1.3 :]

 

Cisco Employee

Did you change ISE hostname, DNS resolvable on the ISE nodes?

Cisco Employee

Change the DNS entries to point to the PSN. 

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

New Member

Hi,

Actually the bug was raised after we opened the case with Cisco TAC, and they decided to release patches for 1.2 (already released) and 1.3, which will be released soon. However, we are working normally on 1.2.1, so you can try it if you have urgent issues now.

Regards,

Muayad,

New Member

Hi, I think I have a similar or maybe the very same issue. However, it applies to wireless and to guest / onboarding services only.

We do not do any posturing, but we get similar internal errors when redirected to the guest portal. Sometimes it also shows errors about unknown radius session.

TAC ticket regarding the issue is open, but we did not yet get a final analysis. This is a multiple WLC deployment using anchors for guest services. It seems that the choice of WLC in the mobility group/anchor to which the access point is actually registered somehow affects the frequency of this error but we are not sure about it.

I understand from the other posts that it is clear that this is an issue with 1.3 and the latest 1.2 releases and not a RADIUS authenticator issue, right? (Which would be helpful in our situation, since we can update ISE more easily than the WLC.)

 

Regards,

Michael.
