vWLC occasionally losing connection to ISE

Kristian Aasen
Level 1

Hi guys

Weird problem.

I have a vWLC (7.5.102.0) set up with an ISE 1.2 cu3 as a RADIUS server. Both are running on VMware 5.1 with Nexus 1000v.

I'm running 802.1x with a machine certificate.

Now the ISE and WLC are on the same subnet. No FW between.

Everything is working as planned, but every hour/hour-and-a-half I get this in my WLC log.

129  Mon Nov 25 20:50:36 2013  RADIUS auth-server 10.47.100.199:1812 available
130  Mon Nov 25 20:50:28 2013  RADIUS server 10.47.100.199:1812 failed to respond to request (ID 234) for client 6c:88:14:b9:72:fc / user 'host/PFPCNOLAP0131.protector.local'
131  Mon Nov 25 20:50:21 2013  RADIUS server 10.47.100.199:1812 failed to respond to request (ID 233) for client 6c:88:14:b9:72:fc / user 'host/PFPCNOLAP0131.protector.local'
132  Mon Nov 25 20:49:51 2013  RADIUS auth-server 10.47.100.199:1812 unavailable

This triggers a bucketload of problems and no clients are able to authenticate/re-authenticate.

vWLC is on a std Trunk port.

ISE on an access port.

I've tried downgrading the WLC, but no go.

Any idea where I should start looking?

Regards

Kristian
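
Added example, not part of the original post: a small parser that pairs the "unavailable" and "available" entries from the WLC log above and reports how long the RADIUS server was marked down and which clients timed out in that window. The function names are illustrative, and the accepted line format is assumed from the four lines posted.

```python
import re
from datetime import datetime

# WLC message-log lines as posted above: newest first, index and year fused to the text.
SAMPLE = """\
129Mon Nov 25 20:50:36 2013RADIUS auth-server 10.47.100.199:1812 available
130Mon Nov 25 20:50:28 2013RADIUS  server 10.47.100.199:1812 failed to respond to request (ID 234) for  client 6c:88:14:b9:72:fc / user 'host/PFPCNOLAP0131.protector.local'
131Mon Nov 25 20:50:21 2013RADIUS  server 10.47.100.199:1812 failed to respond to request (ID 233) for  client 6c:88:14:b9:72:fc / user 'host/PFPCNOLAP0131.protector.local'
132Mon Nov 25 20:49:51 2013RADIUS auth-server 10.47.100.199:1812 unavailable
"""

LINE = re.compile(r"^\s*\d*\s*([A-Za-z]{3} [A-Za-z]{3} +\d+ \d\d:\d\d:\d\d \d{4})\s*RADIUS\s+(.*)$")
STATE = re.compile(r"auth-server (\S+) (available|unavailable)$")
NO_REPLY = re.compile(r"server (\S+) failed to respond to request \(ID \d+\) for\s+client (\S+)")


def parse(text):
    """Return (timestamp, message) tuples, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2).strip()))
    return sorted(events, key=lambda e: e[0])


def outages(text):
    """Pair each 'unavailable' with the next 'available' for the same server."""
    open_, done = {}, []
    for ts, msg in parse(text):
        state = STATE.search(msg)
        timeout = NO_REPLY.search(msg)
        if state and state.group(2) == "unavailable":
            open_.setdefault(state.group(1), {"server": state.group(1), "down": ts,
                             "up": None, "seconds": None, "timeouts": 0, "clients": set()})
        elif state and state.group(1) in open_:
            o = open_.pop(state.group(1))
            o["up"], o["seconds"] = ts, int((ts - o["down"]).total_seconds())
            done.append(o)
        elif timeout and timeout.group(1) in open_:
            # Only requests that timed out while the server was marked down are counted.
            open_[timeout.group(1)]["timeouts"] += 1
            open_[timeout.group(1)]["clients"].add(timeout.group(2))
    return done + list(open_.values())  # still-open outages have up=None


if __name__ == "__main__":
    for o in outages(SAMPLE):
        print(o["server"], o["down"], "->", o["up"], o["seconds"], "s,",
              o["timeouts"], "timeouts,", sorted(o["clients"]))
```

Run over a full day of exported log lines, the list of outage windows shows whether the flaps recur at a fixed interval and whether the same client precedes each one.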

8 Replies

Nicholas Poole
Level 1

I have the same situation with a 5508 on 7.5.102 and ISE VM running 1.2 patch 6 (both devices' mgmt IP is on the same VLAN).

Did you get anywhere troubleshooting this?

 

All I could do is disable and enable the RADIUS server in the WLC to get it working. I don't know if it is a WLC problem and/or an ISE problem.

I'm seeing the same issue with my setup - virtual ISE + vWLC in the same subnet

Have you found a cause for this behaviour?

Hi guys

As of now the solution is stable (except for the guest network running through the ISE, dunno if it's due to the same thing).

So what "solved" it for us is as follows.

Now, I'm not an ISE guy so go gentle on me...

The ISE on VMware has 2 NICs, 1 mgmt and 1 virtual (dummy) card. Now no traffic goes through the dummy one.

However, if the dummy NIC was online, we had the issues. Then he disabled it, the problem stopped.

Why? No idea...

I'm now running the latest vWLC and ISE patch 5, but will be upgrading to latest patch next week.

As for the guest network, guests are disconnected and reconnected every 3-5 minutes. If anyone had the same issues, please let me know.

 

Kristian

 

Hi,

 

First off, don't upgrade to patch 7 just yet, there are some bugs with the sponsor/guest portal right now.

For the guest user disconnection, you should check the session timeout (per-wlan) and the idle timeout (global setting) on the WLC. Unless the guest account expires, ISE shouldn't send a CoA to the controller.

Kyle Nielsen
Level 4

The 7.5 code can be quite problematic in general, I would suggest moving to 7.6 if you can. 

What is your server timeout set to under the RADIUS server on ISE? (Default is 2 seconds, but I have seen cases like this when TAC had advised to jump that to 10)

I am running version 7.4.121, should be the most stable right now. Putting ISE and the vWLC into separate subnets seems to solve the issue completely.

I have tried various server timeout values up to 20 seconds, I usually get the same result. The loss of communication occurs when an endpoint errors out with "5434 Endpoint conducted several failed authentications of the same scenario" - this only happens when the two are in the same subnet.

routerhand99
Level 1

Using a vWLC - experiencing the same problem with RADIUS authentication. Have upgraded in stages to version 7.6.130.0. I think we need to concentrate on WLC configuration and possible code problems. The symptoms are the same "available - unavailable messages" between a RADIUS pair (not ISE systems). It is like the WLC shuns both RADIUS boxes.

It would not be unreasonable to suggest that this is a new problem introduced in the vWLC code as these servers are working just fine with two physical 5508 WLCs during periods when the virtual WLC starts flipping.  This is a pretty serious problem when it happens. The 7.6 line of code so far - has the same problem.

 

It looks like there is an Open Caveat (BUG) in 7.6.130.0. 

CSCun62368: RADIUS NAC Client auth issues for 7.6. 

"RADIUS NAC Client auth issues for 7.6"

***************************************************************************************************************

And another: CCSCun18315

"RADIUS server anomalies with controller. When the primary RADIUS server fails, the secondary or tertiary controllers fail within 2 seconds."

 
