Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vWLC occasionally losing connection to ISE

Hi guys

Weird problem.

I have a vWLC (7.5.102.0) set up with a ISE 1.2 cu3 as a RADIUS server. Both running on VMware 5.1 with Nexus 1000v.

I'm running 802.1x with a machine certificate.

Now the ISE and WLC is on the same subnet. No FW between.

Everything is working as planned, but every hour/hour-and-a-half I get this in my WLC log.

129Mon Nov 25 20:50:36 2013RADIUS auth-server 10.47.100.199:1812 available
130Mon Nov 25 20:50:28 2013RADIUS  server 10.47.100.199:1812 failed to respond to request (ID 234) for  client 6c:88:14:b9:72:fc / user 'host/PFPCNOLAP0131.protector.local'
131Mon Nov 25 20:50:21 2013RADIUS  server 10.47.100.199:1812 failed to respond to request (ID 233) for  client 6c:88:14:b9:72:fc / user 'host/PFPCNOLAP0131.protector.local'
132Mon Nov 25 20:49:51 2013RADIUS auth-server 10.47.100.199:1812 unavailable

This trigger a bucketload of problems and no clients are able to authenticate/re-authenticate.

vWLC is on a std Trunk port.

ISE on a access port.

I've tried downgrading the WLC, but nogo.

Any idea where I should start looking?

Regards

Kristian

8 REPLIES
New Member

I have the same situation

I have the same situation with a 5508 on 7.5.102 and ISE VM running 1.2 patch 6.  (both devices mgmt IP is on same VLAN)

Did you get anywhere troubleshooting this?

 

All I could do is disable and enable the RADIUS server in the WLC to get it working.  I dont know if it is a WLC problem and/or an ISE problem.

New Member

I'm seeing the same issue

I'm seeing the same issue with my setup - virtual ISE + vWLC in the same subnet

Have you found a cause for this behaviour?

New Member

Hi guysAs of now the solution

Hi guys

As of now the solution is stable (except for the guest network running through the ISE, dunno if it's due to the same thing).

So what "solved" it for us is as follows.

Now, I'm not a ISE guy so go gentile on me...

The ISE on VMware has 2 NICs, 1 mgmt and 1 virtual (dummy) card. Now no traffic goes through the dummy one.

However, if the dummy nic was online, we had the issues. Then he disabled it, the problem stopped.

Why? No idea...

I'm now running the latest vWLC and ISE path 5, but will be upgrading to latest patch next week.

As for the guest network, guest are disconnected and reconnected avery 3-5 minutes. If anyone hade the same issues, please let me know.

 

Kristian

 

New Member

Hi, First off don't upgrade

Hi,

 

First off don't upgrade to patch 7 just yet, there are some bugs with the sponsor/guest portal right now.

For the guest user disconnection, you should check the session timeout (per-wlan) and the idle timeout (global setting) on the WLC. Unless the guest account expires, ISE shouldn't send a CoA to the controller.

New Member

The 7.5 code can be quite

The 7.5 code can be quite problematic in general, I would suggest moving to 7.6 if you can. 

 What is your server timeout set to under the RADIUS server on ISE? (Default is 2 seconds, but i have seen cases like this when TAC had advised to jump that to 10)

New Member

I am running version 7.4.121,

I am running version 7.4.121, should be the most stable right now. Putting ISE and the vWLC into separate subnets seems to solve the issue completely.

I have tried various server timeout values up to 20 seconds, I usually get the same result. The loss of communication occurs when an endpoint errors out with "5434 Endpoint conducted several failed authentications of the same scenario" - this only happens when the two are in the same subnet.

New Member

Using a vWLC  - experiencing

Using a vWLC  - experiencing the same problem with RADIUS authentication.  Have upgraded in stages to version  7.6.130.0.   I think we need to concentrate on WLC configuration and possible code problems. The symptoms are the same "available - unavailable messages" between a RADIUS pair (not ISE systems).  It is like the WLC shuns both RADIUS boxes.

It would not be unreasonable to suggest that this is a new problem introduced in the vWLC code as these servers are working just fine with two physical 5508 WLCs during periods when the virtual WLC starts flipping.  This is a pretty serious problem when it happens. The 7.6 line of code so far - has the same problem.

 

New Member

It looks like there is an

It looks like there is an Open Caveat (BUG) in 7.6.130.0. 

CSCun62368: RADIUS NAC Client auth issues for 7.6. 

"RADIUS NAC Client auth issues for 7.6"

***************************************************************************************************************

And another: CCSCun18315

"RADIUS server anomalies with controller. When the primary RADIUS server fails, the secondary or tertiary controllers fail within 2 seconds."

 

277
Views
0
Helpful
8
Replies
CreatePlease login to create content