Cisco Support Community
New Member

ISE - AD 802.1x Authentication Failure (All of the sudden)

 

 

I have a WLC using ISE to authenticate through AD.  (No certificates - only username & password)

ISE is single node deployment.

 

It's been running fine for the past 6 months, but all of a sudden I get the following errors:

 

Failure Reason:  12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist

Resolution:  Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.

Root cause:  Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

 

Any ideas why this would happen?

 

17 REPLIES
Cisco Employee


Has anything changed in the environment? For example, have you introduced a load-balancer or made changes to an existing one?

 

Thank you for rating helpful posts! 

New Member


No.  NOTHING has changed.

 

I had to restart the ISE box this morning, and the problem went away.
 

Now I'm worried: what will cause it to come back again?

 

 

New Member


We had a similar issue. TAC had us go to the CLI and issue the following on the PSNs:

application configure ise

select 5

Answer yes to the next two questions.

This clears the AD cache and resolved our issue.

VIP Purple


Hi

Clearing the AD cache (or rebooting the PSN) is only a workaround, and it could occur again. We hit a similar issue, and ISE 1.2 patch 7 had a fix for that. Make sure your ISE environment is updated with the latest patch of ISE 1.2.0 or that you have 1.2.1.

PS: The bug detail is not published by Cisco; they keep it internal.

 

HTH

Rasika

**** Pls rate all useful responses ****

New Member


Hi,

Thanks for the reply. Running patch 9, also clearing the cache every Monday. Hopefully when we upgrade to 1.2.1 this will be resolved.

VIP Purple


Hi

Do you have multiple PSNs, and do you use a load balancer (F5, etc.) to load balance auth requests?

We have that kind of setup (F5 to load balance). In that scenario "Failure Reason:  12953" is not uncommon.

Generally we get less than 5% total auth failures every day. The main failure reason is the above.

Thanks for using the rating system as well.

HTH

Rasika

New Member


Hello,

We're getting this kind of failure. When the failure occurs, authentication stops. At this point, we have to restart the device to remediate the authentication.

The failure has an "anonymous" identity, as in the attachment.

The Cisco ISE version is 1.4.0.253.

Do you have any recommendation to solve the problem?

Kind regards,

Cisco Employee


Can you please share the bug ID that you are referring to?

Thank you for rating helpful posts!
VIP Purple


Hi Neno,

We were hitting CSCun25815

HTH

Rasika

**** Pls rate all useful responses ****

 

Cisco Employee


Thank you!!! (+5 from me)

Thank you for rating helpful posts!
New Member

Thanks, guys.

 

I have loaded all the latest patches, and thus far it is quite stable.

 

Jaco

New Member


Hi,

Have you configured a valid NTP server on ISE? Public or private?

 

Maybe something happened with the time configuration, this could explain the behaviour.

 

Best regards,

Matteo

New Member


Yes.  I have a Public NTP server configured.

 

 

Cisco Employee

Next time this happens (if it happens), check the following:

1. In CLI issue: show clock and verify that the time is correct and it matches your AD

2. In CLI issue: show ntp and verify that it is working and operational

3. In GUI check your AD connection: administration > identity management > external identity stores > active directory

Thank you for rating helpful posts!


The node was not joined to the domain which caused the error.

New Member

Salodh,

As stated, it was working fine for 6 months (hence it WAS joined to the domain).

It suddenly stopped working, and after I rebooted, it started working again.

 

 

Jaco

New Member

I'm receiving this error message also:

Failure Reason:  12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist

Resolution:  Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.

Root cause:  Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

 

But I'm running ISE 1.3 with patch 1, and I only noticed this after the upgrade.

The NAD is a 3560v2-24ps-s running c3560-ipservicesk9-mz.122-55.SE10.bin

Any ideas, anyone?
