we have about 200 MRs some are 42 and most are 33. recently I start receiving calls about users unable to connect to to some MR33. no changes were made and i know other MR 33 in our network are working just fine. the MR in question is showing users with 0.0.0.0 IPs, Radius servers are configured correctly since these MRs were bounded to a template when first deployed. i checked ISE and the NAD is sending incomplete authentication requests often in the same millisecond. I don’t know how ISE is supposed to process them that fast i reboot it couple times, even removed it from ISE and add it back and still unable to figure this out. firmware is up-to-date 27.1.1. any thoughts? thank you in advance.
Cheers.
@ZeeBoussaid : I saw this issue earlier as well. Try to reset and if problem didn’t resolved open a case with Meraki
that's not the same issue, all my MRs have static assigned, the clients who are not getting a valid IP.
Any chance the DHCP scope is full?
What does Meraki Health show?
Is the VLAN that the SSID maps to definitely allowed on the switch port?
@ZeeBoussaid how is the MR33 connected to the MX, via a PoE injector or are you powering it directly? For the SSID you are connecting to, is it in bridged mode and have you set the VLAN to 100?
@cmr the MR is connected to port 4 on the MX, in bridge mode. port 4 on the MX is set to access Vlan100. Meraki is unable to figure this out, and asking to troubleshoot it in real time.
@ZeeBoussaid I'd set the port to trunk native 100 and my question was more have you set the VLAN on the SSID?
@cmr that's actually a good test to assign the port on the MX to truck with native 100. im just confused why out of 200 MRs this one refuses to work. i can use the Vlan tagging and assign Vlan 100 just for the sake of testing. i also get the error below in ISE, looks like a bottleneck somewhere.
@ZeeBoussaid did you get this resolved ? We are also experiencing issues with our MR33 and MR42 but not our MR36 that sound similar to yours. A number of our iPads can connect to the network but at random times normally after being unlocked from sleep they will display as connected but show as having no internet access.
Although our devices show as having an IP address we are getting the same "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session." in the ISE
We also have noticed that we get a "unexpectedly disassociated, but the client had a successful connection to <SSID> SSID 802.11 REASON (CODE 34) Missing Acknowledgements" within Clint Timeline, not sure if you get this ?
We have had a call in with support for few weeks now but haven't got to the bottom of he issue .
@JSalmond I have a ticket open with Meraki Support, they refer it to their Cisco TAC team, Meraki doesn't even know what the error showing in ISE means. the weird thing is, the MR33 that I initially had an issue with is now working, clients are getting IPs and authenticating correctly. yesterday I added a new MR42 in our HQ and I successfully connected to it at the beginning and then it dropped, my laptop won't get an IP. if you have multiple people unable to connect and it's a big deal, try to set the SSID with a PSK and no splash, it will bypass ISE temporarily. share the SSID password with your clients so they can connect while you can troubleshoot this.
I think the problem is ISE itself, check your last patch. we rebooted the 2 ISE radius servers and that seems to fix the issue.
What version of ISE are your PSNs running atm? We're on v2.6.0.156 and have started to experience the same issue only 2 days ago, which seemly only is limited to sites with clients trying to connect to 1 particular SSID via MR46 APs.
Seems like they're ISE Is struggling to respond to clients and is going in a loop with the 5441 & 5405 msgs.
Hi @henleyjj our ISE was running 2.7.0.356 with patches 2,4,5 and it now running patch 7 however the issue for us turned out to be caused by the bonjour service, once this was disabled we no longer experienced issues.
Unsure if the symptoms you are experiencing are the same as ours, I also have a post on the Cisco ISE community regarding our issue with a break down of the symptoms we had.
Hope you get your issue resolved