...
802.1x EAP-TLS failing on IOS-XE 16.12.5 and 17.3.3

Switch log:
%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (5c85.7e31.9b61) with reason (AAA Server Down) on Interface Fi1/0/14 AuditSessionID 5A02000A00000114F7057DAF Username: host/SD-Access1.sdap1.lab
%DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: sessmgrd: Authentication result overridden for client (5c85.7e31.9b61) on Interface Fi1/0/14 AuditSessionID 5A02000A00000114F7057DAF

ISE event:
5440 Endpoint abandoned EAP session and started new

- Upgrading from 16.12.4 to 17.3.3 or 16.12.5
- System MTU is set to 9100
- Network device between NAD and the RADIUS server does not support jumbo MTU
- On the device with the lower MTU interface, "show interface" shows ingress giant frame drops

Traditional Networks:
Resolve MTU mismatches on any links in the path between the NAD and the RADIUS server. For example, modify the interface L3 MTU on the device with the higher MTU interface:

interface xxx
 ip mtu 1500
 ip tcp adjust-mss 1460

Note: If jumbo MTU is enabled across the entire path, there's a chance that packets will be dropped ingress on the RADIUS server interface.

SD-Access:
Normally the MTU mismatch is on the link between the fusion router and border node. Modify the MTU on the border node underlay SVI/interface to the fusion router to 1500 or less. Example:

interface Vlan xxx
 ip mtu 1500
 ip tcp adjust-mss 1460

The behavior change is due to CSCvv56712.
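
The "show interface" condition listed above can be checked over saved output from each hop between the NAD and the RADIUS server. This is an added example, not part of the bug record or Cisco's tooling: it parses the MTU and giants counters per interface and flags interfaces below the NAD's system MTU of 9100 that report giants. The sample output, interface names and counters are constructed, and the function names are hypothetical.

```python
import re

# Constructed "show interface" excerpt (trimmed to the lines that matter);
# interface names and counter values are invented for illustration.
SAMPLE = """\
TenGigabitEthernet1/0/1 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     0 runts, 1204 giants, 0 throttles
TenGigabitEthernet1/0/2 is up, line protocol is up (connected)
  MTU 9100 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     0 runts, 0 giants, 0 throttles
GigabitEthernet1/0/3 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     0 runts, 0 giants, 0 throttles
"""

HEADER = re.compile(r"^(\S+) is .*line protocol is ", re.M)
MTU = re.compile(r"\bMTU (\d+) bytes")
GIANTS = re.compile(r"\b(\d+) giants\b")

def parse_interfaces(text):
    """Split the output into per-interface blocks and extract MTU and giants."""
    starts = [m.start() for m in HEADER.finditer(text)] + [len(text)]
    found = []
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        mtu = MTU.search(block)
        giants = GIANTS.search(block)
        found.append({
            "name": HEADER.match(block).group(1),
            "mtu": int(mtu.group(1)) if mtu else None,
            "giants": int(giants.group(1)) if giants else 0,
        })
    return found

def mtu_mismatch_suspects(interfaces, nad_mtu=9100):
    """Interfaces smaller than the NAD's system MTU that are counting giants."""
    return [i for i in interfaces
            if i["mtu"] is not None and i["mtu"] < nad_mtu and i["giants"] > 0]

if __name__ == "__main__":
    for i in mtu_mismatch_suspects(parse_interfaces(SAMPLE)):
        print(f'{i["name"]}: MTU {i["mtu"]}, {i["giants"]} giants')
```

A non-zero giants counter only shows that oversized frames reached the interface at some point; clear the counters and retry an EAP-TLS authentication to confirm the drops are current.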