Symptom
When a large number of authentications are attempted at the same time in an environment with high latency or high latency variability (jitter), the ADRT logic backs up the requests, and the (wireless) clients then abandon and retry because they were in the queue too long. This retry behavior, which is normal, exacerbates the problem during a period when the ADRT logic is waiting longer for responses from AD.
Conditions
High latency, high authentication TPS, and a large number of AD user groups.
Workaround
Deploy more ISE PSNs so that more SMB2 channels can be created; the queue can then still drain even though a single packet could be latent while waiting for a response. This is seen on 3.0p3.
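The interaction between blocked channels, client timeouts and retries can be reproduced with a small queue model. The following Python simulation is an added illustration, not Cisco code: the arrival rate, fixed AD latency, client timeout, retry limit and the rule that an abandoned request still consumes a lookup are all constructed assumptions, and `channels` stands in for the SMB2 channels that the workaround adds.

```python
from collections import deque

def simulate(channels, ad_latency_ms, new_per_sec=100, client_timeout_ms=1000,
             duration_ms=5000, max_tries=3):
    """Toy model of the backlog; every number here is a constructed assumption.
    A channel is held by one lookup until AD answers. A client that waits longer
    than client_timeout_ms abandons and retries; its stale request stays queued
    and still costs a lookup when it reaches a channel."""
    interval = 1000 // new_per_sec
    queue = deque()                # waiting requests: (client, enqueued_at)
    deadlines = deque()            # client give-up times: (when, client, attempt)
    inflight = [None] * channels   # per channel: (finish_at, client, enqueued_at)
    answered = set()
    stats = {"clients": 0, "ok": 0, "retries": 0, "failed": 0, "wasted_lookups": 0}
    t = 0
    while t < duration_ms or queue or deadlines or any(inflight):
        if t < duration_ms and t % interval == 0:    # a new client arrives
            queue.append((stats["clients"], t))
            deadlines.append((t + client_timeout_ms, stats["clients"], 1))
            stats["clients"] += 1
        for ch, job in enumerate(inflight):          # AD responses come back
            if job and job[0] <= t:
                _, client, enq = job
                if client not in answered and t - enq <= client_timeout_ms:
                    answered.add(client)
                    stats["ok"] += 1
                else:
                    stats["wasted_lookups"] += 1     # nobody is waiting any more
                inflight[ch] = None
        while deadlines and deadlines[0][0] <= t:    # clients that waited too long
            _, client, attempt = deadlines.popleft()
            if client in answered:
                continue
            if attempt < max_tries:                  # abandon and retry
                queue.append((client, t))
                deadlines.append((t + client_timeout_ms, client, attempt + 1))
                stats["retries"] += 1
            else:
                stats["failed"] += 1
        for ch in range(channels):                   # idle channels take work
            if inflight[ch] is None and queue:
                client, enq = queue.popleft()
                inflight[ch] = (t + ad_latency_ms, client, enq)
        t += 1
    return stats

if __name__ == "__main__":
    for channels, latency in [(4, 20), (4, 200), (24, 200)]:
        print(channels, latency, simulate(channels, latency))
```

With 4 channels, raising the lookup latency from 20 ms to 200 ms turns a clean run into retries, failures and wasted lookups; 24 channels at the same 200 ms latency drain the queue without a single retry.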
Further Problem Description
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html