Symptom
802.1x EAP-TLS failing on IOS-XE 16.12.5 and 17.3.3
Switch log:
%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (5c85.7e31.9b61) with reason (AAA Server Down) on Interface Fi1/0/14 AuditSessionID 5A02000A00000114F7057DAF Username: host/SD-Access1.sdap1.lab
%DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: sessmgrd: Authentication result overridden for client (5c85.7e31.9b61) on Interface Fi1/0/14 AuditSessionID 5A02000A00000114F7057DAF
ISE event:
5440 Endpoint abandoned EAP session and started new
Conditions
- Upgrading from 16.12.4 to 17.3.3 or 16.12.5
- System MTU is set to 9100
- Network device between NAD and the RADIUS server does not support jumbo MTU
- On the device with the lower-MTU interface, "show interface" shows ingress giant frame drops
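The conditions above can be checked mechanically. The script below is an added example, not part of this bug note: it correlates the switch log lines quoted in the Symptom section (constructed copies plus one unrelated failure) with a constructed "show interface" excerpt from the device on the lower-MTU link, and flags the combination of "AAA Server Down" failures and giants on an interface whose MTU is at or below 1500 as a suspected MTU mismatch. All sample input and function names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample: the two switch log lines from the Symptom section plus one
# unrelated failure, so the filter on the "AAA Server Down" reason is exercised.
SWITCH_LOG = """\
%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (5c85.7e31.9b61) with reason (AAA Server Down) on Interface Fi1/0/14 AuditSessionID 5A02000A00000114F7057DAF Username: host/SD-Access1.sdap1.lab
%DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: sessmgrd: Authentication result overridden for client (5c85.7e31.9b61) on Interface Fi1/0/14 AuditSessionID 5A02000A00000114F7057DAF
%DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aabb.cc00.0001) with reason (Cred Fail) on Interface Fi1/0/20 AuditSessionID 5A02000A0000011500000000 Username: bob
"""

# Constructed "show interface" excerpt from the device with the lower-MTU link;
# only the lines this parser reads are included.
SHOW_INTERFACE = """\
GigabitEthernet0/0/1 is up, line protocol is up
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     0 runts, 4213 giants, 0 throttles
GigabitEthernet0/0/2 is up, line protocol is up
  MTU 9100 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     0 runts, 0 giants, 0 throttles
"""

FAIL_RE = re.compile(r"%DOT1X-5-FAIL: .*?client \((?P<mac>[0-9a-f.]+)\) with reason "
                     r"\((?P<reason>[^)]*)\) on Interface (?P<intf>\S+)")
INTF_RE = re.compile(r"^(?P<intf>\S+) is (?:up|down|administratively down)")
MTU_RE = re.compile(r"MTU (?P<mtu>\d+) bytes")
GIANTS_RE = re.compile(r"(?P<giants>\d+) giants")

def aaa_down_failures(log):
    """Count DOT1X failures whose reason is 'AAA Server Down', keyed by switch port."""
    return Counter(m["intf"] for m in FAIL_RE.finditer(log)
                   if m["reason"] == "AAA Server Down")

def giant_drops(show_intf):
    """Parse 'show interface' output into {interface: (mtu, giants)}."""
    result, cur = {}, None
    for line in show_intf.splitlines():
        if m := INTF_RE.match(line):          # interface header line starts a new block
            cur = m["intf"]; result[cur] = [None, 0]
        elif cur and (m := MTU_RE.search(line)):
            result[cur][0] = int(m["mtu"])
        elif cur and (m := GIANTS_RE.search(line)):
            result[cur][1] = int(m["giants"])
    return {k: tuple(v) for k, v in result.items()}

def suspect_mtu_mismatch(log, show_intf, jumbo=1500):
    """(suspect?, AAA-down failures per port, non-jumbo links dropping giants)."""
    fails = aaa_down_failures(log)
    small_links = sorted(i for i, (mtu, g) in giant_drops(show_intf).items()
                         if mtu is not None and mtu <= jumbo and g > 0)
    return bool(fails) and bool(small_links), dict(fails), small_links
```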
Workaround
Traditional Networks:
Resolve MTU mismatches on any link in the path between the NAD and the RADIUS server.
For example, modify the interface L3 MTU on the device with the higher-MTU interface:
interface xxx
ip mtu 1500
ip tcp adjust-mss 1460
Note: If jumbo MTU is enabled across the entire path, there is still a chance that packets will be dropped on ingress at the RADIUS server interface.
SD-Access: Normally the MTU mismatch is on the link between the fusion router and the border node.
Modify the MTU on the border node underlay SVI/interface toward the fusion router to 1500 or less.
Example:
interface Vlan xxx
ip mtu 1500
ip tcp adjust-mss 1460
Further Problem Description
The behavior change is due to CSCvv56712.