https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688260#M521619 <P>RADIUS accounting will also trigger SNMP poll.</P> <P>&nbsp;</P> <P>Yes, it should fall back to another PSN for polling.</P> Tue, 14 Aug 2018 16:39:19 GMT howon 2018-08-14T16:39:19Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688195#M521526 <P>Hello,</P> <P>&nbsp;</P> <P>Please could someone explain exactly what is meant by the following two fields:</P> <P>&nbsp;</P> <P>- Timeout</P> <P>- EventTimeout</P> <P>&nbsp;</P> <P>In the SNMP query profiling configuration page?&nbsp; Also, are both fields in seconds?</P> <P>&nbsp;</P> <P>This is on ISE 2.2 patch 9. We have a number of 3850 switches with multiple units in a stack and I have a suspicion they're timing out.</P> <P>&nbsp;</P> <P>Thanks,</P> <P><BR />Dave</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 14 Aug 2018 15:39:57 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688195#M521526 Dave Lewis 2018-08-14T15:39:57Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688222#M521559 <P>Timeout: How long ISE waits for network device to respond in milliseconds.</P> <P>EventTimeout: How long ISE waits to perform targeted SNMP poll for specific interface after linkup/new MAC shows up in seconds.</P> <P>&nbsp;</P> <P>What is the symptom you are experiencing? If you suspect delayed response from the 3850, you can try increasing the Timeout value to see if it helps. Also, suggest looking into profiling debug as well.</P> Tue, 14 Aug 2018 16:07:30 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688222#M521559 howon 2018-08-14T16:07:30Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688238#M521575 <P>What is triggering you suspicion?&nbsp; ISE alarms for SNMP profiler?&nbsp; That alarm is mostly useless because ISE doesn't distinguish between an SNMP failure (we would care about this) to a NAD vs. SNMP failure to a client device (which is normal and we don't care about).&nbsp; In all my installs I shut off the SNMP failure alarm.</P> Tue, 14 Aug 2018 16:24:25 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688238#M521575 paul 2018-08-14T16:24:25Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688245#M521591 <P>Perfect, thank you.</P> <P>&nbsp;</P> <P>So is EventTimeout only used if ISE receives an SNMP trap from the NAD?&nbsp;Or do other events also trigger a poll of a particular interface? I don't have SNMP traps being sent to PSNs currently.&nbsp;</P> <P>&nbsp;</P> <P>Symptom is "<SPAN>Profiler SNMP Request Failure : Server= xxxx; NAD Address=10.x.y.z" frequently (around every 5 or 10 minutes) on multiple endpoints. I know the credentials etcetera are correct so I suspect a timeout.</SPAN></P> <P>&nbsp;</P> <P><SPAN>I have disabled the NMAP probe and I no longer see the errors about endpoints but I still receive these NAD failures.</SPAN></P> <P>&nbsp;</P> <P><SPAN>I haven't tried enabling debugs of profiling - would we expect a significant impact on&nbsp;the performance of the ISE nodes if we enable that?</SPAN></P> <P>&nbsp;</P> <P><SPAN>On a related note - in NAD configuration - if I set a 'preferred' SNMP polling PSN what happens if that PSN is out of service (e.g. due to an upgrade or a network issue)? Does it fail-back to&nbsp;using any other PSN or does it just fail?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks,</SPAN></P> <P>&nbsp;</P> <P><SPAN>Dave</SPAN></P> Tue, 14 Aug 2018 16:27:54 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688245#M521591 Dave Lewis 2018-08-14T16:27:54Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688259#M521604 <P>Hi Paul,</P> <P>&nbsp;</P> <P>We are seeing frequent SNMP profiler alarms specifically to NADs. We were previously receiving the alarms about endpoints but since disabling NMAP probe we only get the NAD alarms now.</P> <P>&nbsp;</P> <P>I know the credentials are correct so I suspect a timeout as my experience of 3850's is their&nbsp;control plane performance degrades exponentially the more switches you have in a stack.</P> <P>&nbsp;</P> <P>Thanks,</P> <P><BR />Dave</P> Tue, 14 Aug 2018 16:38:49 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688259#M521604 Dave Lewis 2018-08-14T16:38:49Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688260#M521619 <P>RADIUS accounting will also trigger SNMP poll.</P> <P>&nbsp;</P> <P>Yes, it should fall back to another PSN for polling.</P> Tue, 14 Aug 2018 16:39:19 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688260#M521619 howon 2018-08-14T16:39:19Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688277#M521624 <P>Ah okay thanks, that makes sense then as we're also experiencing an issue where the NADs are sending accounting updates too frequently (despite having the correct update newinfo periodic command). I have a TAC case open on that.</P> <P>&nbsp;</P> <P>Dave</P> Tue, 14 Aug 2018 17:01:22 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688277#M521624 Dave Lewis 2018-08-14T17:01:22Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688281#M521629 I shut off that alarm as well. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR /><BR /> Tue, 14 Aug 2018 17:03:19 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3688281#M521629 paul 2018-08-14T17:03:19Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3717000#M521635 Hi Dave, Did you get a reply from TAC about the accounting updates?<BR /><BR />Thanks Michael Tue, 02 Oct 2018 01:40:21 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3717000#M521635 duncanmj 2018-10-02T01:40:21Z https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3718126#M521640 <P>Hi Michael,</P> <P>&nbsp;</P> <P>I think the accounting updates was in a separate thread but I gave up on that with TAC, partly because it seems cosmetic and not&nbsp;having a significant detrimental impact and partly because I believe the problem (in our case) is caused by printers. Specifically HP printers running old firmware that initiate and respond to dot1x EAPoL frames even when you've disabled the setting. Thus these printers each try and fail to authenticate to ISE once per minute which triggers the ISE alerts, a firmware update on the printers fixes it. I've upgraded all printer firmware in our of our offices and am no longer receiving the 'too frequent accounting updates' message from those switches.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>&nbsp;</P> <P>Dave</P> Wed, 03 Oct 2018 09:51:01 GMT https://community.cisco.com/t5/network-access-control/psn-profiling-snmp-query-timers-question/m-p/3718126#M521640 Dave Lewis 2018-10-03T09:51:01Z