topic Re: Cisco ISE 2.6 error message in Network Access Control

Cisco ISE 2.6 error message

jm.virtual01 — Thu, 26 Dec 2019 18:06:59 GMT

I have upgraded the Cisco ISE 2.2 to 2.6 recently, it is distributed deployment. After teh upgradation, i am seeing this alarm from my primary MnT node;

Error Message:

Alarm Name :

Log Collection Error

Details :

Syslog parsing error : String index out of range: -1

i am not sure about the reason for this alarm but wanted to make this alarm shuts off.

Please reply here of anyone has some suggestion for this issue

Re: Cisco ISE 2.6 error message

Francesco Molino — Fri, 27 Dec 2019 05:52:45 GMT

Hi

Here i would suggest to open a tac case. I had an issue on the last when ise saw a username with a sign / but it should be solved now.

Re: Cisco ISE 2.6 error message

jm.virtual01 — Fri, 27 Dec 2019 13:38:10 GMT

Thank you Sir,

DO you know from where i can find the string configuration in ISE?

Re: Cisco ISE 2.6 error message

Francesco Molino — Mon, 30 Dec 2019 01:27:32 GMT

You can start looking at the file ise-psc.log.
But be aware that some of your logging categories must be in debug mode to have a more verbose log.

Re: Cisco ISE 2.6 error message

jm.virtual01 — Mon, 30 Dec 2019 18:31:30 GMT

Which logging category need to be set on DEBUG level for these logs?

Re: Cisco ISE 2.6 error message

jm.virtual01 — Mon, 30 Dec 2019 18:37:44 GMT

This is the error message i found form the logs

2019-12-15 00:02:07,231 WARN [pool-81918-thread-1][] cisco.epm.cert.validator.CRLCache -::::- Unable to download CRL javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839 ]; remaining name ''

Is there any suggestion on this?

Re: Cisco ISE 2.6 error message

Jason Kunst — Thu, 02 Jan 2020 18:41:50 GMT

please work through the TAC if not getting resolution for break fix troubleshooting

Re: Cisco ISE 2.6 error message

Arne Bier — Thu, 09 Jan 2020 06:10:08 GMT

Hi @jm.virtual01

I have seen this since ISE 2.2 - it's due to ISE's attempt at trying to download a CRL by inspecting the CDP (CRL Distribution Point). If the certificate was created using Microsoft CA (which is very common in the Enterprise), then the default template includes the CA's URL as an LDAP address. But ISE has no credentials to bind to that URL using LDAP - hence, it fails.

If I remember correctly, you can fix that error by specifying a manual CRL URL for every trusted CA cert that you have added in ISE. This then causes ISE to ignore the CDP, and use your manual URL instead.