Cisco ISE / CTS switch Issues

Jay233 — Tue, 09 Jun 2020 20:59:48 GMT

Hi All,

Recently noticed a strange issue with a few switches in our network.

Using SGT/CTS with ISE 2.4.

Switches are 9200 series, working ok until several switches started to show an error with CTS server info list I.E. marking the ISE servers as down?

2 switch outputs below (sw1 not working, sw2 working). The switches have the same config and in the same location, able to refresh env data and also PAC files on both switches without error.

The only difference I can see is info output for TAG 0:Unknown

The working switch shows "status alive" with auto-test=false?

The none working switch shows "status dead" with auto-test=true?

Can anyone explain this auto-test feature please.

Output for sw1 (error switch):

SW1#sh cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-01:Infrastructure
Server List Info:
Installed list: CTSServerList1-0004, 2 server(s):
*Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
*Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
    0-01:Unknown
    2-01:Infrastructure
    3-00:Network_Services
    4-00:Employees

Output for sw2 (working switch):

SW2#sh cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-01:Infrastructure
Server List Info:
Installed list: CTSServerList1-0004, 2 server(s):
  Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = ALIVE
          auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
  Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = ALIVE
          auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
    0-03:Unknown
    2-01:Infrastructure
    3-00:Network_Services
    4-00:Employees

Appreciate any help on this, not sure if its a bug or not.

Cheers,

Re: Cisco ISE / CTS switch Issues

Jay233 — Tue, 09 Jun 2020 21:06:32 GMT

Quick update: After a reboot on sw1# (No config change at all) the switch is now making the ISE servers as "alive" when I do sw1#show cts env data?

What is causing the switch to previously report the severs as "dead"?

Reboot and the issue disappears but for how long is the question.

Could this be an auth time type loop issue?

If anyone has a working CTS config and willing to post that would be great.

Thanks,

Re: Cisco ISE / CTS switch Issues

thomas — Fri, 12 Jun 2020 22:49:14 GMT

Sounds like a switch bug since a reboot fixed it.

Re: Cisco ISE / CTS switch Issues

Greg Gibbs — Sun, 14 Jun 2020 23:13:11 GMT

See this duplicate post:

https://community.cisco.com/t5/network-access-control/cisco-ise-cts-switch-issues/m-p/4101462

topic Re: Cisco ISE / CTS switch Issues in Network Access Control

Cisco ISE / CTS switch Issues

Re: Cisco ISE / CTS switch Issues

Re: Cisco ISE / CTS switch Issues

Re: Cisco ISE / CTS switch Issues