MnT Node not receiving logs from PSN

GRANT3779 — Mon, 17 Jan 2022 16:36:12 GMT

Hi CSC,

I have a 2 Node deployment -

Node A - Admin (Pri) MnT (Sec), PSN

Node B - Admin (Sec) MnT (Pri), PSN

When using Node A for TACACs - all logs visible within ISE

When using Node B for TACACs - Authentication etc.. is all good but logs are not being sent to the primary MnT node.

Using self signed certificates for messaging service. Does each node require the others Messaging Service Certificate to be exported and installed to each other?

I'm assuming it is indeed the messaging service responsible for this logging element that isn't working?

Also have the following checked -

"Use "ISE Messaging Service" for UDP Syslogs delivery to MnT"

Thanks

Re: MnT Node not receiving logs from PSN

thomas — Sat, 22 Jan 2022 20:07:16 GMT

Yes, each ISE node needs to trust the others so the other nodes' self-signed certificate(s) and must be in the other node's Trusted Certificates store. This is one of the many reasons why you should never use self-signed certificates in a production deployment. When you joined the Secondary node to the primary, you had to accept the following ⚠ Warning:

The node you are trying to register uses a self-signed certificate which is not trusted.
Are you sure you want to trust this certificate and proceed with registration?
If you are unsure, please click 'Cancel Registration'. Manually import relevant certificate chain of Node that is being registered into 'Trusted Certificates' and ensure 'Trust within ISE' checkbox is selected.
Please note that this certificate will by default be trusted only for authentication within ISE. If the same certificate needs to be used for other purposes (e.g. client authentication and syslog), please enable those options by editing the certificate under the 'Trusted Certificates' page.

Additionally, I don't know what your datacenter colocation or distribution setup is but in the ISE Admin Guide, Syslog over Cisco ISE Messaging Service provides guidance for which ports are used to communicate :

Syslog over Cisco ISE Messaging Service

Cisco ISE, Release 2.6, offers MnT WAN survivability for the default, built-in UDP syslog collection targets, LogCollector and LogCollector2. This survivability can be enabled by the option Use "ISE Messaging Service" for UDP Syslogs delivery to MnT (In the Cisco ISE GUI, click the Menu icon (𑁔) and choose System > Logging > Log Settings). After you enable this option, the UDP syslogs are protected by Transport Layer Security (TLS).

The Use "ISE Messaging Service" for UDP Syslogs delivery to MnT option is disabled by default in Cisco ISE, Release 2.6, First Customer Ship (FCS). This option is enabled by default in Cisco ISE, Release 2.6, Cumulative Patch 2 and later releases.

Using the Cisco ISE messaging service for UDP syslogs retains the operational data for a finite duration even when the MnT node is unreachable. The MnT WAN survivability period is approximately 2 hours and 30 mins.

This service uses TCP port 8671. Configure your network accordingly and allow the connections to TCP port 8671 on each Cisco ISE node from all other Cisco ISE nodes in the deployment. The following features also use Cisco ISE messaging service: Light Session Directory (see the section "Light Session Directory" in Chapter "Set Up Cisco ISE in a Distributed Environment" in the Cisco Identity Service Engine Administrator Guide , and Profiler Persistence Queue. .

You may also refer to the Cisco ISE Ports Reference for other required ports.

topic Re: MnT Node not receiving logs from PSN in Network Access Control

MnT Node not receiving logs from PSN

Re: MnT Node not receiving logs from PSN

Syslog over Cisco ISE Messaging Service