topic Re: Passive Identity Agent error in Network Access Control

Passive Identity Agent error

tkiel — Mon, 26 Sep 2022 10:34:55 GMT

ISE PIC Agent does not return any user/IP to ISE, keeps getting this error in CiscoISEPICAgent file:
022-09-26 01:10:29,053 ERROR - Rest Client, Error sending mapping {user=dummyMapping, ip=192.168.12.32} to https://S-CISCOISE02.domain.local:9095 : String was not recognized as a valid DateTime.

anyone got a hint?

Regards
Thomas

Re: Passive Identity Agent error

barrykaauamo — Tue, 27 Sep 2022 05:25:00 GMT

@tkiel wrote:
ISE PIC Agent does not return any user/IP to ISE, keeps getting this error in CiscoISEPICAgent file:
022-09-26 01:10:29,053 ERROR - Rest Client, Error sending mapping {user=dummyMapping, ip=192.168.12.32} to https://S-CISCOISE02.domain.local:9095 : String was not recognized as a valid DateTime.
United Airlines Flying Together
anyone got a hint?
Regards
Thomas

Thankful for the little by little useful exercise. Has conclusively the ordinary impact.

Re: Passive Identity Agent error

thomas — Sat, 01 Oct 2022 22:13:35 GMT

Call TAC to troubleshoot since you did not offer any details, logs, etc.

See for more details to provide next time.

Re: Passive Identity Agent error

tkiel — Sun, 02 Oct 2022 18:35:43 GMT

Hi Thomas

Which logs would you expect?
On the Domain Controller, the line is repeated constantly within the file: CiscoISEPICAgent.

Regards
Thomas

Re: Passive Identity Agent error

m.trautes — Thu, 24 Nov 2022 16:36:06 GMT

Hello Thomas,

do you have a solution for the problem. We have the same error on a ISE-PIC.

Regards

Michael

Re: Passive Identity Agent error

tkiel — Fri, 25 Nov 2022 07:25:45 GMT

Hi Michael

Unfortunately not yet, it is on my todo list 🙂
The documentation for troubleshooting ISE-PIC is very limited and this issue is not the connection to domain controller but more likely permissions on the domain controller.

Best luck
Thomas

Re: Passive Identity Agent error

AugustoS.Nunes — Thu, 26 Jan 2023 21:23:37 GMT

Hello Thomas,

I have the same issue here, and it's giving me this log on every user authentication, any updates so far?

Even TAC seems to be having an issue figuring this one out, at least on the case i opened.

Re: Passive Identity Agent error

stephane.merl — Wed, 15 Mar 2023 16:47:28 GMT

Hello AugustoS.Nunes,

Did you get any news from TAC ?
I currently facing the same issue.

CiscoISEPICAgent.log

2023-03-15 16:07:03,782 DEBUG - Continuing forward event : , Verified it is not a machine account... with username batman
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT ***** Reading Event *******
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT TimeGenerated in DC UTC = 03/15/2023 16:07:02
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT user = batman
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT domain = DCOMICS
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT ip = 192.168.10.212
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT latency = 1,0109357 seconds
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT agentTimeUTC , 03/15/2023 16:07:03
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT Received Time:15/03/2023 16:07:02, Latency:1,0109357, Computer:ad01.dcomics.lan, User:batman, Domain:DCOMICS, IP:192.168.10.212
2023-03-15 16:07:03,782 DEBUG - Rest Client, Sending mapping to https://isepic.dcomics.lan:9095: user=batman, ip=192.168.10.212
2023-03-15 16:07:03,829 ERROR - Rest Client, Error sending mapping {user=batman, ip=192.168.10.212} to https://isepic.dcomics.lan:9095 : String was not recognized as a valid DateTime.

passiveid-agent.log
2023-03-15 16:07:03,787 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- REST request arrived from client with hostname: ad01.dcomics.lan, ip: 192.168.10.211
2023-03-15 16:07:03,787 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Looking for Agent in configuration, with ip 192.168.10.211 or hostname ad01.dcomics.lan.
2023-03-15 16:07:03,788 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Current Agent hostname/ip in config: ad01.dcomics.lan
2023-03-15 16:07:03,792 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Received login event. Identity Mapping.probe = Agent , dc-host = /192.168.10.211 , Identity Mapping.server = isepic , event-operation-type = ADD ,
2023-03-15 16:07:03,792 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Validating incoming loging event...
2023-03-15 16:07:03,792 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- AgentTime 1678896423 DCTime 1678896422 ISETime 1678896423
2023-03-15 16:07:03,792 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Building login event to be published to session directory.
2023-03-15 16:07:03,792 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- retrieving user's additional informaion from Active Directory.
2023-03-15 16:07:03,833 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- recording login event into local log.
2023-03-15 16:07:03,836 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Forwarded login event to session directory. Identity Mapping.id-src-first-port = -1 , Identity Mapping.dc-domainname = dcomics.lan , Identity Mapping.id-src-port-start = -1 , Identity Mapping.probe = Agent , Identity Mapping.id-src-port-end = -1 , Identity Mapping.event-user-name = batman , Identity Mapping.dc-host = /192.168.10.211 , Identity Mapping.agentId = , Identity Mapping.server = isepic , Identity Mapping.event-ip-address = 192.168.10.212 ,
2023-03-15 16:07:03,836 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Publishing identity mapping event. Identity Mapping.id-src-first-port = -1 , Identity Mapping.dc-domainname = dcomics.lan , Identity Mapping.id-src-port-start = -1 , Identity Mapping.probe = Agent , Identity Mapping.id-src-port-end = -1 , Identity Mapping.event-user-name = batman , Identity Mapping.dc-host = /192.168.10.211 , Identity Mapping.agentId = , Identity Mapping.server = isepic , event-operation-type = ADD , Identity Mapping.event-ip-address = 192.168.10.212 ,
2023-03-15 16:07:03,836 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Details 192.168.10.212
2023-03-15 16:07:03,836 DEBUG [Grizzly-worker(3)][[]] com.cisco.idc.agent-probe- Going to publish login event...

On ISE-PIC, live Sessions stays empty...

Thank you !

[Edit]Added passiveid-agent.log from ISE-PIC

Re: Passive Identity Agent error

ASN — Wed, 15 Mar 2023 17:24:09 GMT

Hello Stephane,

I am on my personal account right now, but yes!

The issue seems to be with the Endpoint Check on ISE-PIC and FMC 7.2 which started dealing with "Unreachable" endpoints sent by ISE, basically ISE check's if the endpoint is active with this feature enabled (by default) through WMI and if isn't able to get a response comes back as "Unreachable" and starting on FMC 7.2, it "discards" this users and don't add them to the Active Sessions database.

The only two ways to resolve this seams to be from disabling the Endpoint Check on ISE-PIC (Providers>Endpoint Check) or let ISE-PIC connect through WMI on the workstations. We disabled the endpoint check and everything in fine now!

Also in regards to this log on the ISE Agent, a patch has to by applied to fix this since seems to be a bug, haven't try it yet but it's on our roadmap to do!
2023-03-15 16:07:03,829 ERROR - Rest Client, Error sending mapping {user=batman, ip=192.168.10.212} to https://isepic.dcomics.lan:9095 : String was not recognized as a valid DateTime.
CSCwd45843 > https://software.cisco.com/download/home/283801620/type/283802505/release/HP-CSCwd45843
Confirmed by TAC that can by applied on ISE-PIC even if it's an ISE download.

Re: Passive Identity Agent error

ronei.amorim — Thu, 01 Aug 2024 20:00:14 GMT

Hello stephane.merl

I hope you doing well.

Could you tell me how you enable this output logs in CiscoISEPICAgent.log?

2023-03-15 16:07:03,782 DEBUG - Continuing forward event : , Verified it is not a machine account... with username batman
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT ***** Reading Event *******
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT TimeGenerated in DC UTC = 03/15/2023 16:07:02
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT user = batman
2023-03-15 16:07:03,782 DEBUG - Domain Controller 192.168.10.211, EVT domain = DCOMICS

best regards!!

Ronei