topic Re: ISE Health Checks in Network Access Control

ISE Health Checks

Matthew Martin — Mon, 05 Dec 2022 16:45:41 GMT

Hello All,

ISE v2.7 patch 3

I am looking to install the latest Patch for v2.7. I noticed under Administration > System > Upgrade there's a message that says "Deployment is not healthy. Check the health in HealthChecks page . Click continue to go to the upgrade page."

I know the patch install is done through Administration > System > Maintenance > Patch Management, and not the Upgrade page. But, I'm thinking it might be a good idea to run the Health Checks prior to installing the patch...

Can the Health Checks be run during business hours without impacting endpoints/clients on the network?

Thanks in Advance,
Matt

Re: ISE Health Checks

Aref Alsouqi — Mon, 05 Dec 2022 17:01:12 GMT

Running ISE health check does not cause any interruption for your deployment. What ISE basically does with the health check is running a list of tasks, and based on the outcome it will judge if your deployment is healthy or not. That process won't have any auto-remediation or changes to your environment, hence, it is not disruptive.

Re: ISE Health Checks

Matthew Martin — Mon, 05 Dec 2022 17:14:14 GMT

Great, thank you!

Ran the checks after I got your reply... Only took about a minute for the checks to complete.

Question. The Trust Store Certificate Validation has an exclamation point and shows "0/2"... I checked the Trusted Certificates page and don't see an expired Certs on that page or anything expiring anytime soon. Could that message mean something else?

Re: ISE Health Checks

Aref Alsouqi — Mon, 05 Dec 2022 18:20:38 GMT

You welcome. Does it show you the Trust Store Certificate Validation as failed or passed the health check? Usually you would see 0/x if the health check task fails, in that case you will see it flagged in red, but if you see it in green with 0/2 I would ignore it.

Re: ISE Health Checks

Matthew Martin — Mon, 05 Dec 2022 19:18:35 GMT

I think I found the certs it was warning about under Certificates > Certificate Authority Certificates. There's 2 for each of our 2 nodes. One shows for OCSP Responder and the other says "...Endpoint Sub CA...". See below:

I do see valid OCSP Responder and Endpoint Sub CA certs that are still valid. But, when I clicked to Delete one of these expired Certs I get the following message, which sounded a little scary so I clicked Cancel:

Thanks Again,
Matt

Re: ISE Health Checks

Aref Alsouqi — Tue, 06 Dec 2022 09:35:30 GMT

Hi Matt, you can renew those certs by going into the Certificate Signing Requests section. Once you click on generate the request, you can select the usage from the usage drop down menu, alternatively you can remove them if they are not in use. One thing to keep in mind is that an upgrade process will fail if you have any expired certificate on ISE, however, I don't believe this would be the case with applying the patches.