topic Re: Cisco ISE 2.7 Messaging Service Not Running in Network Access Control

Cisco ISE 2.7 Messaging Service Not Running

O_H — Tue, 21 Feb 2023 13:41:57 GMT

We have 2 ISE nodes. We upgraded from 2.4 to 2.7 P9.

After the upgrade i noticed that the (ISE Messaging Service) is not running on Node 2. It keeps flapping between Initializing and not running. I applied patch 9 but that didn't change the situation.

I'm not sure of what is the actual impact. And how to solve this. I tried to regenrate CSR for this service, but didn't help. Also restarting the services or rebooting didn't help.

Re: Cisco ISE 2.7 Messaging Service Not Running

Charlie Moreton — Tue, 21 Feb 2023 14:03:46 GMT

To fix this you need to generate new deployment-wide signed certificates. This is a simple process that can be done by navigating to Administration > System > Certificates and choosing Certificate Signing Requests from the left menu
Click the button for Generate Certificate Signing Requests (CSR)

In the Usage field, select that the Certificate(s) will be used for ISE Messaging Service

Since this is an upgrade, ISE Messaging may not have been enabled previously, you need to select Generate CSR for ISE Messaging Service
Select ALL the ISE Nodes and fill out the certificate fields

Of course, you should follow any guidance and troubleshooting from the Cisco Identity Services Engine Upgrade Guide, Release 2.7
If you have already tried this and do not see any entries in the RADIUS Live Logs, navigate to Administration > System > Logging. You should see that Use ISE Messaging Service for UDP Syslogs delivery to MnT is enabled. This is a new feature that was released in ISE 2.6, disable this and call TAC for troubleshooting and assistance.

Re: Cisco ISE 2.7 Messaging Service Not Running

O_H — Tue, 21 Feb 2023 14:11:09 GMT

Hello. Thanks for the reply. As i stated that i tried to regenerate the CSR for this service but it didn't help. What is the impact of disabling (Use ISE Messaging Service for UDP Syslogs delivery to MnT)? And if this is disabled, should it fix it?

Also, i see Radius Live Logs already. This service is not running on the secondary node. It is already running on the primary node.

What is the impact of this service not running?

Re: Cisco ISE 2.7 Messaging Service Not Running

Charlie Moreton — Tue, 21 Feb 2023 14:17:50 GMT

From the 2.6 Release Notes:

Syslog over ISE Messaging

From Cisco ISE, Release 2.6, Monitoring and Troubleshooting (MnT) WAN Survivability is available for UDP syslog collection. Syslogs are recorded using ISE Messaging Service. The Remote Logging Targets, where the syslogs are collected and stored uses port TCP 8671 and the Secure Advanced Message Queuing Protocols (AMQPs) for sending syslogs to MnT.

By default, the ISE Messaging Service option is disabled until Cisco ISE, Release 2.6 Patch 1.

From Cisco ISE, Release 2.6 Patch 2 onwards, by default, the ISE Messaging Service option is enabled.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6

Business Outcome: Operational data will be retained for a finite duration even when the MnT node is unreachable.

Re: Cisco ISE 2.7 Messaging Service Not Running

O_H — Tue, 21 Feb 2023 14:21:48 GMT

Thanks for your response. I also noticed something... when i regenerate the CSR, i don't see the certificate in the Certificate Authority Certificates page. No matter how long i wait, it just doesn't show up. Not sure if this is normal. I tried multiple times already.

Re: Cisco ISE 2.7 Messaging Service Not Running

Aref Alsouqi — Tue, 21 Feb 2023 14:36:26 GMT

You wouldn't see it under the certificate authority section, depending on which certs you will regenerate, you would see the new generated certs under the trusted and system certs sections.

Re: Cisco ISE 2.7 Messaging Service Not Running

O_H — Thu, 23 Feb 2023 07:48:13 GMT

If i regenerate the ISE Root CA certificate first as explained here... is it confirmed that it doesn't have any whatsoever impact?
https://www.adamhollifield.com/2022/09/fix-cisco-ise-messaging-service.html