topic Re: Cannot do Endpoint purge on ISE 3.1 P6 in Network Access Control

Cannot do Endpoint purge on ISE 3.1 P6

Da ICS16 — Thu, 30 May 2024 04:08:48 GMT

Dear Community,

There are lots of total endpoints amount on ISE dashboard.

As per reviews around 70% of endpoint are unknown.

We try to perform purge but cannot reduce above unknown devices.

Is it spice CPU issue regarding on ISE 3.1 P6?

In case we still cannot purge, does ISE become slow performance or leak another unavailable options/services?

Kindly share / advise how we can reduce the unknown device by do endpoint purge or else.

Thanks for your update and supporting.

Re: Cannot do Endpoint purge on ISE 3.1 P6

Arne Bier — Thu, 30 May 2024 23:20:40 GMT

There is no harm in leaving unknown endpoints lying around in ISE. it does not make ISE slower. If you were to reach 2 million or more endpoints though, you would be reaching the maximum tested limit by Cisco. Don't let it get to that stage!

You can delete endpoints in Context Visibility - up to 500 at a time. Filter on the ones you want to delete and select the maximum (e.g. 500) from the Rows/Page drop-down. Then tick the very first checkbox that selects all 500. Click Delete. Deletion can take a few minutes. Be patient - the GUI will return to normal.

But if you have thousands to delete, then a purge job would be the way to go.

Purge Rule

If Unknown AND ENDPOINTPURGE ElapsedDays GREATERTHAN 0

The only trick with that purge rule is that you cannot use the Endpoint Identity Group "Unknown" in another purge rule - ISE will complain.

Be very certain that you are OK deleting endpoints that land in the Unknown Endpoint Identity Group. If you are running a Gust Wi-Fi solution in ISE, then you are probably collecting many Unknowns, because of MAC address privacy settings in devices. These MAC addresses will not have a MAC OUI vendor prefix and therefore are genuine unknowns.

Re: Cannot do Endpoint purge on ISE 3.1 P6

Da ICS16 — Thu, 01 Aug 2024 09:53:45 GMT

Dear @Arne Bier ,

Endpoint Purge

we need to purge all UNKNOWN device with below condition.

- Unknown AND ENDPOINTPURGR InactiveDays GREATERTHAN 30

- ENDPOINTPURGE InactiveDays GRATHERTHAN 90

Which condtion we can perform purge?

To ensure no impact to other Active Endpoint PCs and MAB profiling.

Best Regards,

Re: Cannot do Endpoint purge on ISE 3.1 P6

Arne Bier — Thu, 01 Aug 2024 20:47:12 GMT

If I understand correctly, you want to purge inactive < 90 days endpoints that are in ANY Endpoint Identity Group - this is not possible because ISE expects you to select from the list of available Endpoint Identity Groups (or Profiling policies) - maybe select the Profiled Endpoints Identity Group, since you already took care of the Unknown ones.

Re: Cannot do Endpoint purge on ISE 3.1 P6

Da ICS16 — Fri, 02 Aug 2024 01:34:40 GMT

Yes, you are right.

Is it possible extend scope to this purge condition " Unknown AND ENDPOINTPURGR InactiveDays GREATERTHAN 30"?

Thanks,

Re: Cannot do Endpoint purge on ISE 3.1 P6

Arne Bier — Fri, 09 Aug 2024 00:13:47 GMT

what do you mean by "extend scope" ?

Re: Cannot do Endpoint purge on ISE 3.1 P6

rakeshdalvi — Tue, 13 Aug 2024 04:13:53 GMT

@Arne Bier

Is there any way to delete Older ""Disconnected"" endpoints ? we can delete endpoints in Context Visibility - up to 500 at a time but manually it is an time consuming as we have multiple older disconnected endpoints.

Regards

Rakesh

Re: Cannot do Endpoint purge on ISE 3.1 P6

Arne Bier — Thu, 15 Aug 2024 20:52:17 GMT

The purge rules don't have a limit on how many endpoints they will process. The purge rule will be processed against every endpoint, and if the rule is True, then the endpoint is deleted. That's why you must think carefully about what you're deleting - I always ensure that I never delete any endpoint that I have statically assigned to an endpoint (other than, say, ones for PXE Boot). There is a section above the purge rule that says "Never Purge" and I add those rules there - that protects them.

You've reminded me to look at my own rules now to see if they are working well - I reckon in most customer ISE deployments there are more stale/dead endpoints than necessary and could use a bit of housekeeping.