topic Re: ISE: issue about connected endpoints, active sessions and Inactive in Network Access Control

ISE: issue about connected endpoints, active sessions and InactiveDays

marco.merlo — Mon, 20 Jan 2025 09:17:00 GMT

Hi to all,

We know that we can get information about the number of connected endpoints to a ISE deployment we have 3 ways:

1)Filtering on "connected status" on Total Endpoints

2)Looking at the "active session" and licence counters

3)Looking for endpoints with InactiveDays 0 in the Full Report from "application configure ISE" if profiler services are active on PSNs

Of course the 3 counters can't be exactly the same but should be very similar and in our deployment they used to be so at least until April 2024. Then counter 1 and 2 began to differ but this is due to a well known bug ( https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj16540 "
Cisco ISE 3.2 Patch 4 Context Visibility does not match Live Logs or Sessions."). Lat week I performed a full report when the gui was listing about 17000 Active session and 9000 connected endpoints but the number of enpoinds with elapsed days to 0 was just about 1500!

I expected a value near 9000 or 17000 not 1500!
Has anyone experienced a similar issue?

Regards
M

Re: ISE: issue about connected endpoints, active sessions and Inactive

Arne Bier — Mon, 20 Jan 2025 21:51:22 GMT

I have not seen such a huge disparity, but your analysis is correct - there is no single point of truth in ISE about active sessions. Which is concerning, since licensing depends on it, and we don't want to purchase more licenses than is necessary - but we need accurate information to make a clear purchase decision.

Have you tried the Context Visibility Resync exercise? I have done that in the past and it can often clean out a lot of junk ... at least for a while.

And we must also remember, that we should check and validate that every NAD is sending at least Accounting Start/Interim/Stop to ISE - if there are no Accounting Interim requests sent to ISE, then ISE will consider a session 'dead' after 5 days of receiving the Start (and not having received a Stop yet). On IOS, best practice is to send Interims every 2880 minutes (48 hours) or sooner, if Device Sensor is used and detects a change.

It's useful having a look at ISE Operational Reports to see if these Accounting Requests are being received by ISE. In the past I have found gaps/config mistakes on devices and also buggy IOS code that didn't always send Accounting - in that case, it's not ISE's fault. Check the state of your NADs, and then also resync the Context Visibility. That might do the trick.

Re: ISE: issue about connected endpoints, active sessions and Inactive

marco.merlo — Tue, 21 Jan 2025 08:34:45 GMT

Hi Arne,

thank you for the replay: at least for one endpoint I checked deeper it's not a NAD misconfiguration issue. I even forced a re-authentication and in context visibility I still have the correct information but performing a query exploiting dbconnect feature I saw that update time was not changed for that point and the full report still reports a InactiveDays > 0. Something happened on ISE at Jun 2024 . I saw that dbconnect retrieves data from secondary MNT but an API query showed me that both mnts report the same number of active sessions. I gave a though about context visibility resync but I have to say that context visibility seems to have the correct information so I am afraid syncing db to context would make things worse.
Anyway I opened case hoping that this time TAC will be more efficient: the last case I opened took 8 months to make Cisco admit it was a bug. I think the issue is related to the profiler feature that is in charge to update InactiveDays counter because active sessions are correct on both MNT. Unfortunately I have no idea of which is the data sourve Fullreport uses.

Marco

Re: ISE: issue about connected endpoints, active sessions and Inactive

marco.merlo — Tue, 21 Jan 2025 09:20:18 GMT

Hi,

I run fullreport on different nodes and each report is diffrent. On primary MNT there are thousands of missing endpoinds and not endpoint has elapsed day set to 0 . What a mess ....

Re: ISE: issue about connected endpoints, active sessions and Inactive

Marcelo Morais — Wed, 22 Jan 2025 01:22:52 GMT

Hi @marco.merlo

in addition to the excellent point already made by @Arne Bier , I would like to bring some numbers:

ISE version 3.3 P2.

ISE Dashboard (Total Endpoints: 258,337 - Active Endpoints: 128,398) :

ISE Context Visibility Endpoint (258,337 Total Rows)

ISE Licensing ... Total Consumption of 127,281.

ISE FullReport ... InactiveDays = 0 with 121,074 of 258,353 records.

Using @Arne Bier words " ... I have not seen such a huge disparity ... " !!!

Please take a look at:

CSCwj80616 EP details in ISE Context Visibility does not match with Radius Live Logs / Sessions during MDM flow.

also remember that:

The Total Endpoints (Home > Dashboard) are the Endpoints seen by the system since the last Purge (Administration > Identity Management > Settings > Endpoint Purge). The Total Endpoints count should be the same as the Context Visibility - Endpoints Total Rows (that represents the ISE Internal Endpoint Store). Total Endpoints do NOT use License. License Consumption is actually based on the Data in MnT and Total Endpoints/Context Visibility is a PAN Data.

The Operations > Reports > Reports > Endpoints and Users > Current Active Sessions is more accurate than Home > Active Endpoints Dashboard, the 1st gets the info from MnT (License consumption is based on the MnT Data), the 2nd from Context Visibility (PAN Data).

Hope this helps !!!

Re: ISE: issue about connected endpoints, active sessions and Inactive

marco.merlo — Wed, 22 Jan 2025 08:07:55 GMT

Thanks, you are right: In a Full Report run on Jun 2024 TotalEndpoint with inactive count 0 was compatible with the active sessions count. Yesterday I run a full report on each node at the same time: all PSNs and PANS reports the same number lines but the the two PSNs reports about 30% fewer lines, but a dbconnect sql query for endpoints_data view reports the same count of PAN/PSNs full report and the dbcpnnect featue connects to secondary MNT Oracle Database... Maybe there is just a bug on the ruotine providing full report ....

I'll try to install patch 7...

Re: ISE: issue about connected endpoints, active sessions and Inactive

Marcelo Morais — Wed, 22 Jan 2025 09:20:01 GMT

Hi @marco.merlo ,

excellent ... ISE 3.2 P7 is a very good release.

Regards