12-07-2018 12:44 AM
Hello everyone ,
We have an ISE implementation with 2 PAN nodes that are also and PSN and MnT nodes .
The last 2 days we receive alerts for one of the nodes with message "Alarms: Health Status Unavailable" .
The issue is that we are not losing the node and all the services seems to work/running fine .
The alert comes every hour but we never lost the node .
I want to refer that the specific node is a VM not physical appliance .
Is there any way to find the reason of these alerts and fix the issue .
Thank You ,
Palaiologos .
Solved! Go to Solution.
12-07-2018 01:06 AM
12-12-2018 12:03 AM
Hello Everyone ,
We performed a reload on the virtual machine and the issue and alarms stopped .
Thank You,
Palaiologos
12-12-2018 12:37 AM
If the issue comes up again, keep in mind that the health status is sent from each node to the MnT nodes. If you're not receiving a health status summary from an ISE node to the active MnT, that could many a few things.
1) It could mean that your resources are very high on either MnT or the syslog client, although that would be noticeable in other ways such as show commands and VM summary within your hypervisor.
2) Maybe you're using Secure Syslog between the two, and have CRL's enabled for their trusted certificate, that one of the nodes can't download the CRL and therefore the Secure Syslog isn't trusted after initial setup. This can be seen within the localstore.log file on both MnT and syslog client.
3) Maybe you have a firewall between the two nodes and due to the long-lived TCP connection, the connection is being dropped ungracefully by the firewall so that the flow is dropped.
12-07-2018 01:06 AM
12-07-2018 02:06 AM
Its seems the last 2 days i have the problem i did not receice
NOTICE System-Stats: ISE Process Health messages but i get
NOTICE System-Stats: ISE Process Health Unavailable messages .
I get them every 5 minutes .
Also i noticed
2018-12-07 08:24:25.787 +02:00 0066061587 34140 WARN System-Management: ISE failed secure syslog connection because of unknown certificate in syslog server certificate chain, ConfigVersionId=78, DestinationPort=6514, LoggerName=SecureSyslogCollector,
These messages but i get the same messages when the alarm was not triggered and all works normally without alarms .
So any idea ?
Thank You,
Palaiologos
12-12-2018 12:03 AM
Hello Everyone ,
We performed a reload on the virtual machine and the issue and alarms stopped .
Thank You,
Palaiologos
12-12-2018 12:37 AM
If the issue comes up again, keep in mind that the health status is sent from each node to the MnT nodes. If you're not receiving a health status summary from an ISE node to the active MnT, that could many a few things.
1) It could mean that your resources are very high on either MnT or the syslog client, although that would be noticeable in other ways such as show commands and VM summary within your hypervisor.
2) Maybe you're using Secure Syslog between the two, and have CRL's enabled for their trusted certificate, that one of the nodes can't download the CRL and therefore the Secure Syslog isn't trusted after initial setup. This can be seen within the localstore.log file on both MnT and syslog client.
3) Maybe you have a firewall between the two nodes and due to the long-lived TCP connection, the connection is being dropped ungracefully by the firewall so that the flow is dropped.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: