Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2825
Views
0
Helpful
4
Replies

Cisco ISE 2.3 Patch 5 - Alarms: Health Status Unavailable

Go to solution
pgiouvanellis
Level 1
Level 1

‎12-07-2018 12:44 AM

Hello everyone ,

 

We have an ISE implementation with 2 PAN nodes that are also and PSN and MnT nodes .

The last 2 days we receive alerts for one of the nodes with message "Alarms: Health Status Unavailable" .

 

The issue is that we are not losing the node and all the services seems to work/running fine .

The alert comes every hour but we never lost the node .

I want to refer that the specific node is a VM not physical appliance .

 

Is there any way to find the reason of these alerts and fix the issue .

 

Thank You ,

Palaiologos .

1 person had this problem
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎12-07-2018 01:06 AM

Check iseLocalStore.log from Operations > Troubleshoot > Download Logs > [Choose the node for which the alarms are thrown for] > Debug Logs.

Search for logs similar to “NOTICE System-Stats: ISE Process Health” and see the time difference between these logs. They are supposed to be generated every 5 minutes. If the delay is more than say 10 minutes, your MnT node will throw the error that it did not receive the health status. There is a bug CSCvh17334 for this issue as well which is fixed in 2.4.

Another reason why this could happen is if there is high load on the MnT nodes and that the logs are not processed enough. If you see any latency in the live logs or anything then this could be it, if not then it is most likely not a problem with MnT node.

View solution in original post

0 Helpful

Go to solution
pgiouvanellis
Level 1
Level 1
In response to pgiouvanellis

‎12-12-2018 12:03 AM

Hello Everyone ,

 

We performed a reload on the virtual machine and the issue and alarms stopped .

 

Thank You,

Palaiologos

View solution in original post

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to pgiouvanellis

‎12-12-2018 12:37 AM

If the issue comes up again, keep in mind that the health status is sent from each node to the MnT nodes. If you're not receiving a health status summary from an ISE node to the active MnT, that could many a few things. 

 

1) It could mean that your resources are very high on either MnT or the syslog client, although that would be noticeable in other ways such as show commands and VM summary within your hypervisor.

2) Maybe you're using Secure Syslog between the two, and have CRL's enabled for their trusted certificate, that one of the nodes can't download the CRL and therefore the Secure Syslog isn't trusted after initial setup. This can be seen within the localstore.log file on both MnT and syslog client. 

3) Maybe you have a firewall between the two nodes and due to the long-lived TCP connection, the connection is being dropped ungracefully by the firewall so that the flow is dropped. 

 

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎12-07-2018 01:06 AM

Check iseLocalStore.log from Operations > Troubleshoot > Download Logs > [Choose the node for which the alarms are thrown for] > Debug Logs.

Search for logs similar to “NOTICE System-Stats: ISE Process Health” and see the time difference between these logs. They are supposed to be generated every 5 minutes. If the delay is more than say 10 minutes, your MnT node will throw the error that it did not receive the health status. There is a bug CSCvh17334 for this issue as well which is fixed in 2.4.

Another reason why this could happen is if there is high load on the MnT nodes and that the logs are not processed enough. If you see any latency in the live logs or anything then this could be it, if not then it is most likely not a problem with MnT node.
0 Helpful

Go to solution
pgiouvanellis
Level 1
Level 1
In response to Surendra

‎12-07-2018 02:06 AM

Its seems the last 2 days i have the problem i did not receice 

 

NOTICE System-Stats: ISE Process Health messages but i get 

NOTICE System-Stats: ISE Process Health Unavailable messages .

 

I get them every 5 minutes .

 

Also i noticed 

 

2018-12-07 08:24:25.787 +02:00 0066061587 34140 WARN  System-Management: ISE failed secure syslog connection because of unknown certificate in syslog server certificate chain, ConfigVersionId=78, DestinationPort=6514, LoggerName=SecureSyslogCollector, 

 

These messages but i get the same messages when the alarm was not triggered and all works normally without alarms .

 

So any idea ? 

 

Thank You,

Palaiologos

0 Helpful

Go to solution
pgiouvanellis
Level 1
Level 1
In response to pgiouvanellis

‎12-12-2018 12:03 AM

Hello Everyone ,

 

We performed a reload on the virtual machine and the issue and alarms stopped .

 

Thank You,

Palaiologos

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to pgiouvanellis

‎12-12-2018 12:37 AM

If the issue comes up again, keep in mind that the health status is sent from each node to the MnT nodes. If you're not receiving a health status summary from an ISE node to the active MnT, that could many a few things. 

 

1) It could mean that your resources are very high on either MnT or the syslog client, although that would be noticeable in other ways such as show commands and VM summary within your hypervisor.

2) Maybe you're using Secure Syslog between the two, and have CRL's enabled for their trusted certificate, that one of the nodes can't download the CRL and therefore the Secure Syslog isn't trusted after initial setup. This can be seen within the localstore.log file on both MnT and syslog client. 

3) Maybe you have a firewall between the two nodes and due to the long-lived TCP connection, the connection is being dropped ungracefully by the firewall so that the flow is dropped. 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents