
Cisco ISE 2.4 (Patch 5) - Static Group Assignment: MAB database Entries Dropped

widarsson
Level 1

Hi,


I recently experienced a very critical incident within Cisco ISE.

Setup:

 

Cisco Application Deployment Engine OS Release: 3.0 
ADE-OS Build Version: 3.0.4.070 
ADE-OS System Architecture: x86_64 
  

Copyright (c) 2005-2014 by Cisco Systems, Inc. 
All rights reserved. 
Hostname: ***ISE03  

 
Version information of installed applications 
---------------------------------------------  

Cisco Identity Services Engine 
--------------------------------------------- 
Version      : 2.4.0.357 
Build Date   : Tue Apr 10 19:06:39 2018 
Install Date : Thu Nov  8 14:31:47 2018 

  
Cisco Identity Services Engine Patch 
--------------------------------------------- 
Version      : 5 
Install Date : Mon Dec 10 14:01:51 2018 

 

The problem was just random; no changes etc. were made that day as far as I know.

One beautiful Friday afternoon, all MAB device entries lost their connection to:

- Static Group Assignment (unchecked).

- Identity Group Assignment: was cleared from the specific Identity Group selections (dropdown menu).

- About 800 entries affected; the date of the entries was registered as 1970-**-**. Felt like a database issue etc.


I've searched through all patches etc. of Cisco ISE 2.4; I haven't found anything connected to this.

I had to do an import of devices; luckily I got a three-month-old backup of the MAB devices.


Has anybody experienced this issue?

If it ever happens again, what should I look for, and where can I find the reason?

Best Regards,

David

Accepted Solutions

Jason Kunst
Cisco Employee
Please get a TAC case open to dig deeper and provide guidance


Surendra
Cisco Employee
Have they been deleted or just moved out of the static group? Static group changes will be logged in the profiler log, but only at DEBUG level. Deletion is a bit tricky, as only bulk deletes will be logged in irf.log, but not individual endpoints. Profiler may have info, but I haven’t checked them myself. All of them getting out of the group on the same day seems odd; were there any changes made in the network which could result in a flood of new types of probes for profiling on the ISE that day?

Damien Miller
VIP Alumni
2.4 patch 2 fixed an issue where the static identity group mapping could be dropped when we received two DHCP requests on different PSNs at the same time.

But that was fixed.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi73782


TTGP
Level 1

Did you open the TAC? Were you able to discover what caused this issue? I have had the issue twice now so I am very curious. 

 

R\

George

The original post was related to Patch 5 which is quite old now.

The issue could be related to the following bug listed as fixed in 2.4 Patch 11 - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq58785

 

I would suggest updating to the latest patch to see if the issue is resolved. If the issue continues, you may need to open a TAC case.

No 100% acknowledgement of the problem, but TAC referred to patch 9; we went to patch 11 and haven't experienced the problem. (It was also never experienced after the backup-restore of MAB on Patch 5.) But I hope it's fixed in patch 11.