ISE 2.4 Patch 8 - cannot delete endpoint identity groups

TC-n_t (Level 1)

OK, this is a strange one: I can't delete any unused endpoint identity groups.

If I try to delete a group that is in use I get the following error message.

[Screenshot: good error.JPG]

This is good; as the group is in use, I can't delete it.

However, this is what I get when I try to delete a group that isn't in use.

[Screenshot: bad error.JPG]

Checking the policy by exporting the entire set to an XML file doesn't give me any clues, so any ideas as to why this is happening?

Thanks

Giles

2 Accepted Solutions

If imported from ACS then it's a known bug: because the groups get imported as system groups, you can't delete them.

I don't recall the bug ID now, but once I connect to my laptop I can look it up.

Hi, it seems that you are hitting the following bug (we have the same problem on our ISE v2.4 with patch 8 deployment):

1) CSCvr30888 - "Unable to delete IdentityGroup - Can't find reference"

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr30888

We opened a TAC SR; the TAC engineer went into root and deleted the endpoint identity group from the database, which is currently the only way to resolve it. After some time we hit the same for another Endpoint IdentityGroup, so I think it is not a problem only of our deployment ;).

[Screenshot: Unable to delete IdentityGroup.png]

So I think that we are hitting the mentioned bug CSCvr30888. I found the bug ID after our TAC SR was closed, so the bug wasn't confirmed by our TAC engineer. If you have some additional information, e.g. from TAC, please post it. Thank you!

2) The second bug ID covers the case of migration from ACS to ISE (but this is a really very old bug, for the ISE 1.3 release):

CSCus78576 - "ISE cannot delete identity group when DB migrated from ACS"

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus78576/?rfs=iqvred

The error message looks different: "Failed to delete the group : Identity group is not user created or contains child groups.", so I think this is not your issue.

Jakub

9 Replies

ldanny (Cisco Employee)

Check the following:

1. Check to make sure it is not being used as a Parent Group to other groups (child groups).

2. Check to see if there are any endpoints that are registered with the group you are trying to remove.

1. Check to make sure it is not being used as a Parent Group to other groups (child groups).

No.

2. Check to see if there are any endpoints that are registered with the group you are trying to remove.

The groups are empty.

Arne Bier (VIP)

In this case the error message is giving you a hint.

The NAC Group is referenced in your Policy Set authorization rule ACN-IDC-Stores. Remove that reference too and then try again.

I know, as I used that as an example where it blocked me because the group is in use.

It was the second screenshot I couldn't understand.

It's not used in policy. It says that you have either endpoints assigned to this group or this group is a child group of another parent group.

Was this group imported from an ACS migration? If so, it's treated as a system group and can't be deleted (not sure if Cisco fixed it).
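The replies above list four distinct reasons a delete can be refused: the group is referenced by an authorization rule, endpoints are still assigned to it, it is the parent of child groups, or it is flagged as system-defined (built-in, or imported from ACS). The script below is an added example, not code from the thread or from Cisco, that runs those pre-flight checks over a small constructed inventory before anyone clicks Delete. The record shapes (`id`, `name`, `system_defined`, `parent_id`, `group_id`, and the `IdentityGroup:Name` condition attribute) are assumptions loosely modelled on how ISE presents these objects; the group and rule names reuse the ones from this thread, and all MAC addresses and IDs are made up.

```python
"""Pre-flight checks before deleting an ISE endpoint identity group.

Added example: the data model and the sample inventory are constructed
for illustration and are not pulled from a real ISE deployment.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EndpointGroup:
    id: str
    name: str
    system_defined: bool = False      # built-in groups and ACS-migrated groups (assumption)
    parent_id: Optional[str] = None   # hypothetical field for the child/parent hierarchy


@dataclass
class Endpoint:
    mac: str
    group_id: str                     # the identity group the endpoint is statically assigned to


@dataclass
class AuthzRule:
    policy_set: str
    name: str
    conditions: List[Tuple[str, str]]  # (attribute, value) pairs as ISE displays them


def references_group(rule: AuthzRule, group_name: str) -> bool:
    """True if an IdentityGroup:Name condition names this group exactly.

    ISE renders the value as a path such as 'Endpoint Identity Groups:NAC Group';
    compare the last path segment rather than doing a substring match, so a
    group called 'NAC' is not confused with 'NAC Group'."""
    for attr, value in rule.conditions:
        if attr == "IdentityGroup:Name" and value.split(":")[-1] == group_name:
            return True
    return False


def deletion_blockers(target: str, groups: List[EndpointGroup],
                      endpoints: List[Endpoint], rules: List[AuthzRule]) -> List[str]:
    """Return the reasons a delete of `target` would be refused; an empty list means it is safe."""
    by_name = {g.name: g for g in groups}
    grp = by_name.get(target)
    if grp is None:
        return [f"group '{target}' does not exist"]

    reasons = []
    if grp.system_defined:
        reasons.append("group is system-defined (built-in or imported via ACS migration); "
                       "the GUI will not delete it, only TAC can remove it from the database")
    children = [g.name for g in groups if g.parent_id == grp.id]
    if children:
        reasons.append(f"group is a parent of child group(s): {', '.join(children)}")
    members = [e.mac for e in endpoints if e.group_id == grp.id]
    if members:
        reasons.append(f"{len(members)} endpoint(s) are still assigned to the group")
    refs = [f"{r.policy_set} / {r.name}" for r in rules if references_group(r, target)]
    if refs:
        reasons.append(f"group is referenced by authorization rule(s): {', '.join(refs)}")
    return reasons


def sample_inventory():
    """Constructed inventory: one referenced group, one empty group, one ACS-migrated parent."""
    groups = [
        EndpointGroup("g-profiled", "Profiled", system_defined=True),
        EndpointGroup("g-nac", "NAC Group"),
        EndpointGroup("g-stale", "Stale-Lab"),
        EndpointGroup("g-acs", "ACS-Printers", system_defined=True),
        EndpointGroup("g-acs-child", "ACS-Printers-Floor2", parent_id="g-acs"),
    ]
    endpoints = [
        Endpoint("00:11:22:33:44:55", "g-nac"),
        Endpoint("00:11:22:33:44:66", "g-profiled"),
    ]
    rules = [
        AuthzRule("ACN-IDC-Stores", "Store-Devices",
                  [("IdentityGroup:Name", "Endpoint Identity Groups:NAC Group"),
                   ("Network Access:AuthenticationMethod", "MAB")]),
    ]
    return groups, endpoints, rules


if __name__ == "__main__":
    groups, endpoints, rules = sample_inventory()
    for name in ("Stale-Lab", "NAC Group", "ACS-Printers"):
        blockers = deletion_blockers(name, groups, endpoints, rules)
        status = "safe to delete" if not blockers else "blocked"
        print(f"{name}: {status}")
        for reason in blockers:
            print(f"  - {reason}")
```

Run it and `Stale-Lab` reports no blockers, `NAC Group` is blocked by its endpoint and the ACN-IDC-Stores rule, and `ACS-Printers` is blocked because it is system-defined and has a child group. A group that passes every check and still fails to delete in the GUI is the situation the thread ends up in, and that is the point at which a TAC case is warranted rather than further policy digging.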

The box was migrated from an ACS deployment (badly, as in no attempt to clean up before migrating) before I started at this company.

The ISE installation was 2.2 until I upgraded it to 2.4 patch 8 a couple of weeks ago.

Would the best thing to do be to contact TAC for this issue then?

Thanks

ldanny (Cisco Employee)

If none of the suggestions have resolved your issue then yes please contact TAC for further resolution.
