06-12-2019 05:44 AM
OK this is a strange one - I can't delete any unused endpoint identity groups.
If I try to delete a group that is in use I get the following error message.
This is good - as the group is in use then I can't delete it.
However this is what I get when I try to delete a group that isn't in use.
Checking the policy by exporting the entire set to an XML file doesn't give me any clues, so any ideas as to why this is happening?
Thanks
Giles
06-13-2019 11:03 AM
09-29-2019 03:26 AM - edited 09-29-2019 09:28 PM
Hi, it seems that you are hitting the following bug (we have the same problem on our ISE v2.4 with patch 8 deployment):
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr30888
We opened a TAC SR - the TAC engineer went into root and deleted the endpoint identity group from the database; this is currently the only way to resolve it. After some time we hit the same for another endpoint identity group, so I think it is not a problem only of our deployment ;).
So I think that we are hitting the mentioned bug CSCvr30888. I found the bug ID after our TAC SR was closed, so the bug wasn't confirmed by our TAC engineer. If you have some additional information, e.g. from TAC, please post it. Thank you!
2) The second bug ID is for the case of migration from ACS to ISE (but this is a really very old bug, for the ISE 1.3 release):
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus78576/?rfs=iqvred
The error message looks different: "Failed to delete the group : Identity group is not user created or contains child groups.", so I think this is not your issue.
Jakub
06-12-2019 10:57 PM
Check the following:
1. Check to make sure it is not being used as a Parent Group to other groups (child groups).
2. Check to see if there are any endpoints that are registered with the group you are trying to remove.
06-13-2019 05:11 AM
1. Check to make sure it is not being used as a Parent Group to other groups (child groups).
No.
2. Check to see if there are any endpoints that are registered with the group you are trying to remove.
The groups are empty.
06-12-2019 11:18 PM
In this case the error message is giving you a hint.
The NAC Group is referenced in your Policy Set authorization rule ACN-IDC-Stores. Remove that reference too and then try again.
06-13-2019 05:12 AM
I know, as I used that as an example where it blocked me because the group is in use.
It was the second screenshot I couldn't understand.
06-12-2019 11:25 PM
06-13-2019 05:10 AM
The box was migrated from an ACS deployment (badly as in no attempt to clean up before migrating) before I started at this company.
The ISE installation was 2.2 until I upgraded it to 2.4 patch 8 a couple of weeks ago.
Would the best thing to do be contact TAC for this issue then?
Thanks
06-13-2019 07:04 AM
If none of the suggestions have resolved your issue then yes please contact TAC for further resolution.