Solved: ISE is not advertising TACACS port port 49

robad · ‎10-06-2021

Hi,

I've installed ISE 3.0.0.458

When trying to telnet ISE IP's from a network devices with port 49, I'm getting connection refused.

I have an old ISE that is working well, and when running on CLI show ports I can see this :

tcp: 169.254.0.228:49, 25.57.32.34:49 [it's a fake IP]

But, In the new ISE, I can't see it. and I think that's what make my devices to not work with the new ISE..

How can I make it work please ?

Thanks in advance

Rob Ingram · ‎10-06-2021

@robad the Device Admin service maybe configured, but is the ISE node(s) activated for Device Administration? See screenshot below, either select "All Policy Service Nodes" or "Specific Nodes" and select the node(s).

View solution in original post

balaji.bandi · ‎10-06-2021

check is the ISE Service running as expected :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/cli_guide/b_ise_CLIReferenceGuide_23/b_ise_CLIReferenceGuide_23_chapter_010.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

robad · ‎10-06-2021

Thanks for your reply

I think it's working well

ntn01-ise/admin# sh app status ise

ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 23001
Database Server running 117 PROCESSES
Application Server running 2685
Profiler Database running 31244
ISE Indexing Engine running 4719
AD Connector running 8770
M&T Session Database running 31031
M&T Log Processor running 2884
Certificate Authority Service running 8627
EST Service running 24649
SXP Engine Service disabled
Docker Daemon running 25420
TC-NAC Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID WMI Service disabled
PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
ISE Messaging Service running 27903
ISE API Gateway Database Service running 30195
ISE API Gateway Service running 1045
Segmentation Policy Service disabled
REST Auth Service disabled
SSE Connector disabled

balaji.bandi · ‎10-06-2021

does that mean problem resolved ? what was the resolution ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

robad · ‎10-06-2021

ah no no

It means that all services seems to be up, but still, the port 49 is still not showing on show ports .

balaji.bandi · ‎10-06-2021

Not have live environment of 3.0 to give you steps :

check below

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_device_admin.html#concept_9B1DD5A7AD9C445AAC764722E6E7D32A

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎10-06-2021

@robad the Device Admin service maybe configured, but is the ISE node(s) activated for Device Administration? See screenshot below, either select "All Policy Service Nodes" or "Specific Nodes" and select the node(s).

robad · ‎10-07-2021

Hi Ron, yes it was that.

But little bit different on the new ISE.

I've checkbox the bottom checkbox before, but it didn't worked.

Only after checking the "Enable SXP Service" and choose the Gig 0 it started to work .

Thanks !