About "Source Timestamp" and "Received Timestamp" in ISE Live log

2024-01-10 13 19 36.png

I want to know what equipment Source and Receive refer to in the livelog.

The device is using 1X authentication and ISE is associated with an AD server.

2 Accepted Solutions

hslai
Cisco Employee

@MHM Cisco World Standalone ISE also has them.

@JustTakeTheFirstStep I think the source is the ISE PSN performing the authentication and the source timestamp is when this ISE PSN sends out the event to the ISE MNT; the received timestamp is when the ISE MNT records it receives the event. If the clocks of all ISE nodes are properly synchronized, we should see little difference if there is low latency between the ISE PSN and MNT.

7 Replies

Arne Bier
VIP

Great question.  I have never thought about what this means.

The RADIUS Access-Request (UDP packets) does not contain any time stamp information. Therefore, I assume these timestamps must refer to some ISE components that are involved in the processing of the RADIUS Access-Request.

I am guessing "Source" refers to the time the RADIUS UDP packet was received from the network stack.

And "Received" refers to some other stage thereafter. But it's a very small time difference. In my lab, the timestamps are identical.

I am hoping someone has the definitive answer.

Screenshot (79).png

Nice image. Where did this come from?

Do you know what is meant by “The Radius”?

I could not find any timestamp in the RADIUS packet. Maybe I was in a hurry and missed it.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3229.pdf

I think this stamp appears only when we use distributed mode, in which the MnT and PSN are separate.

Hope I am right.

MHM 

Arne Bier
VIP

@JustTakeTheFirstStep - what does your setup look like? 

I can't find any examples in any of my ISE 3.1 or ISE 3.2 customers where there is any difference in this timestamp. And all my customers have distributed deployments.

I even checked with one customer who has an SNS server acting as PSN in a remote location over slow comms links - there is no difference there in the LiveLogs Auth Details timestamps.

The plot thickens ...

There is so little offset; that is why I think about distributed mode, not standalone.

MHM