
This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Beginner

After migration from 5.8 patch 8 ISE policy sets won't work

Recently migrated ACS 5.8 patch 8 to ISE 2.3 patch 3. Migration was successful (picture attached), but none of my policy sets work. All requests are using the default deny rule for some reason; however, the same rules work perfectly in ACS 5.8. I pointed a few RADIUS-supported and TACACS-supported devices to ISE, but they are all hitting the default rule. Not sure what is wrong. I audited the usual ID stores and other parameters related to the service selection policy; they were all migrated just fine. Not sure what is wrong.

5 REPLIES
Contributor

There’s not enough here to help troubleshoot this. Have you opened a TAC case yet?


Thanks, George, I have opened up the case. I thought it may be a known issue. I was expecting it to work without any interventions.

Cisco Employee

If possible, please engage Cisco TAC support on this. We would not be able to help unless we have a copy of your ACS backup and perform a recreate to check it out.

If you are using AD, it could be due to a known issue -- CSCvj31243

Thanks, I have opened the case. However, I am using an LDAP connection to the AD for users.

I can't tell you your exact issue from the description; however, here are a couple of things to check.

I found that the migration tool does not always duplicate logic correctly. The location tree logic was the main issue I found. I had to modify location "in" to "contains".

Another thing to check: does your LDAP connection work? You can test the connection from the GUI. If you are using secure LDAP, then ensure the "ldap server root CA" certificate is valid on all configured connections. I ran into an issue where, following a reload post ACS-to-ISE migration, the LDAP connections were failing to load. The LDAP root CA certificate on unused connections was not valid. This broke all connections.
