Cisco ISE 2.3 mac removed from static group

maissiat
Level 1

Hi everyone,

For a few days now, we have noticed that some endpoints that had been assigned to a dedicated static group are automatically removed from that static group and put into the Unknown group.

This happens every time: we reassign the MAC to the correct group, and the day after, the MAC is removed again and can be found in the Unknown group.

Profiling (DHCP and SNMP) is enabled on one node and IP helpers have been configured on our L3 switches.

We run Cisco ISE 2.3.0.298 Patch 1.

Does anyone have an idea of what could be the reason?

This is our standard 802.1X interface configuration:

authentication event fail action next-method
authentication event server dead action authorize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 600
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
dot1x pae authenticator

Thanks a lot

Marc

Accepted Solution

Damien Miller
VIP Alumni

I was going to suggest the cscvi737782 bug hslai linked as well. We were losing static identity groups on endpoints; we resolved it by moving to 2.4 p2 from p1.

We had a low overall hit rate for the issue across the 90k active endpoints, maybe about 20 endpoints that we know of. We are using two IP helpers on SVIs pointed to two PSNs in different node groups; it sounds like you have something similar.

One noisy user who kept being affected by it led us to open a case. He would add a device through the My Devices portal, and a day or two later it would disappear.

TAC was able to confirm it quite easily from the support bundles of the PSNs receiving the DHCP requests. We supplied the endpoint MACs we saw the issue with and the NAD IP.

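A check for the symptom in this thread, added here as an example and not code from any of the posters: compare two daily exports of endpoint-to-identity-group assignments and list the MACs that fell from a static group back to Unknown (the bug's signature) separately from MACs that vanished entirely (what a purge policy would do). The CSV column names and the sample rows are constructed for the example; adapt them to your own export.

```python
import csv
import io
import re

# Constructed sample: two daily exports of endpoint -> identity group in the
# shape of a minimal ISE endpoint CSV. Not real data; MAC notation varies on purpose.
SNAPSHOT_DAY1 = """MACAddress,IdentityGroup
00:11:22:33:44:55,Printers
00-11-22-33-44-66,Printers
aabb.ccdd.ee01,IP-Phones
00:11:22:33:44:77,Unknown
"""
SNAPSHOT_DAY2 = """MACAddress,IdentityGroup
00:11:22:33:44:55,Unknown
00:11:22:33:44:66,Printers
AA:BB:CC:DD:EE:01,Unknown
"""

def normalize_mac(mac):
    """Normalize any common MAC notation to ISE's AA:BB:CC:DD:EE:FF form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_snapshot(text):
    """Parse an export into {normalized MAC: group name}."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_mac(r["MACAddress"]): r["IdentityGroup"].strip() for r in rows}

def find_demoted(before, after, fallback="Unknown"):
    """(mac, old_group) for endpoints that held a non-fallback group yesterday
    and sit in the fallback group today; already-Unknown endpoints are skipped."""
    return sorted((mac, grp) for mac, grp in before.items()
                  if grp != fallback and after.get(mac) == fallback)

def find_missing(before, after):
    """MACs present yesterday but absent today, e.g. removed by a purge policy."""
    return sorted(set(before) - set(after))

if __name__ == "__main__":
    day1, day2 = load_snapshot(SNAPSHOT_DAY1), load_snapshot(SNAPSHOT_DAY2)
    for mac, grp in find_demoted(day1, day2):
        print(f"{mac}: dropped from static group {grp!r} to Unknown")
    for mac in find_missing(day1, day2):
        print(f"{mac}: no longer in the endpoint database (purged?)")
```

Run it against yesterday's and today's export; a non-empty demoted list with an empty missing list points at the group-loss bug rather than at a purge policy.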

3 Replies

Cory Peterson
Level 5

Do you have any endpoint purge policies set up? Maybe one that deletes endpoints every day?

Check under:

Administration -> Identity Management -> Settings -> Endpoint Purge

I like to use a general policy that will delete any endpoints that are inactive after 60 days.

But you can also write policies to exclude an endpoint group from purging, to ensure those endpoints never get removed, if that is something you are looking for.

hslai
Cisco Employee

You might be running into CSCvi73782, which is addressed in ISE 2.3 Patch 5.
