Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2623
Views
0
Helpful
7
Replies

Cisco ISE 2.6 error message

Go to solution
jm.virtual01
Level 1
Level 1

‎12-26-2019 10:06 AM

I have upgraded the Cisco ISE 2.2 to 2.6 recently, it is distributed deployment. After teh upgradation, i am seeing this alarm from my primary MnT node;

Error Message: 

Alarm Name :

Log Collection Error

 

Details :

Syslog parsing error : String index out of range: -1

 

i am not sure about the reason for this alarm but wanted to make this alarm shuts off.

 

Please reply here of anyone has some suggestion for this issue

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to jm.virtual01

‎01-02-2020 10:41 AM

please work through the TAC if not getting resolution for break fix troubleshooting

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-26-2019 09:52 PM

Hi

Here i would suggest to open a tac case. I had an issue on the last when ise saw a username with a sign / but it should be solved now.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
jm.virtual01
Level 1
Level 1
In response to Francesco Molino

‎12-27-2019 05:38 AM

Thank you Sir,

 

DO you know from where i can find the string configuration in ISE?

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jm.virtual01

‎12-29-2019 05:27 PM

You can start looking at the file ise-psc.log.
But be aware that some of your logging categories must be in debug mode to have a more verbose log.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
jm.virtual01
Level 1
Level 1
In response to Francesco Molino

‎12-30-2019 10:31 AM

Which logging category need to be set on DEBUG level for these logs?

 

0 Helpful

Go to solution
jm.virtual01
Level 1
Level 1
In response to Francesco Molino

‎12-30-2019 10:37 AM

This is the error message i found form the logs

 

2019-12-15 00:02:07,231 WARN [pool-81918-thread-1][] cisco.epm.cert.validator.CRLCache -::::- Unable to download CRL javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839 ]; remaining name ''

 

Is there any suggestion on this?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to jm.virtual01

‎01-02-2020 10:41 AM

please work through the TAC if not getting resolution for break fix troubleshooting
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jm.virtual01

‎01-08-2020 10:10 PM

Hi @jm.virtual01 

 

I have seen this since ISE 2.2 - it's due to ISE's attempt at trying to download a CRL by inspecting the CDP (CRL Distribution Point). If the certificate was created using Microsoft CA (which is very common in the Enterprise), then the default template includes the CA's URL as an LDAP address. But ISE has no credentials to bind to that URL using LDAP - hence, it fails.

 

If I remember correctly, you can fix that error by specifying a manual CRL URL for every trusted CA cert that you have added in ISE. This then causes ISE to ignore the CDP, and use your manual URL instead.

0 Helpful
Customers Also Viewed These Support Documents