Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1805
Views
10
Helpful
6
Replies

Cisco ISE 2.7 Messaging Service Not Running

Go to solution
O_H
Level 1
Level 1

‎02-21-2023 05:41 AM

We have 2 ISE nodes. We upgraded from 2.4 to 2.7 P9.

After the upgrade i noticed that the (ISE Messaging Service) is not running on Node 2. It keeps flapping between Initializing and not running. I applied patch 9 but that didn't change the situation.

I'm not sure of what is the actual impact. And how to solve this. I tried to regenrate CSR for this service, but didn't help. Also restarting the services or rebooting didn't help.

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎02-21-2023 06:03 AM

  1. To fix this you need to generate new deployment-wide signed certificates.  This is a simple process that can be done by navigating to Administration > System > Certificates and choosing Certificate Signing Requests from the left menu
  2. Click the button for Generate Certificate Signing Requests (CSR)

CharlieMoreton_0-1676988065577.png

  1. In the Usage field, select that the Certificate(s) will be used for ISE Messaging Service

CharlieMoreton_1-1676988065580.png

 

  1. Since this is an upgrade, ISE Messaging may not have been enabled previously, you need to select Generate CSR for ISE Messaging Service
  2. Select ALL the ISE Nodes and fill out the certificate fields

CharlieMoreton_2-1676988065585.png

 

  1. Of course, you should follow any guidance and troubleshooting from the Cisco Identity Services Engine Upgrade Guide, Release 2.7
  2.   If you have already tried this and do not see any entries in the RADIUS Live Logs, navigate to Administration > System > Logging.  You should see that Use ISE Messaging Service for UDP Syslogs delivery to MnT is enabled.  This is a new feature that was released in ISE 2.6, disable this and call TAC for troubleshooting and assistance.

View solution in original post

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to O_H

‎02-21-2023 06:17 AM

From the 2.6 Release Notes:

Syslog over ISE Messaging

From Cisco ISE, Release 2.6, Monitoring and Troubleshooting (MnT) WAN Survivability is available for UDP syslog collection. Syslogs are recorded using ISE Messaging Service. The Remote Logging Targets, where the syslogs are collected and stored uses port TCP 8671 and the Secure Advanced Message Queuing Protocols (AMQPs) for sending syslogs to MnT.

By default, the ISE Messaging Service option is disabled until Cisco ISE, Release 2.6 Patch 1.

From Cisco ISE, Release 2.6 Patch 2 onwards, by default, the ISE Messaging Service option is enabled.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6

Business Outcome: Operational data will be retained for a finite duration even when the MnT node is unreachable.

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎02-21-2023 06:03 AM

  1. To fix this you need to generate new deployment-wide signed certificates.  This is a simple process that can be done by navigating to Administration > System > Certificates and choosing Certificate Signing Requests from the left menu
  2. Click the button for Generate Certificate Signing Requests (CSR)

CharlieMoreton_0-1676988065577.png

  1. In the Usage field, select that the Certificate(s) will be used for ISE Messaging Service

CharlieMoreton_1-1676988065580.png

 

  1. Since this is an upgrade, ISE Messaging may not have been enabled previously, you need to select Generate CSR for ISE Messaging Service
  2. Select ALL the ISE Nodes and fill out the certificate fields

CharlieMoreton_2-1676988065585.png

 

  1. Of course, you should follow any guidance and troubleshooting from the Cisco Identity Services Engine Upgrade Guide, Release 2.7
  2.   If you have already tried this and do not see any entries in the RADIUS Live Logs, navigate to Administration > System > Logging.  You should see that Use ISE Messaging Service for UDP Syslogs delivery to MnT is enabled.  This is a new feature that was released in ISE 2.6, disable this and call TAC for troubleshooting and assistance.

Go to solution
O_H
Level 1
Level 1
In response to Charlie Moreton

‎02-21-2023 06:21 AM

Thanks for your response. I also noticed something... when i regenerate the CSR, i don't see the certificate in the Certificate Authority Certificates page. No matter how long i wait, it just doesn't show up. Not sure if this is normal. I tried multiple times already.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to O_H

‎02-21-2023 06:36 AM

You wouldn't see it under the certificate authority section, depending on which certs you will regenerate, you would see the new generated certs under the trusted and system certs sections.

Go to solution
O_H
Level 1
Level 1
In response to Charlie Moreton

‎02-22-2023 11:48 PM

If i regenerate the ISE Root CA certificate first as explained here... is it confirmed that it doesn't have any whatsoever impact?
https://www.adamhollifield.com/2022/09/fix-cisco-ise-messaging-service.html

0 Helpful

Go to solution
O_H
Level 1
Level 1

‎02-21-2023 06:11 AM

Hello. Thanks for the reply. As i stated that i tried to regenerate the CSR for this service but it didn't help. What is the impact of disabling (Use ISE Messaging Service for UDP Syslogs delivery to MnT)? And if this is disabled, should it fix it?

Also, i see Radius Live Logs already. This service is not running on the secondary node. It is already running on the primary node.

What is the impact of this service not running?

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to O_H

‎02-21-2023 06:17 AM

From the 2.6 Release Notes:

Syslog over ISE Messaging

From Cisco ISE, Release 2.6, Monitoring and Troubleshooting (MnT) WAN Survivability is available for UDP syslog collection. Syslogs are recorded using ISE Messaging Service. The Remote Logging Targets, where the syslogs are collected and stored uses port TCP 8671 and the Secure Advanced Message Queuing Protocols (AMQPs) for sending syslogs to MnT.

By default, the ISE Messaging Service option is disabled until Cisco ISE, Release 2.6 Patch 1.

From Cisco ISE, Release 2.6 Patch 2 onwards, by default, the ISE Messaging Service option is enabled.

For more information, see the Cisco Identity Services Engine Administrator Guide, Release 2.6

Business Outcome: Operational data will be retained for a finite duration even when the MnT node is unreachable.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents