284 Views · 2 Helpful · 3 Replies

Cisco ISE 3.3 and Cisco ASA (VPN Authorisation only)

Jay233
Level 1

Hi All,

We have Cisco ISE 3.3 (6 nodes with 2 PSNs) and 2 ASAs used for authorising VPN users. Recently the VPNs have been marking the Cisco ISE servers as dead.

The ASAs are using the depletion method with the default settings of 10 mins and 3 max tries.

Question is, am I right to assume that the ASAs will try to contact the PSNs for 30 mins and then mark them as disabled?

I don't suspect that comms to the PSNs were down from both ASAs; any helpful advice on what else could cause this issue?

Also, if we changed the ASAs' AAA method from depletion to timed, would this be recommended to help address this?

Note: we have moved from appliances to VMs; would this have any bearing on the AAA server being marked as DEAD/DISABLED?

Appreciate any replies 


3 Replies

I personally would recommend the "timed" option, as that will try to reactivate the failed server after a few seconds. The "deadtime" is the time the firewall takes before trying to reactivate all the servers, counted from the last failed one. You mentioned you moved the appliances to a hypervisor; are you referring to the firewalls or ISE? One thing that could affect the communication between the firewalls and ISE would be latency. I would try to check the logs on the firewalls and see if they provide any clue; if not, I would turn on AAA debugs and check the logs.


CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.8 - TACACS+ Servers for AAA [Cisco ASA 5500-X Series Firewalls] - Cisco
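For readers comparing the two reactivation modes discussed above, here is an added ASA CLI example (not configuration from the original poster or from Cisco's documentation) showing the default depletion settings the question describes next to the timed alternative suggested in the reply, followed by the commands used to check server state and capture AAA debugs. The server-group name `ISE-PSN`, interface `inside`, host addresses and the `<...>` placeholders are assumptions; lines beginning with `!` are annotations.

```text
! --- Current behaviour: ASA defaults described in the question ---
! A PSN is marked FAILED after 3 consecutive unanswered requests.
! In depletion mode a FAILED server stays out of rotation until every
! server in the group has failed; the 10-minute deadtime starts at the
! last failure and all servers are re-enabled together when it expires.
aaa-server ISE-PSN protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server ISE-PSN (inside) host 10.0.0.11
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
aaa-server ISE-PSN (inside) host 10.0.0.12
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! --- Alternative recommended in the reply ---
! Timed mode returns a FAILED server to rotation after 30 seconds, so a
! short latency spike no longer removes a PSN for the whole deadtime.
aaa-server ISE-PSN protocol radius
 reactivation-mode timed

! --- Verification from the ASA CLI ---
! Shows ACTIVE/FAILED per PSN, failure counters and average round trip
! time; a rising round trip time points at the latency the reply mentions.
show aaa-server ISE-PSN
! Sends a single authentication request to one PSN to confirm reachability.
test aaa-server authentication ISE-PSN host 10.0.0.11 username <user> password <pass>
! Per-request RADIUS exchange, including timeouts that count toward
! max-failed-attempts; disable with "undebug all" when finished.
debug radius
```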

Hi Aref,

Many thanks for the speedy reply. Yes, it's the ISE cube that's moved to VM, as our appliances went EoL/EoS. Checked on the ISE dashboard, nothing untoward being reported back.

I'll check on the ASAs and see if I can pinpoint the logs at the time the AAA servers got marked as dead.

Cheers,

You are welcome. Please make sure that you have assigned the required resources to ISE VMs and you reserved them so no other VM would eat up those resources when ISE needs them, otherwise this could degrade ISE performance and potentially could also affect the comms with the firewalls.

Cisco Identity Services Engine Installation Guide, Release 3.3 - Cisco Secured Network Server Series Appliances and Virtual Machine Requirements [Cisco Identity Services Engine] - Cisco