Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1283
Views
0
Helpful
3
Replies

Cisco ISE / CTS switch Issues

Jay233
Level 1
Level 1

‎06-09-2020 01:59 PM

Hi All,

Recently noticed a strange issue with a few switches in our network.

Using SGT/CTS with ISE 2.4.

Switches are 9200 series, working ok until several switches started to show an error with CTS server info list I.E. marking the ISE servers as down?

2 switch outputs below (sw1 not working, sw2 working). The switches have the same config and in the same location, able to refresh env data and also PAC files on both switches without error.

The only difference I can see is info output for TAG 0:Unknown

The working switch shows "status alive" with auto-test=false?

The none working switch shows "status dead" with auto-test=true?

Can anyone explain this auto-test feature please. 

 

Output for sw1 (error switch):

SW1#sh cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-01:Infrastructure
Server List Info:
Installed list: CTSServerList1-0004, 2 server(s):
 *Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
    0-01:Unknown
    2-01:Infrastructure
    3-00:Network_Services
    4-00:Employees
 

Output for sw2 (working switch):

SW2#sh cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-01:Infrastructure
Server List Info:
Installed list: CTSServerList1-0004, 2 server(s):
  Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = ALIVE
          auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
  Server: 10.X.X.X, port 1812, A-ID C5E76EXXXXXXXXXXXX
          Status = ALIVE
          auto-test = FALSE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
    0-03:Unknown
    2-01:Infrastructure
    3-00:Network_Services
    4-00:Employees
Appreciate any help on this, not sure if its a bug or not.
Cheers,

 

0 Helpful
3 Replies 3

Jay233
Level 1
Level 1

‎06-09-2020 02:06 PM

Quick update: After a reboot on sw1# (No config change at all) the switch is now making the ISE servers as "alive" when I do sw1#show cts env data?

What is causing the switch to previously report the severs as "dead"? 

Reboot and the issue disappears but for how long is the question. 

Could this be an auth time type loop issue?

If anyone has a working CTS config and willing to post that would be great. 

Thanks,

0 Helpful

thomas
Cisco Employee
Cisco Employee
In response to Jay233

‎06-12-2020 03:49 PM

Sounds like a switch bug since a reboot fixed it.

0 Helpful
Customers Also Viewed These Support Documents