
Cisco ISE License Consumption

dm2020
Level 1

Hi All,

I'm currently running ISE 2.4 and I have a question regarding base license consumption.

From my understanding, the licenses are consumed and released based on Radius Accounting Start/Stop messages, however, this doesn't reflect in my deployment.

The ISE summary screen is currently showing 124 active endpoints which is correct from the number of connected devices. This number increments/decrements correctly based on active sessions so Radius accounting appears to be working correctly. However under licensing, I'm seeing 2020 base licenses consumed. Should this not reflect the number of active sessions? Am I missing something here or am I not understanding the process correctly?

Thanks

1 Accepted Solution


Damien Miller
VIP Alumni
My experience with 2.4 has had the opposite results. Double the active sessions count and half the expected license usage. Certainly a nice position to be in if it remained "broken", not having to buy all those licenses. Licensing usage is tied to live sessions. If you run the live sessions report, what does it spit out? Do you only expect 124 endpoints to be online, or is 2,000 more appropriate?

There is an outstanding bug affecting 2.4, to be fixed in an upcoming patch. Not many details on it but it could be related.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj50257

Opening a TAC case would be a suggested step if you haven't already.


3 Replies

Hi Damien,

Thanks for the response.

Live sessions is now reporting 125 endpoints. ISE is providing dot1x/mab authentication for a couple of Meraki wireless networks so it's very easy to cross reference the number of active sessions reported in ISE and the number of active wireless clients reported on the Meraki Dashboard. There is a small difference between numbers (10-20) which I believe are stale sessions but I don't expect 2000 endpoints to be on the network today. I will see the active client count rise tomorrow when users are back in the office.

Licensing is currently showing 2058 base licenses consumed.

See attached screenshots

I have not opened a TAC case yet as I want to check if I was missing something fundamental before doing so

thanks

Hi,

I have doubts about active endpoints, active sessions and base license consumption.

On a 2.4 patch 9 deployment I used to see that at license count sampling time the license count was about 10-15% lower than active endpoint counts.

We are not using profiler service but I saw that a number of active endpoints were there because of default device sensors configuration, that is, there were endpoints (typically router or switch interfaces or real endpoints with no supplicant) that did not undergo authentication but for which ISE got accounting packets from switches. The number of such endpoints was roughly equal to the difference between license count and active endpoints.

After installing patch 11 that difference disappeared. Is Cisco asking money for endpoints that do not perform dot1x or mab authentication?

Another doubt: while querying the management API for active sessions at license count sampling time, I got a value equal to the license count from the primary MNT but a considerably lower value from the secondary MNT (about 12000 vs 11000 active sessions).

Is this normal?

Regards

MM
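
The categories the posts above compare (sessions opened by an accounting Start and closed by a Stop, stale sessions, and endpoints seen only through accounting) can be separated with a small reconciliation script. This is an added example, not code from the thread or from Cisco, and it is a simplified model rather than ISE's licensing logic. The events, MAC addresses, the `AUTHENTICATED` set and the one-hour stale threshold are constructed assumptions.

```python
# Added example: simplified session model, not ISE's own licensing logic.
STALE_AFTER = 3600  # assumption: seconds of accounting silence before a session is stale

# Constructed events: (time_s, Acct-Status-Type, Calling-Station-Id, Acct-Session-Id)
EVENTS = [
    (0,    "Start",          "AA:AA:AA:00:00:01", "s1"),
    (10,   "Start",          "AA:AA:AA:00:00:02", "s2"),  # Stop never arrives
    (20,   "Start",          "AA:AA:AA:00:00:03", "s3"),  # accounting without authentication
    (500,  "Stop",           "AA:AA:AA:00:00:01", "s1"),
    (4000, "Interim-Update", "AA:AA:AA:00:00:03", "s3"),
    (4100, "Start",          "AA:AA:AA:00:00:04", "s4"),
]
# Constructed: endpoints that completed dot1x or MAB authentication
AUTHENTICATED = {"AA:AA:AA:00:00:01", "AA:AA:AA:00:00:02", "AA:AA:AA:00:00:04"}


def reconcile(events, authenticated, now, stale_after=STALE_AFTER):
    """Classify endpoints whose accounting session is still open at `now`."""
    open_sessions = {}  # Acct-Session-Id -> (mac, last accounting timestamp)
    for ts, status, mac, sid in sorted(events):
        if ts > now:
            break
        if status == "Stop":
            open_sessions.pop(sid, None)      # Stop releases the session
        else:
            open_sessions[sid] = (mac, ts)    # Start / Interim-Update refreshes it
    report = {"open": len(open_sessions), "active": set(),
              "stale": set(), "accounting_only": set()}
    for mac, last_seen in open_sessions.values():
        if now - last_seen > stale_after:
            report["stale"].add(mac)            # no Stop and no recent update
        elif mac not in authenticated:
            report["accounting_only"].add(mac)  # accounting seen, no dot1x/MAB
        else:
            report["active"].add(mac)
    return report


if __name__ == "__main__":
    for key, value in reconcile(EVENTS, AUTHENTICATED, now=4200).items():
        print(key, value)
```

Comparing `open` against `active` shows how much of a count comes from stale or accounting-only entries rather than from authenticated live sessions.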

 
