JulienCl
Beginner

CoA issue after profiling on ISE 2.6 Patch 3

Hello,

 

Since I applied Patch 3 on ISE version 2.6, ISE doesn't send CoA (reauth) after profiling an endpoint (working with Patch 2).

 

I noticed a timestamp problem in the accounting log (see picture); it may be linked.

 

Has anyone had the same problem?

Is there a trick or a workaround?

Thanks

Accepted Solutions
Damien Miller
VIP Advisor

I have the same issue with 2.4p10, where P9 appeared to work fine.

Possible that this also applies to 2.6 but the bug hasn't been updated or no one has opened a case on it yet.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs05437/?rfs=iqvred


12 REPLIES 12

@Damien Miller wrote:
I have the same issue with 2.4p10, where P9 appeared to work fine.

Possible that this also applies to 2.6 but the bug hasn't been updated or no one has opened a case on it yet.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs05437/?rfs=iqvred

Please do open a TAC case and attach

So far, 13 service cases have been opened for the Lack of CoA issue after applying PB#3 to 2.6 so does anybody know if this is being worked by Cisco? 

 

I have 3 servers that I need to upgrade to 2.6, but if keeping current for IAVAs and such is going to break CoA (dACLs and dynamic VLANs) which we rely on, then I will stay at 2.2 for now since it is stable.

 

Cisco, please do a better job of testing these patch bundles!!!  I know lab testing cannot cover everything, but having to pull multiple (2-3) patch bundles off your website last year because too many deployments were breaking, that should be caught beforehand, lab or no lab.  Do these patches get moved to Cisco's production ISE servers or are we the guinea pigs?

 

Anyone have any similar problems on 2.3 after applying patch 7?

I had an almost identical scenario and had to roll back to patch 6.

Please open a TAC case and likely you need TAC to request a hot patch because Cisco Identity Services Engine Software Version 2.3 Product Bulletin says,

Starting June 17th 2019 only sev1 and security vulnerability issues will be addressed.

 

Hello,

The problem with CoA on ISE 2.6 Patch 3 persists; on Patch 2 profiling is OK, but we have a test failure for "DNS A/AAAA record low level API query".

 

So, now we are up to 21 reported cases (bug write up) of the 2.6 PB#3 breaking CoA on ISE.  I'm sure many more cases exist out there.  The other ISE versions had the same issue at the same time it appears when their respective patch bundles were released.  The only Cisco recommendation so far is to call TAC and ask for a HOT FIX. 

 

How about pulling down the affected PATCH BUNDLES from the Cisco site and uploading the corrected PATCH BUNDLES that incorporates the HOT FIX to save everyone a LOT of time and effort, especially if you have to do a bare metal rebuild and you forget about that little hot fix.

 

CoA is a core element of ISE....this should be given more attention, priority, and resources than it appears to have been.  It looks like v2.4 may be fixed so when can we expect 2.6 to be resolved?

 

Hi,

 

ISE 2.6 Patch 4 is out! It should resolve the issue.

Later edit: it was withdrawn by Cisco from the download page due to some profiling bug...

 

Thanks,

Octavian