Endpoint purge policy for 'blank' Identity Group

Arne Bier
VIP

Dear experts

I am seeing an increasing count of Endpoints and I am unable to create a Purge Policy to delete them.

ISE 2.2 patch 2 - only base license installed (no Plus or Apex).

The reason is that this massive amount of Endpoints is in an <undefined> Endpoint Group.  Not to be confused with the defined Endpoint Group called 'Unknown'.  I see Endpoints popping in and out of that Group when I delete Sponsored Guests.  No idea why that is, but I see it all the time.

These are the Groups I currently see in the GUI

I have Purge Policies as follows - they seem to work well, based on the above Groups

However, I have 800 Endpoints that I cannot delete because there is no Identity Group that I can reference!  I exported all the Endpoints from the Context Visibility GUI and filtered them in Excel.

I would like to understand what is happening and perhaps I never fully grasped how ISE handles 'endpoints'.  But how can so many MAC addresses be in limbo?

How do I delete these zombies?

And can anyone share a detailed explanation or schedule a webinar on the day in the life of an Endpoint in ISE?  It's probably quite complex and worthwhile understanding, because I keep seeing weird behaviour.

Accepted Solution

I believe the issue is related to a difference in what is stored in Context Visibility as opposed to what is stored in the ISE endpoint database.  This could be related to CSCvf22318 or simply the fact that you learned endpoints which are displayed in Redis but not persisted in ISE endpoint database due to lack of Plus license with Profiling support.  To see what is in the Endpoint DB, you can run the "Get All Endpoints" command from "application configure ise" menu, or else leverage the Endpoint Analysis Tool available at iseeat.cisco.com (be sure to register with company email, not personal -- the email is not used for marketing, but to verify valid customer).

Unknown and Profiled are placeholder ID groups for endpoints which have not been assigned an explicit Endpoint Identity Group.  

/Craig


5 Replies

ognyan.totev
Level 5

Hi there, check some of these endpoints: what kind of probes do they use, like RADIUS, SNMP, DHCP, DNS, etc.?

That is to understand what kind of probe ISE uses to identify them. Also, do you use the feed function in ISE?

And as I see, most of the MAC addresses are from:

MAC Address/OUI    Vendor {Company}
00:08:22           InPro Comm

You can create a new Profiling policy that contains exactly that MAC OUI, and all of them will be put there automatically. After that you can create a new purge policy.
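One way to do the reconciliation Craig describes (Context Visibility export versus the endpoint DB report) together with the OUI check suggested above, as an added example that is not from this thread: it assumes both exports are CSV with `MACAddress` and `IdentityGroup` columns (the sample data below is constructed, and real ISE export headers may differ).

```python
import csv
import io
from collections import Counter

# Constructed sample of a Context Visibility CSV export. Column names are an
# assumption, not ISE's real export headers; adjust them to your export.
CONTEXT_VISIBILITY_CSV = """MACAddress,EndPointPolicy,IdentityGroup
00:08:22:AA:BB:01,Unknown,
00:08:22:AA:BB:02,Unknown,
00-08-22-aa-bb-03,Unknown,
AC:DE:48:00:11:22,Unknown,Unknown
B8:27:EB:12:34:56,Unknown,Unknown
"""

# Constructed sample of a "Get All Endpoints" style report from the endpoint DB
# (again, assumed column names).
ENDPOINT_DB_CSV = """MACAddress,IdentityGroup
AC:DE:48:00:11:22,Unknown
B8:27:EB:12:34:56,Unknown
00:08:22:AA:BB:01,Unknown
"""

def norm_mac(mac):
    """Canonicalise a MAC to upper-case colon form so both exports compare equal."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def blank_group_endpoints(cv_csv):
    """MACs shown in Context Visibility with no Identity Group at all (the 'zombies')."""
    rows = csv.DictReader(io.StringIO(cv_csv))
    return {norm_mac(r["MACAddress"]) for r in rows if not (r["IdentityGroup"] or "").strip()}

def reconcile(cv_csv, db_csv):
    """Split blank-group MACs into those persisted in the endpoint DB and those only in CV."""
    db_macs = {norm_mac(r["MACAddress"]) for r in csv.DictReader(io.StringIO(db_csv))}
    blank = blank_group_endpoints(cv_csv)
    return {"in_db": sorted(blank & db_macs), "cv_only": sorted(blank - db_macs)}

def oui_histogram(macs):
    """Count MACs per OUI (first three octets) to spot a single vendor dominating."""
    return Counter(m[:8] for m in macs)

if __name__ == "__main__":
    result = reconcile(CONTEXT_VISIBILITY_CSV, ENDPOINT_DB_CSV)
    print("blank group, persisted in endpoint DB:", result["in_db"])
    print("blank group, Context Visibility only :", result["cv_only"])
    print("OUI breakdown:", oui_histogram(result["in_db"] + result["cv_only"]))
```

Entries that show up only in Context Visibility are candidates for the Redis-versus-database mismatch Craig mentions, while those persisted in the DB are the ones a purge policy or OUI-based profiling policy could actually reach.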

Hi @ognyan_sabev  - I don't use Profiling because we don't have the requirement or the licenses.  Perhaps in future.  For now I just want to be able to know how to manage all the endpoints that my ISE deployment is collecting.  I would think that most of these endpoints are due to users connecting to the Guest SSID out of curiosity/ignorance and then ISE keeps them forever more.  If they ended up in the Unknown Group, then I could clean out the garbage once a day and be happy.

To chyps  - the answer was useful but also somewhat troubling, since there are a number of factors, all of which seem out of my control.  I have done the GetAllEndpoints and then downloaded the  FullReport from the PAN.   I can see a lot of endpoints and it raises a lot of questions about how they got there.

This goes back to my question/request for Cisco to create a webinar that goes into the lifecycle of the Endpoint to give engineers like myself an appreciation of how Endpoints are treated in ISE.  I don't need to have a profiling session (profiling is a conscious effort and there is enough doco on that) - I want to know what ISE does when I don't enable profiling.

I have also registered for the EAT Tool - awaiting registration email.  Keen to see what that can tell me.

Probably will need to open a TAC case to take out the garbage entries.  No idea.  I really love this forum, but I often ask myself why I even need to be spending my cycles on this kind of stuff (as much as it excites the techy in me)?

It certainly doesn't add any business value to me or my customers.

Hi Arne,

I had over 700K entries in the unknown endpoint group and I was able to make it 170K using the purge policy. Did you find any solution to the blank endpoint entries? I have another 150K+ entries in that "group" I would like to remove. Wondering if ISE 2.7 has the permanent fix for that issue.

thanks

Hi @ajc  - I have not touched this stuff in years - I can't really comment - perhaps it was a bug and is now fixed.