Re: https//ise_ip_address/ers/sdk is very slow in ISE 3.0 patch 3

david.tran · ‎08-08-2021

Has anyone run into this issue before?

I build a new 2.7 patch 4 on SNS-3655 and then import the 2.2 patch 17 backup configuration into ISE 2.7 patch-4 SNS-3655. After that, I upgrade the SNS-3655 to ISE 3.0. After the upgrade, I then patch it with patch-3. I have to do it this way because going directly from ISE 2.2 to ISE 3.0 is not supported. It has to go to ISE 2.7 first.

Everything appears to work well, except when I try to use access API via https://ise_ip_address/ers/sdk

it takes 15 seconds to access the API.

In ISE 2.2 patch 17, it takes less than 0.1 second to access the API.

The TAC engineer is able to reproduce this issue with the backup I provided to him. I am waiting for an update from TAC. In the meantime, has anyone seen this before?

balaji.bandi · ‎08-08-2021

Looks for me maybe a Bug CSCvs96560

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/release_notes/b_ise_30_rn.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

david.tran · ‎08-08-2021

@balaji.bandi: How is that bug related to my issue? I have less than 3000 endpoints, 2805 to be exact.

Furthermore, the bug ID stated that the issue fixed in version 3.0. Well, I am running 3.0 patch 3.

balaji.bandi · ‎08-08-2021

Sure i can understand, as I mentioned may be related to a bug, several occasion my experience the bug fixed, it reappeared even though it was resolved.

ISE 3.0 is new so I would suggest and stick your follow-up "I am waiting for an update from TAC." please do post outcome, so we know what was resolution.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

thomas · ‎08-10-2021

You said you already have a TAC case and TAC was able to reproduce it.

Please say that first so you don't waste people's time researching and troubleshooting it.

david.tran · ‎08-10-2021

@thomas: did you read my original post?

thomas · ‎08-10-2021

Yes. If you have a TAC case open, please work with TAC.

david.tran · ‎08-12-2021

According to Cisco TAC, this is a bug: CSCvt05942

balaji.bandi · ‎08-12-2021

AS mentioned the bug related you mentioned 2.6, but you are running ISE 3.0, it should be fixed technically isn't it. so some bugs re-occur due to code portability and some testing might have been missed.

what version you go now, you already top of the version ?

any hot fix TAC suggested to fix?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

david.tran · ‎08-19-2021

I am running ISE 3.0 patch-3. I don't want to use ISE 2.7 because version 2.7 was released over two years ago and Cisco has already come out with 3.1 Pretty soon, Cisco will stop putting new features in ISE 2.7, if it already has.

Cisco has changed the way ers_user authenticate. Prior to version 2.2, if you define ers_user as "internal", if will NOT reach out to external authentication server even if you set the Administration to external radius/AD servers. With the ISE 3.0, with the same setup, ers_user will follow whatever you set in Administration--> System --> Admin Access--> Authentication Method. If you set this to external authentication, you will likely run into issues.

hslai · ‎08-18-2021

Same symptom also reported in CSCvx99151.