ISE 1.4 running in VM has issues

rys
Level 1

Dear friends,

We have ISE 1.4 patch 3 running in a VM for our guest access to the internet.

It has 4 nodes: 1 Admin, 1 Mon, and 2 Policy nodes.

Each has 32 GB RAM and 600 GB HDD.

Our wireless infra is a foreign-anchor setup running on ver 7.6.

The main issue we are encountering is that users get an IP while connecting to the guest SSID but are not able to access the internet.

This issue is intermittent, and sometimes the user has to reboot and reset their device a few times to get connected.

Is there any limitation in ISE running in a VM? We sized the VM as per Cisco.

Please advise what we can do to resolve this issue.

Thanks

rYs

4 Replies

Tim Steele
Level 1

Lots of customers use VMs, so that is not an issue in and of itself. Did you deploy the OVA and not edit the resources? The CPU and RAM need to be dedicated, and the storage should be thick provisioned (lazy zeroed).

Anyway, that's not related to your guest problem. When you look on the WLC at Monitor > Clients and click on your guest endpoint's MAC address, does it show the client in the RUN state during the time it is having this issue?

You mention that the guest can't get to the internet, but you didn't mention anything about the guest portal. I assume they are getting to the guest portal successfully? In ISE Live Authentications, are you seeing what you expect? Is the guest endpoint getting your CWA authz profile for the guest portal and then getting your Internet-only authz profile for guest access?

Make sure you have RFC3576 enabled on your RADIUS authentication server config on the WLC. Also, do you have AAA Override enabled and RADIUS NAC enabled in the WLAN Advanced tab?

As a side note, also make sure you don't have RADIUS accounting configured in the WLAN on the anchor WLC.

Tim

Hi Tim,

I am not sure whether the VM specs are dedicated or not.

While checking the MAC address of the client having the issue, it shows as 'RUN' in the WLC, and ISE also shows authentication succeeded.

We are using the guest hotspot with the ACL redirect feature in ISE, where users are able to see the AUP once they connect to the guest SSID and open any browser.

The issue is mainly that users are able to connect but are not getting the AUP in their browser; Apple users get an error like "cannot verify <psn ip>" while connecting to the guest SSID.

We have enabled RFC3576, AAA override and RADIUS, and accounting is disabled at the anchor WLC.

What is more confusing is that the same users do not get these issues all the time. It seems intermittent.

We have 2 PSN nodes; the second one shows memory utilization at 60% even though it is configured as the second PSN in the WLC.

Thanks

Riyas Rasheed

Riyas,

I should have been more specific, sorry about that. Take a look at Monitor > Clients on the anchor WLC, not the foreign. If the endpoint is not able to reach the Guest Portal, the Policy Manager State should say CENTRAL_WEB_AUTH (as should the Radius NAC State). You should also see your AAA Override ACL NAME listed, and the Redirect URL too. You might also look at the Msg Log found at Management > Logs > Message logs to see if there are any clues.

When the issue occurs, have you happened to notice if the endpoint still has its IP address?

You could also go for a client debug on the WLC while you reproduce the issue. You do that by opening an SSH session to the WLC (anchor again) and issuing this command with your endpoint's MAC address: "debug client 00:11:22:33:44:55".

If this is truly intermittent on the same endpoints, it sounds more like a WLC code issue. You are running 7.6.130.0, I presume? That code has been deferred, and there is quite a bit of discussion about issues on that version of code; lots of engineering releases after 7.6.130.0 hit CCO. The current recommended code level is 8.0.120.0. I'm not one for upgrading as a troubleshooting step, but you might review the release notes of all the bugs detailed for that train of code. Take a look at this thread:

https://supportforums.cisco.com/document/12481821/tac-recommended-aireos

And, maybe review this post:

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-TAC-Recommended-AireOS.html?cachemode=refresh

Tim

Hi Tim,

Thanks for your valuable comments.

Yes, we have noticed in the anchor WLC that for the user having the issue, the MAC address is not in "RUN" in the policy server state. But what is confusing is that the MAC addresses of some users who reported the issue can be seen as "RUN" in the policy server state. In both cases, after clearing the MAC address and trying again, they are able to connect.

Users are getting an IP address while connecting to the guest SSID, but not getting the AUP page when opening a browser. Also, the user complaints are more frequent when the number of users accessing the guest SSID goes above 500.

Most of them are able to connect after clearing their MAC address from the WLC and ISE.

But users are not happy to be asked to do this every time.

Yes, it seems we need to consider upgrading the IOS from 7.6 to 8 to resolve most of these issues.

Thanks