ISE 2.0 Live Log Slowness

paul
Level 10

I am working on a 30-40k node deployment that is running ISE 2.0 patch 3. The customer has arrived at ISE 2.0 patch 3 through various ISE upgrades over the past few years. The customer is using 3495 appliances with dedicated M&T nodes.

The live log is extremely slow and the M&T nodes are running high CPU. As we start to get more aggressive with our purging the performance gets better, but I have a suspicion that the database in general just needs to be completely rebuilt to get a fresh start, but I am not exactly sure of the process to do that. I don't want to preserve any data in the database. I just want a clean ISE 2.0 structured M&T database.

I am working on other ISE 2.0 deployments with similar or larger endpoints and I have no issues with Live Logs or reports and we haven't had to change the default purging policy.

We do have a TAC case open on this but it has gone nowhere.

Any thoughts would be appreciated.

Accepted Solutions

howon
Cisco Employee

Since the MnT nodes are dedicated, the customer can deregister the MnT node, reset the configuration and then add it back to the deployment. Assuming the customer is not interested in the old logs:

1. Deregister secondary MnT

2. Run 'application reset-config ise' (Or reinstall ISE from ISO + any patches to match the deployment)

3. Register secondary MnT back to the deployment

4. Repeat #1-3 for primary MnT

Hosuk

8 Replies

howon
Cisco Employee

Paul, 33xx h/w does not support 2.0 and above. See:

Release Notes for Cisco Identity Services Engine, Release 2.0 - Cisco

paul
Level 10

Sorry, my fault, I meant 3495 appliances. I have modified the original question.

Thanks.

Hosuk,

Thanks for the quick response!

For some reason I thought when I added the 2nd MnT back into the deployment it would sync data from the primary and would defeat the purpose of the reset.  Is that not true?

I have never really looked at what is sync'd between the primary and secondary M&T nodes.

Thanks again for the responses.

howon
Cisco Employee

Like Hsing-Tsu mentioned, I would advise continuing to work with the TAC. But to answer your question, in the case of MnT, both primary and secondary get a copy of the logs individually without relying on synchronization.

hslai
Cisco Employee

If the currently assigned TAC is not helpful, you may either ask for a re-queue or request escalating it to our escalation team. It might hit some known issue. For example, the continuous refresh at the TrustSec dashboard has been shown to be a problem.

henrikj
Level 1

Hi

Do you by any chance have a TAC case number? I have the same issue.

Regards, henrik

Please keep in mind this community is more for technical, design, and product feature inquiries.

It's not for troubleshooting break/fix, which should be designated to the TAC and their community.