jan.nielsen
Rising star

ISE 2.2 Context Visibility and Endpoint Groups numbers differ

Hi Everyone,


I am having some issues when trying to export a list of MAC addresses from Context Visibility (since the endpoints list has been removed now). When I look at the Endpoint Groups menu in Administration/Identity Management, it lists a number of MAC addresses in some endpoint groups that I created; in Context Visibility, the number of MAC addresses does not match for that group, and there seem to be more MAC addresses than listed in the group. Since Context Visibility is the only place to export MAC addresses now, I am a little concerned that these numbers don't match. Also, I am seeing groups where there are MAC addresses in the group, but Context Visibility lists it as empty.


Has anyone found this issue as well? I have tried Chrome, Firefox and IE, so it is not a browser issue.

Jan

Arne Bier
VIP Advisor

I have not looked that closely to see if the numbers match, but I have quite a few questions around this topic and I have asked Cisco numerous times to please explain the endpoint lifecycle inside of ISE. No replies so far.

I can crash my ISE 2.3p1 PAN if I select more than 100 endpoints in the GUI. And I keep seeing endpoints that have a 'blank' Endpoint Identity Group.


Have you tried exporting the Endpoint database from the PAN, using the command

application configure ise

I don't know if that will be much different from what the Context Visibility export shows you. But there is a lot of information in that PAN export.


I would suggest to ask your question over at the ISE Community forum because it seems that more Cisco engineers lurk there.

Failing that, open a TAC case.

Thanks for the suggestion, I tried this already and the problem is that with 1.4 million endpoints this takes a very long time, as you cannot sort which endpoints you want. What I actually ended up doing was using the REST API to pick endpoints from specific endpoint groups that are used for MAB in the ISE, and then I created a CSV file for importing via the GUI, which I will do after deleting all MAC addresses from ISE. I also have around 800,000-900,000 MAC addresses with just a "blank" identity group; these cannot be purged via endpoint purging rules either.

Hi Jan


I have the same issue with the many identities with a blank endpoint identity group. I have raised this with TAC and the best they could come up with was to save a custom filter in the Context Visibility page that filters on that group being 'EMPTY'. That works manually. But it would be nice to have a purge rule for this, as you mentioned. I raised an enhancement request, CSCvg46494, and this is supposed to be in ISE 2.4. I have not checked whether the latest 2.4 beta has this fix or not.

I am still waiting for a Cisco TME to explain how all this stuff works, because that would maybe help.

The REST API approach sounds interesting. I would like to know more about how you did that (view the script etc.).

I actually just used curl from a command line and called the API call that gives me all endpoint groups and their IDs. Then I used the filter function on the get-all-endpoints API call to get the MAC addresses from each group that I wanted to re-import after deleting all MAC addresses. https://ise:9060/ers/config/endpointgroup https://ise:9060/ers/config/endpoint?filter=groupId.EQ.id-number-of-the-group
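The two ERS calls above, worked into a script that follows pagination, de-duplicates the MACs and writes a CSV for re-import. This is an added example, not Jan's curl commands; it assumes ERS on port 9060, an account with ERS read rights, the SearchResult/nextPage JSON shape of ERS, that an endpoint's ERS name is its MAC, and the header columns of the 2.x endpoint import template.

```python
import base64, csv, io, json, re, urllib.request
from typing import Callable, Dict, Iterable, List

Fetch = Callable[[str], dict]  # maps an ERS URL to its decoded JSON body

def make_fetch(user: str, password: str) -> Fetch:
    """Fetcher for ERS (port 9060): HTTP basic auth, JSON, default TLS verification kept on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Accept": "application/json",
                                                   "Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch

def paged_resources(fetch: Fetch, url: str) -> Iterable[dict]:
    """Yield every SearchResult entry, following nextPage links (ERS pages are capped at 100)."""
    while url:
        result = fetch(url)["SearchResult"]
        yield from result.get("resources", [])
        url = (result.get("nextPage") or {}).get("href")

def normalise_mac(raw: str) -> str:
    """Canonical AA:BB:CC:DD:EE:FF form, or '' when the value is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else ""

def endpoint_groups(fetch: Fetch, base: str) -> Dict[str, str]:
    """{group name: group id} from /ers/config/endpointgroup."""
    return {g["name"]: g["id"]
            for g in paged_resources(fetch, f"{base}/ers/config/endpointgroup?size=100")}

def group_macs(fetch: Fetch, base: str, group_id: str) -> List[str]:
    """De-duplicated MACs of endpoints whose groupId matches (the filter from the thread).
    Assumption: an endpoint's ERS 'name' is its MAC address; unparsable values are dropped."""
    url = f"{base}/ers/config/endpoint?size=100&filter=groupId.EQ.{group_id}"
    return list({m: None for ep in paged_resources(fetch, url) if (m := normalise_mac(ep["name"]))})

def export_groups(fetch: Fetch, base: str, wanted: Iterable[str]) -> str:
    """CSV laid out like the ISE endpoint import template (header assumed from the 2.x template;
    compare with the template downloaded from your own PAN). Unknown group names raise KeyError."""
    groups = endpoint_groups(fetch, base)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["MACAddress", "EndPointPolicy", "IdentityGroup", "Description"])
    for name in wanted:
        for mac in group_macs(fetch, base, groups[name]):
            writer.writerow([mac, "", name, "re-import via ERS"])
    return buf.getvalue()
```

Run it as `export_groups(make_fetch("ers-user", "secret"), "https://ise:9060", ["MAB-Printers"])` and write the returned text to a file; a group that exists in the Oracle DB but not in ERS output will show up as a missing name rather than a silently short file.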
ajc
Rising star

Those numbers are not the same because Context Visibility DB (CV DB) sometimes has problems synchronizing with the Oracle DB (the actual DB on ISE). I have seen that on 2.2 patch 4. One option available is Reset ContextV DB option 19 as was mentioned before, and wait a few hours (we have seen more than 3 hours in our 400K+ DB). But looks like the API approach you found is much better.

ISE/admin# application configure ise

Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Reset Context Visibility
[20]Synchronize Context Visibility With Database
[21]Exit

There are other issues with the export CSV file option in the ContextV, so the numbers do not match the Oracle DB. I have also seen duplicated entries in that exported CSV file. No solution available yet.


There is another identified issue. If the authentication fails for any reason, the end-user device is still added to the ContextV DB with an endpoint group value equal to blank, unknown or profiled. So, if you try to manually add that entry assuming it does not exist, it will not work. You have to search for the entry first and then manually modify the MAC parameters, like the Endpoint Group profile, to make it work if you are using MAB authentication. I always use the import CSV file in the ContextV tab.


All the authenticated devices are automatically profiled, no matter if you have profiling DISABLED on each PSN. That means anything, authenticated or not, has an Endpoint Group of Empty (blank), Profiled or Unknown. Check particularly for UNKNOWN and you will probably see a huge number of entries in your case.


I suspect you will have to repeat the manual process multiple times using the API approach. The expected PURGE policy only allows you to remove 10K entries per hour, so in the end it is not an option for deployments with hundreds of thousands of entries in the DB.


As you said, nothing to do with browsers.
