I am having some issues when trying to export a list of MAC addresses from Context Visibility (since the endpoints list has been removed now). When I look at the Endpoint Groups menu in Administration/Identity Management, it lists a number of MAC addresses in some endpoint groups that I created; in Context Visibility that number of MAC addresses does not match for that group, and there seem to be more MAC addresses than listed in the group. Since Context Visibility is the only place to export MAC addresses now, I am a little concerned that these numbers don't match. Also, I am seeing groups where there are MAC addresses in the group, but Context Visibility lists it as empty.
Has anyone found this issue as well? I have tried Chrome, Firefox and IE, so not a browser issue.
I have not looked that closely to see if the numbers match, but I have quite a few questions around this topic and I have asked Cisco numerous times to please explain the Endpoints lifecycle inside of ISE. No replies so far.
I can crash my ISE 2.3p1 PAN if I select more than 100 endpoints in the GUI. And I keep seeing endpoints that have a 'blank' Endpoint Identity Group.
Have you tried exporting the Endpoint database from the PAN, using the command
application configure ise
I don't know if that will be much different to what the Context Visibility export shows you. But there is a lot of information in that PAN export.
I would suggest asking your question over at the ISE Community forum because it seems that more Cisco engineers lurk there.
Failing that, open a TAC case.
I have the same issue with the many identities with blank endpoint identity group. I have raised this with TAC and the best they could come up with was to save a custom filter in the Context Visibility page that filters on that group being 'EMPTY'. That works manually. But would be nice to have a purge rule for this as you mentioned. I raised an enhancement request CSCvg46494 and this is supposed to be in ISE 2.4. I have not checked whether the latest 2.4beta has this fix or not.
I am still waiting for a Cisco TME to explain how all this stuff works - because that would maybe help.
The REST API approach sounds interesting. I would like to know more about how you did that (view the script etc.)
Those numbers are not the same because Context Visibility DB (CV DB) sometimes has problems synchronizing with the Oracle DB (the actual DB on ISE). I have seen that on 2.2 patch 4. One option available is Reset ContextV DB option 19 as was mentioned before, and wait a few hours (we have seen more than 3 hours in our 400K+ DB). But looks like the API approach you found is much better.
ISE/admin# application configure ise
Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Reset Context Visibility
[20]Synchronize Context Visibility With Database
There are other issues with the export CSV file option in the ContextV, so the numbers do not match the Oracle DB. I have also seen duplicated entries in that exported CSV file. No solution available yet.
There is another identified issue. If the authentication fails for any reason, the end-user device is still added to the ContextV DB with an endpoint group value equal to blank, unknown or profiled. So, if you try to manually add that entry assuming it does not exist, it will not work. You have to search for the entry first and then manually modify the MAC parameters like Endpoint Group profile to make it work if you are using MAB authentication. I always use the import CSV file in the ContextV tab.
All the authenticated devices are automatically profiled no matter if you have the profiling DISABLED on each PSN. That means anything, authenticated or not, has an Endpoint Group of Empty (blank), profiled or unknown. Check particularly for the UNKNOWN and you probably will see a huge number of entries in your case.
I suspect you will have to repeat the manual process multiple times using the API approach. The PURGE policy expected only allows you to remove 10K entries per hour, so in the end it is not an option for deployments with hundreds of thousands of entries in the DB.
As you said, nothing to do with browsers.
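Added example, not written by any poster in this thread and not Cisco code: an offline way to reconcile a Context Visibility CSV export against a reference export, flagging the duplicated rows, blank-group entries and membership differences described above. The column names MACAddress and IdentityGroup, the function names and the sample rows are assumptions made for illustration; adjust them to the headers in your own export files.

```python
import csv
import io
import re
from collections import Counter

def norm_mac(raw):
    """Normalize common MAC notations to AA:BB:CC:DD:EE:FF; None if not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw or "").upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load(text, mac_col="MACAddress", group_col="IdentityGroup"):
    """Parse CSV text; return ({mac: group}, [macs that appear more than once])."""
    groups, seen, dups = {}, Counter(), []
    for row in csv.DictReader(io.StringIO(text)):
        mac = norm_mac(row.get(mac_col))
        if mac is None:
            continue  # skip rows without a usable MAC
        seen[mac] += 1
        if seen[mac] == 2:
            dups.append(mac)
        groups.setdefault(mac, (row.get(group_col) or "").strip())
    return groups, dups

def reconcile(reference_csv, cv_csv):
    """Compare a reference export with a Context Visibility export."""
    ref, _ = load(reference_csv)
    cv, dups = load(cv_csv)
    both = set(ref) & set(cv)
    return {
        "only_in_cv": sorted(set(cv) - set(ref)),
        "only_in_reference": sorted(set(ref) - set(cv)),
        "duplicates_in_cv": sorted(dups),
        "blank_group_in_cv": sorted(m for m, g in cv.items() if not g),
        "group_mismatch": sorted(m for m in both if ref[m] != cv[m]),
        "cv_group_counts": dict(Counter(g or "(blank)" for g in cv.values())),
    }

# Constructed sample data (not real endpoints); column names are assumed.
REFERENCE_CSV = """\
MACAddress,IdentityGroup
00:11:22:33:44:55,Printers
00-11-22-33-44-66,Printers
0011.2233.4477,Cameras
"""
CV_CSV = """\
MACAddress,IdentityGroup
00:11:22:33:44:55,Printers
00:11:22:33:44:55,Printers
00:11:22:33:44:66,
00:11:22:33:44:88,Unknown
"""

if __name__ == "__main__":
    for key, value in reconcile(REFERENCE_CSV, CV_CSV).items():
        print(f"{key}: {value}")
```
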