ISE 2.6 patch 2 not logging AAA authentication and AAA accounting log

cciesec2011
Level 3
Just recently migrated from ACS 5.7 to ISE 2.6 patch 2. What I found is that while I can successfully authenticate to Cisco routers and switches via TACACS+, the ISE log does not show any records of either TACACS authentication or TACACS accounting. I have a case opened with Cisco TAC but wonder if anyone has seen this issue. ISE 2.6 is definitely not worth the upgrade. I wish I had stayed with ISE 2.4 patch 9.
Accepted Solution

hslai
Cisco Employee

One thing new in 2.6 Patch 2 is that it enables ISE Messaging Services. If your deployment has not opened the additional port (TCP/8671) for the inter-node communication for this service, or has any issue with the system certificates for ISE Messaging, it might not work.

You might want to try turning it off.

Screen Shot 2019-09-26 at 20.36.31.png

6 Replies

@hslai wrote:

One thing new in 2.6 Patch 2 is that it enables ISE Messaging Services. If your deployment has not opened the additional port (TCP/8671) for the inter-node communication for this service, or has any issue with the system certificates for ISE Messaging, it might not work.

You might want to try turning it off.

Screen Shot 2019-09-26 at 20.36.31.png


1- The ISE Messaging service is running on both the Primary and Secondary node, because I see this with "show application status ise":

ISE1/admin# show application status ise | include Messaging
ISE Messaging Service running 10608
ISE1/admin#

ISE2/admin# show application status ise | include Messaging
ISE Messaging Service running 10686
ISE2/admin#

2- I have a firewall rule to allow bi-directional traffic between the primary and secondary node on TCP/8671.

What else could be the issue?

Did you try disabling the logging function to use the messaging service? I have had to do that in some of my 2.6 deployments to get logs to flow correctly.


@paul wrote:

Did you try disabling the logging function to use the messaging service? I have had to do that in some of my 2.6 deployments to get logs to flow correctly.


Yes, I did, and it starts working, but it does not explain why it is not working.

Because the ISE messaging service, while great in theory, is flaky at best. :)



Was this a fresh build of ISE or an upgrade? On the certificate screen, do you see certificates from the ISE internal CA assigned to the messaging service? There should be one on each node.



@paul wrote:
Because the ISE messaging service, while great in theory, is flaky at best. :)



Was this a fresh build of ISE or an upgrade? On the certificate screen, do you see certificates from the ISE internal CA assigned to the messaging service? There should be one on each node.

It was a fresh build of ISE. Yes, that's what I am seeing ("certificates from ISE internal CA assigned to the messaging service? There should be one on each node.") in the UI. I have a case opened with TAC.

You're right about ISE 2.6.  It is definitely flaky at best.
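The three preconditions raised in this thread for ISE Messaging to carry TACACS+ logs between nodes (the service running on every node, TCP/8671 reachable in both directions, and a messaging certificate from the ISE internal CA on every node) can be collected into one checklist. The script below is an added example, not from the thread or from Cisco; the node names, the `show application status ise` excerpts, the reachability results and the certificate flags are constructed sample data, and `port_open` is only a plain TCP connect test you would run from each node towards its peer.

```python
import re
import socket
from typing import Dict, List, Optional

# Matches the Messaging line of "show application status ise", e.g.
#   "ISE Messaging Service                  running      10608"
MESSAGING_RE = re.compile(
    r"ISE Messaging Service\s+(?P<state>not running|running|disabled)\s*(?P<pid>\d+)?"
)


def messaging_state(status_output: str) -> Optional[str]:
    """Return the state of the ISE Messaging Service from CLI output, or None if absent."""
    m = MESSAGING_RE.search(status_output)
    return m.group("state") if m else None


def port_open(host: str, port: int = 8671, timeout: float = 3.0) -> bool:
    """TCP connect test for the inter-node messaging port (network-dependent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def messaging_findings(status: Dict[str, str], reach: Dict[str, bool],
                       cert_ok: Dict[str, bool]) -> List[str]:
    """status: node -> CLI output; reach: 'A->B' -> TCP/8671 reachable; cert_ok: node -> bool."""
    findings = []
    for node, output in status.items():
        state = messaging_state(output)
        if state != "running":
            findings.append(f"{node}: ISE Messaging Service state is {state!r}, expected 'running'")
        if not cert_ok.get(node, False):
            findings.append(f"{node}: no certificate from the ISE internal CA assigned to ISE Messaging")
    for path, ok in reach.items():
        if not ok:
            findings.append(f"{path}: TCP/8671 not reachable; check the firewall rule in this direction")
    return findings


# Constructed sample: both services run, but ISE2 -> ISE1 is blocked and ISE2 lacks a messaging cert.
SAMPLE_STATUS = {
    "ISE1": "ISE Messaging Service                  running      10608\n",
    "ISE2": "ISE Messaging Service                  running      10686\n",
}
SAMPLE_REACH = {"ISE1->ISE2": True, "ISE2->ISE1": False}
SAMPLE_CERTS = {"ISE1": True, "ISE2": False}

if __name__ == "__main__":
    for finding in messaging_findings(SAMPLE_STATUS, SAMPLE_REACH, SAMPLE_CERTS):
        print(finding)
```

An empty findings list means the three conditions hslai and paul asked about are satisfied; anything left should be resolved before disabling the messaging path for logging.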