Thanks Raffy.

Very strange. I had started and stopped ISE service, but the trust mappings in the root and intermediate certificate didn't take effect until the servers had been rebooted.

Installing the certificate and rebooting isn't enough. You must check the box for "Trust for certificate based admin authentication" for each root and intermediate certificate before rebooting.

Well If any Cisco Employees read this please note that ISE is affected of the same bug as mentioned in CSCvp75207.

As I understand in release 2.4 a patch 9 is scheduled, and I really hope for a third patch for 2.6 release.

Mapping all these certificate trusts seems to be a strange security implementation...

If anyone is still follows this thread.

I rebooted the servers last week and everything seemed OK, but suddenly I noticed that the Radius live log and Live sesions are stating "No data found"

I have rebooted all servers again, and all gueest authenication and CoA is working properly.but still the Radius Live log is not displaying ANY data!

Deployment status is still OK

Somehow these logging windows are not presenting any data, but authentication details can be obtained from the Metrics window at the Home screen.

Hi mate, 

that should be a bug right there.

I had similar experience with no live logs back when i was running 2.2

Cisco TAC contacted developers and they had to do root access to ISE vault and somehow cleared the database.

They will provide you the steps on how to generate key for that root access to ISE.

Just raise a high priority case with TAC.

cheers,

Raffy

Hi mate,

Btw, i remembered they asked me to clear cache on browser.

Relaunch the browser after that.

Also, ISE works best only on mozilla.

See if this works for you.

If not, then try to raise with TAC as I mentioned on my prev post.

cheers,

Raffy

Hi Raffy.

Thanks for your advise, but clearing the cache didn't help a bit.

Actually the page is blank in the data fields until the output "no data available" is shown.

Also I tried anothe browser and another station. Same issue.

- I found this bug on 2.6: CSCvo80516 - ISE 2.6 LiveLogs not seen and false Health Status is Unavailable alarm

I have opened a TAC case for the initial error, but have also found another bug - "Queue Link Error" (CSCvp45528)

I'll post whatever outcome of this TAC case. (opened on monday, but no action yet)

Regards

Hi @Mats Nilson 

I was about to advise a customer to patch their new ISE 2.6 deployment and looks like patch 2 is a bad idea?  What I don't understand is why a reboot fixes this issue, since applying a patch will result in a reboot anyway.  So it's a reboot after a reboot?

Queue Link error is present in the vanilla version of ISE 2.6 - I regenerated the internal CA store in ISE to try stop that error. I have not checked in recently to see whether it's fixed.

Hi Arne.

I must clarify.

The portal certificate complete with the chain was installed before the both patch 1 and 2.

Reboot didn't solve this issue alone.

I had to mark trust for authentication within ISE for both root and intermediate certificate AND then reboot.

Stopping ISE service didn't help. Only Reboot efter changing trust.

You say regenerating internal CA store should fix the Queue Link Error?

Haven't done that before - do you have any guidelines?

I don't wast to mess up this installation any more than today... ;-)

Sincere Regards

Hi @Mats Nilson 

The Queue Link Error was caused due to a bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred

Relating to the internal CA cert. The recommended fix was to re-generate the internal CA structure. Non service impacting, assuming that the ISE does not use internal CA (for BYOD)

It seems to have fixed the issue in my customer's ISE 2.6 (no patch applied).

regards

Arne

Hi RaffyLingodan,which version of ISE you were using?