
ISE 2.7 Node shows no data available in System Summary

Tinman-E
Level 1

Hello,

I applied patch 2 on my deployment 17 days ago. To the best of my recollection, the System Summary page showed data for all 8 of my nodes. This AM, as I was checking, my PAN shows no data available for itself, but the other 7 nodes show data. It shows green and good in the deployment screen, and it appears all proper processes are running. Any thoughts on what to check? -Thx.

Accepted Solutions

Tinman-E
Level 1

Hello All,

I opened a TAC case on this a while back. The fix: Administration --> System --> Logging --> Log Settings. Uncheck the box "Use "ISE Messaging Service" for UDP Syslogs delivery to MnT". That resolved the problem of my PAN not showing the stats. Below is the write-up the TAC engineer provided as to the reason.

Cisco ISE Release 2.6 offers MnT WAN Survivability for the default, built-in UDP syslog collection targets, LogCollector and LogCollector2. This survivability is enabled by the option Use "ISE Messaging Service" for UDP Syslogs delivery to MnT (in the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Log Settings). When you enable this option, the UDP syslogs are protected by Transport Layer Security (TLS).

The Use "ISE Messaging Service" for UDP Syslogs delivery to MnT option is disabled by default in Cisco ISE Release 2.6, First Customer Ship (FCS). This option is enabled by default in Cisco ISE Release 2.6 Cumulative Patch 2 and later releases.

Using the Cisco ISE messaging service for UDP syslogs retains the operational data for a finite duration even when the MnT node is unreachable. The MnT WAN Survivability period is approximately 2 hours and 30 mins.

This service uses TCP port 8671. Please configure your network accordingly and allow the connections to TCP port 8671 on each Cisco ISE node from all other Cisco ISE nodes in the deployment. The following features also use Cisco ISE messaging service: Light Session Directory (see the section "Light Session Directory" in Chapter "Set Up Cisco ISE in a Distributed Environment" in Cisco Identity Service Engine Administrator Guide), and Profiler Persistence Queue.

As described in the ISE 2.7 admin guide: hxxps://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_deployment.html

Based on previous cases, this service may cause some issues like the one you were experiencing. If this option is disabled, the functionality remains the same as in the earlier releases.
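
A way to check the port requirement from the TAC write-up against a firewall policy, as an added example that is not part of the original thread or of Cisco's tooling: it enumerates every ordered pair of ISE nodes and evaluates a simplified first-match rule list for TCP 8671. The node names, addresses and rule format are constructed for illustration.

```python
import ipaddress
from itertools import permutations

ISE_MESSAGING_PORT = 8671  # TCP port named in the TAC write-up

# Constructed sample data: node addresses and a simplified first-match rule list
# (action, source network, destination network, TCP port or None for any port).
NODES = {"pan1": "10.1.0.10", "mnt1": "10.1.0.20", "psn1": "10.2.0.30", "psn2": "10.3.0.40"}
RULES = [
    ("permit", "10.1.0.0/24", "10.1.0.0/24", None),
    ("permit", "10.2.0.0/24", "10.1.0.0/24", 8671),
    ("permit", "10.1.0.0/24", "10.2.0.0/24", 8671),
    ("permit", "10.3.0.0/24", "10.1.0.20/32", 8671),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def first_match(rules, src, dst, port):
    """Return the action of the first rule matching src -> dst:port ('deny' if none match)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"  # implicit deny when no rule matches

def missing_flows(nodes, rules, port=ISE_MESSAGING_PORT):
    """List (source node, destination node) pairs whose traffic to `port` is not permitted."""
    return [(a, b) for a, b in permutations(sorted(nodes), 2)
            if first_match(rules, nodes[a], nodes[b], port) != "permit"]

if __name__ == "__main__":
    # Every node must accept TCP 8671 from every other node, so n nodes need n*(n-1) flows.
    for src, dst in missing_flows(NODES, RULES):
        print(f"blocked: {src} ({NODES[src]}) -> {dst} ({NODES[dst]}) tcp/{ISE_MESSAGING_PORT}")
```

With the sample rules, the node in the third site (psn2) can reach only the MnT node, which is the kind of partial mesh the "from all other Cisco ISE nodes" requirement rules out.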


5 Replies

Ruben Cocheno
Spotlight

@Tinman-E 

It happened to me a while ago, but after a reboot it worked like a charm. Something under the "hood". If it doesn't come up, just ring TAC, so they are probably your next best person to go with.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Xividar
Level 1

I have this issue + my Live Logs is not displaying any RADIUS requests. ISE 2.7, Patch 2. Is there a fix for this?

Hi @Xividar 

Are you receiving a Queue Link Error alarm?

Try to generate a new Root CA:

Administration > System > Certificates > Certificate Authority > Internal CA Settings > Enable Certificate Authority.
Administration > System > Certificates > Certificate Management > Certificate Signing Request (CSR).
 Certificate(s) will be used for: ISE Root CA

Hope this helps !!!

Mike.Cifelli
VIP Alumni

I had a similar issue back in October when I moved a cluster to 2.7.  Not sure if we have the same issue, but mine was related to the following bug: Radius/T+ live logs blank and queue link error alarm bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred

HTH!
