09-08-2020 09:17 AM
Hello,
I applied patch 2 on my deployment 17 days ago. To the best of my recollection, the System Summary page showed data for all 8 of my nodes. This AM, as I was checking, my PAN shows no data available for itself, but the other 7 nodes show data. It shows green and good in the deployment screen, and it appears all proper processes are running. Any thoughts on what to check? -Thx.
Accepted Solutions
02-03-2021 04:35 AM
Hello All,
I opened a TAC case on this a while back. The fix: Administration > System > Logging > Log Settings. Uncheck the box "Use "ISE Messaging Service" for UDP Syslogs delivery to MnT". That resolved the problem of my PAN not showing the stats. Below is the write-up the TAC engineer provided as to the reason.
Cisco ISE Release 2.6 offers MnT WAN Survivability for the default, built-in UDP syslog collection targets, LogCollector and LogCollector2. This survivability is enabled by the option Use "ISE Messaging Service" for UDP Syslogs delivery to MnT (in the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Log Settings). When you enable this option, the UDP syslogs are protected by Transport Layer Security (TLS).
The Use "ISE Messaging Service" for UDP Syslogs delivery to MnT option is disabled by default in Cisco ISE Release 2.6, First Customer Ship (FCS). This option is enabled by default in Cisco ISE Release 2.6 Cumulative Patch 2 and later releases.
Using the Cisco ISE messaging service for UDP syslogs retains the operational data for a finite duration even when the MnT node is unreachable. The MnT WAN Survivability period is approximately 2 hours and 30 mins.
This service uses TCP port 8671. Please configure your network accordingly and allow the connections to TCP port 8671 on each Cisco ISE node from all other Cisco ISE nodes in the deployment. The following features also use Cisco ISE messaging service: Light Session Directory (see the section "Light Session Directory" in Chapter "Set Up Cisco ISE in a Distributed Environment" in Cisco Identity Service Engine Administrator Guide) and Profiler Persistence Queue.
As described in the ISE 2.7 admin guide: hxxps://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_deployment.html
Based on previous cases, this service may cause some issues like the one you were experiencing. If this option is disabled, the functionality remains the same as in the earlier releases.
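The TAC write-up above asks for TCP port 8671 to be reachable on every ISE node from every other node. As an added example (not from the original post or from Cisco), this Python script probes that port on a list of nodes from the machine it runs on and separates a refused connection from a silently dropped one. The host names are constructed placeholders, and a result taken from an admin workstation reflects only that workstation's network path, not the node-to-node paths.

```python
import socket
import sys

ISE_MESSAGING_PORT = 8671  # TCP port named in the TAC write-up


def probe(host, port=ISE_MESSAGING_PORT, timeout=3.0):
    """Classify one TCP connection attempt to the messaging port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # three-way handshake completed
    except socket.gaierror:
        return "dns-failure"       # name did not resolve
    except ConnectionRefusedError:
        return "refused"           # host answered, nothing listening on the port
    except (socket.timeout, TimeoutError):
        return "filtered"          # no answer; typically dropped by a firewall/ACL
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


def check_nodes(nodes, port=ISE_MESSAGING_PORT, timeout=3.0):
    """Probe every node and return {node: status}."""
    return {node: probe(node, port, timeout) for node in nodes}


def unreachable(results):
    """Nodes whose messaging port could not be opened, in input order."""
    return [node for node, status in results.items() if status != "open"]


if __name__ == "__main__":
    # Constructed placeholder names; pass your own nodes as arguments.
    nodes = sys.argv[1:] or ["ise-pan.example.net", "ise-mnt.example.net"]
    results = check_nodes(nodes)
    for node, status in results.items():
        print(f"{node}:{ISE_MESSAGING_PORT} {status}")
    sys.exit(1 if unreachable(results) else 0)
```

A "filtered" result points at the network path between the two hosts, while "refused" means the host was reached but nothing accepted the connection on that port.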
09-09-2020 04:23 PM
It happened to me a while ago, but after a reboot it worked like a charm. Something under the "hood"; if it doesn't come up, just ring TAC, as they are probably your next best person to go with.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
02-03-2021 01:37 AM
I have this issue + my Live Logs is not displaying any RADIUS requests. ISE 2.7, Patch 2. Is there a fix for this?
02-03-2021 04:15 AM
Hi @Xividar
Are you receiving a Queue Link Error alarm?
Try to generate a new Root CA:
Administration > System > Certificates > Certificate Authority > Internal CA Settings > Enable Certificate Authority.
Administration > System > Certificates > Certificate Management > Certificate Signing Request (CSR).
Certificate(s) will be used for: ISE Root CA
Hope this helps!!!
02-03-2021 04:10 AM
I had a similar issue back in October when I moved a cluster to 2.7. Not sure if we have the same issue, but mine was related to the following bug: Radius/T+ live logs blank and queue link error alarm bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred
HTH!
