Re: ISE 3.1 Clarification on InactiveDays endpoint attriubute

marco.merlo · ‎03-07-2023

Hi to all,

as far as I understood when profiler service is not enabled InactiveDays attribute is useless in endpoint purge rules since its value is the same of ElapseDays, that is it does not store information about when the endopint has been "last seen".
Now We are running a 3.1 deployment with profiler service enabled, but witouth any policy rule that leverage on profiling. After enabling profiler service I did notice that much of the endpoints had been placed in the "Profiled" group. Anyway looking at an endpoint that is listed as "connected" I see that InactiveDays is not 0 but 14 (that should be the number of days from the last session id change).
Is anyone been able to use InactiveDays to understand I long an endpoint has been disconnected?
Regards
M

Arne Bier · ‎03-07-2023

I would have expected a "connected" endpoint to have InactiveDays set to 0 - at least, that's what I see in my ISE 3.1 - and ElapsedDays is set to the number of days when the endpoint was first added into ISE.

I also checked an endpoint that has been disconnected physically (I can confirm this) and ISE shows that the session is disconnected. Inactive days is 42 and elapsed days is 205. Those numbers are correct.

I am still searching for a detailed, engineering document that explains the life of an ISE endpoint, and internal session management in detail. And especially how to get things working again when there is a mismatch between the internal ISE database and the context visibility (which is a copy of the database).

You could try and re-sync the context visibility on the PAN:

application configure ise

[21] Synchronize Context Visibility With Database

It would be extremely useful to us all to have a flow chart of some sort that explains the logic behind it all. I think I understand it for a day and then I realise I missed some subtle point.

marco.merlo · ‎03-08-2023

Thanks Arne,

I tried and synch DB and context visibility but with no luck even after resetting the interface to which the endpoint was connected.

Now I disconnected the endpoint , deleted it from the DB and reconnected it.

Of course now both elapsed and inactive counters are set to 0.

Let's see what happens in the next days.

Regards

M

marco.merlo · ‎03-09-2023

Hi,

after 1 day the "new seen" endpoint has InactiveDays=Elapseddays=1.

It should be InactiveDays=0 ElapsedDays=1. I am definitely missing something...

Regards

M

hslai · ‎03-11-2023

@marco.merlo InactiveDays is based on Last Activity and ElapsedDays is based on Create Time.

NB: If your ISE 3.1 has not yet patched with Patch 5, please do that or apply the hotpatch for CSCwd45843

marco.merlo · ‎03-13-2023

Hi @hslai we installed patch 5 as soon as it was released becuase of

CSCwd30994

and installed the hp for

CSCwd97582

as well

Regards

M

robertwilkinson1 · ‎08-14-2023

I have been having a problem of inactive days not updating correctly for a few years from 2.6-3.1 now with multiple TAC opened. They have never figured out why. Also it's random, endpoint 1 will be accurate, but then endpoint 2 on same switch will be incorrect.