09-29-2022 03:45 PM
Hello Cisco ISE Experts,
The customer is concerned about switches with broken SXP or incomplete TrustSec configuration etc. What are the strategies for checking 500+ switches for health? The core is configured for SXP, and distribution and edge for inline propagation.
"WorkCenters > TrustSec > Overview > Dashboard" provides really off-the-scale information, so I decided to scalp actual network devices for stats/errors. I was hoping ISE will give some reports, but so far, it does not look like ISE reports will be enough. "SXP Connections" is completely empty. "SXP Devices" only lists devices with SXP peering.
The TrustSec Troubleshooting Guide contains a variety of commands, but perhaps you can recommend the killer ones. Or some unorthodox strategies.
10-03-2022 07:32 AM
The 'Verify Deploy' function found at the top of the ISE policy matrix is useful. It logs into devices (needs credentials under the Network Device entry), retrieves IP:SGT mappings and policies and checks if the correct policies are downloaded. Result shown at Operations > Reports > TrustSec > Trustsec Deployment Verification. Doesn't check SXP connections or inline tagging but gets to the heart of policy and enforcement.
09-29-2022 04:31 PM
BRKSEC-3690 Advanced Security Group Tags (SGT) The Detailed Walk Through recommends the following main commands:
SGACL Download Errors
• Validate AAA is reachable with “show aaa servers”
• Validate the device has a PAC with “show cts pac all”
• Validate the device can communicate with ISE by checking environment data with “show cts environment-data”
• Check ISE to make sure the SGACL is formatted properly
• No IP/SGT on switch because of an error in device tracking
• TrustSec communities Troubleshooting Guide https://communities.cisco.com/docs/DOC-69479
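To run the checklist above against hundreds of switches, the per-device output has to be parsed and compared to an expected state rather than eyeballed. The following is an added example, not code from the thread or from Cisco: it parses the output of "show cts environment-data", "show cts pac all" and "show cts sxp connections brief" and returns a list of problems per device. The sample outputs embedded in it are constructed to resemble IOS/IOS-XE output, so the field names and layout it matches on (Current state, Last status, PAC-type, Credential Lifetime, the Peer_IP/Conn Status table) are assumptions to verify against a real switch before relying on the regexes. Collecting the raw output over SSH (with a read-only account) is left to the operator; inline tagging is not checked here.

```python
# Added example (not from the thread or Cisco): offline health check of
# TrustSec state from the show-command output recommended in BRKSEC-3690.
# Sample outputs are CONSTRUCTED to resemble IOS/IOS-XE; verify the field
# names against a real device before using the regexes in production.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TrustSecHealth:
    device: str
    env_state: Optional[str] = None
    env_last_status: Optional[str] = None
    pac_present: bool = False
    pac_lifetime: Optional[str] = None
    sxp_peers: dict = field(default_factory=dict)   # peer IP -> Conn Status text
    problems: list = field(default_factory=list)


def parse_env_data(text):
    """'show cts environment-data' -> (Current state, Last status)."""
    state = re.search(r"Current state\s*=\s*(\S+)", text)
    last = re.search(r"Last status\s*=\s*(\S+)", text)
    return (state.group(1) if state else None, last.group(1) if last else None)


def parse_pac(text):
    """'show cts pac all' -> (a Cisco TrustSec PAC is installed, its lifetime)."""
    present = re.search(r"PAC-type\s*=\s*Cisco Trustsec", text) is not None
    life = re.search(r"Credential Lifetime:\s*(.+)", text)
    return present, (life.group(1).strip() if life else None)


# One row of the brief table: Peer_IP  Source_IP  Conn Status  Duration(dd:hr:mm:sec)
SXP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+\s+(.+?)\s+\d+:\d+:\d+:\d+", re.M)


def parse_sxp_brief(text):
    """'show cts sxp connections brief' -> {peer_ip: status}, e.g. 'On' or 'Off(...)'."""
    return {peer: status.strip() for peer, status in SXP_ROW.findall(text)}


def assess(device, env_text, pac_text, sxp_text="", expect_sxp=False):
    """Combine the three outputs into a TrustSecHealth with a list of problems."""
    h = TrustSecHealth(device)
    h.env_state, h.env_last_status = parse_env_data(env_text)
    h.pac_present, h.pac_lifetime = parse_pac(pac_text)
    h.sxp_peers = parse_sxp_brief(sxp_text)
    if not h.pac_present:
        h.problems.append("no TrustSec PAC installed (check device credentials on ISE)")
    if h.env_state != "COMPLETE":
        h.problems.append(f"environment data state {h.env_state or 'unknown'}, expected COMPLETE")
    if h.env_last_status != "Successful":
        h.problems.append(f"last env-data status {h.env_last_status or 'unknown'} (check AAA reachability)")
    if expect_sxp:
        if not h.sxp_peers:
            h.problems.append("no SXP connections on a device that should peer")
        for peer, status in h.sxp_peers.items():
            if not status.startswith("On"):
                h.problems.append(f"SXP peer {peer} is {status}")
    return h


def unhealthy(reports):
    """Names of devices that have at least one problem, for a fleet summary."""
    return [r.device for r in reports if r.problems]


# ---- constructed sample output (not captured from a real device) ----
CORE_ENV = """CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.1.100.21, port 1812, A-ID 5F5B4C45D6A1F2C2B3E4F5061728394A
  Status = ALIVE
"""
CORE_PAC = """  AID: 5F5B4C45D6A1F2C2B3E4F5061728394A
  PAC-Info:
    PAC-type = Cisco Trustsec
    I-ID: CORE-SW1
    A-ID-Info: Identity Services Engine
    Credential Lifetime: 09:15:22 UTC Sat Dec 31 2022
  PAC-Opaque: 000200B80003000100040010...
"""
CORE_SXP = """ SXP              : Enabled
 Highest Version Supported: 4
 Default Password : Set
 Default Source IP: 10.1.1.1
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status                        Duration
-----------------------------------------------------------------------------
10.1.100.21      10.1.1.1         On                                 3:22:45:10 (dd:hr:mm:sec)
10.1.100.22      10.1.1.1         Off(Listener Unreachable)          0:00:00:12 (dd:hr:mm:sec)

Total num of SXP Connections = 2
"""
EDGE_ENV = "CTS Environment Data\n====================\nCurrent state = INCOMPLETE\nLast status = Failed\n"
EDGE_PAC = "No PAC found\n"


def sample_run():
    """Assess one core (SXP expected) and one edge switch from the samples above."""
    return [assess("CORE-SW1", CORE_ENV, CORE_PAC, CORE_SXP, expect_sxp=True),
            assess("EDGE-SW7", EDGE_ENV, EDGE_PAC)]


if __name__ == "__main__":
    for r in sample_run():
        print(r.device, "OK" if not r.problems else "; ".join(r.problems))
```

On a fleet, feed each device's three outputs to assess() and print only the names returned by unhealthy(); the expect_sxp flag should be True for the core and distribution devices that are meant to peer and False for edge switches that rely on inline tagging, otherwise every edge switch is reported as missing SXP.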
09-30-2022 04:08 AM
I find the following useful on ISE 2.6 patch 7
To check on NADs successfully updating CTS environment data on ISE:
Go to Operations > Reports > Endpoints and Users > RADIUS Authentications
In the "Identity" search box enter #CTSREQUEST#
To check on ISE SXP peerings:
Go to Work Centers > Trustsec > SXP > SXP Devices
SXP device status for each device is shown as ON or OFF
hth
Andy
10-17-2022 05:05 AM
Verify Deploy generates "61031: TrustSec deploy verification failed to reach NAD" for each device (without exception). From your experience, what are the prerequisites?
Do I need to provide SSH credentials for each NAD/device? I tried to check the documentation but was not able to see the list of commands ISE will use on Cisco switches (in case one is willing to create a limited AAA set). I can see PAC status and "Send configuration changes to device Using > CoA" ticked, but no SSH credentials defined.
Your help is highly appreciated. Thanks!