cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3464
Views
10
Helpful
10
Replies

ISE BASE License 2.2 Count not decreasing after endpoint disconnects

chrisvanwyk
Level 1
Level 1

Hi

 

Base license count does not decrease if if the endpoints are not longer connected. Please advise on how to fix?

1 Accepted Solution

Accepted Solutions

Also, you might want to check this out to see the total active sessions and the active sessions by a switch on which you have removed the commands to see if there are any sessions and get additional details.

 

Login into your Primary MnT node first and then use these urls in a different tab to get the details and you might end up finding the cause then and there itself from the output/results of the API queries.

 

https://<Primary MnT node hostname>/admin/API/mnt/Session/ActiveCount

https://<Primary MnT node hostname>/admin/API/mnt/Session/IPAddress/<IP address of the switch>

 

More info on the APIs here :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ch2.html

 

View solution in original post

10 Replies 10

Arne Bier
VIP
VIP

Sounds bizarre.  How long have you waited? 

 

Is/are your NAS(s) sending Radius Accounting?  What kind of NAS do you have? 

 

Are you 100% sure that there are no live sessions being kept alive via the NAS Radius Accounting?  As long as ISE receives an Interim Update once in a while, it would keep the session alive.  I don't know how long ISE keeps the session alive after receiving the initial Accounting Start, but not the Accounting Stop (when session terminates). 

 

What patch are you  on?

Hi

 

Yes all configuration removed from the switches. 

Licensing in ISE is just a black box to use users.  If you haven't already tried to " application stop ise" and then start again, then I guess the TAC would have to check it out.  There is logic in ISE that should always release licenses back especially since not all customers can enable Accounting to perform licensing based on real session monitoring.

 

 

aaa accounting update newinfo periodic 2880 was set before configuration was removed. 

aaa accounting dot1x default start-stop group ISE

It is hard to say what the issue since there is no mention of patch used with ISE 2.2.

Please check the release notes to see if you see a fix in the patches that is relevant to the problem. Patch 10 is the latest.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html#pgfId-794220

 

In any case if you are still having issues please call TAC.

 

-Krishnan

Latest patch loaded. 

packetplumber9
Level 1
Level 1

Stale sessions that did not signal they are disconnecting are automatically purged after they are 5 days old.  

 

On 2.2 we hit a licensing bug at one point where the license count started increasing while the active endpoints stayed the same, even after waiting for the 5 day purge job.  At one point we had double the licenses consumed than active endpoints.  

One of my client deployments has had the opposite issue for the past year.  Active endpoints is accurate but there is zero license usage counted.  Free ISE! 

Also, you might want to check this out to see the total active sessions and the active sessions by a switch on which you have removed the commands to see if there are any sessions and get additional details.

 

Login into your Primary MnT node first and then use these urls in a different tab to get the details and you might end up finding the cause then and there itself from the output/results of the API queries.

 

https://<Primary MnT node hostname>/admin/API/mnt/Session/ActiveCount

https://<Primary MnT node hostname>/admin/API/mnt/Session/IPAddress/<IP address of the switch>

 

More info on the APIs here :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ch2.html