I have been receiving this error/notification message suggesting I should get in touch with a Cisco sales representative for more licenses, but having read through some of the other posts here it seems like it is not a license exhaustion issue. However, from Cisco's own explanation below, it seems to be a genuine license exhaustion issue:
Traditional License Consumption
You purchase licenses for the number of concurrent users on the system with Traditional Licensing. A Cisco ISE user consumes a license during an active session (always a Base; and a Plus and an Apex license, if you use the functionality covered by these licenses). Once the session ends, the license is released for reuse by other users.
Cisco ISE license architecture consumption logic relies on authorization policy constructs. Cisco ISE uses the dictionaries and attributes within authorization rules to determine the license to use.
The Cisco ISE license is counted as follows:
• A Base license is consumed for every active session. The same endpoint also consumes Plus and Apex licenses depending on the features that it is using.
• The endpoint consumes the Base license before it consumes a Plus and Apex license.
• The endpoint consumes the Plus license before it consumes an Apex license.
• One Plus license is consumed per endpoint for any assortment of the license's features. Likewise, one Apex license is consumed per endpoint for any assortment of its features.
• Licenses are counted against concurrent, active sessions.
• Licenses are released for all features when the endpoint's session ends.
• pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for a session is shared. However, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed. For more information, see the Cisco ISE Licenses and Services section in the Cisco Identity Services Engine Ordering Guide.
• One AnyConnect Apex user license is consumed by each user who uses AnyConnect regardless of the number of devices that the user owns and whether or not the user has an active connection to the network.
• You can enable the TACACS+ service by adding a Device Administration license on top of an existing Base or Mobility license.
To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generates an alarm when the endpoint count of the previous day exceeded the amount of licenses. You can view license consumption clearly from the License Usage area in the Licensing screen, where licenses that are consumed beyond the permitted quantity appear in red in the line graph.
So I am really not sure what to make of it. Do I need to take some action and get more licenses, or should I wait and evaluate for another few weeks?
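To make the counting rules quoted above concrete, here is an added example (not ISE code and not from the original post) that applies them to a few constructed RADIUS accounting events: one Base license per active session, one Plus and one Apex per endpoint that uses any feature of that tier, and a session that has a Start but never a Stop stays counted. The feature-to-tier mapping and the one-day staleness threshold are assumptions.

```python
"""Model of the per-session license counting quoted above, applied to constructed
RADIUS accounting events. Sessions with a Start but no Stop stay counted, which is
how sessions a NAD never closed inflate the licensed-session figure."""
from datetime import datetime, timedelta
# Assumed illustrative feature-to-tier mapping, not taken from the page.
PLUS_FEATURES = {"profiling", "byod", "pxgrid"}
APEX_FEATURES = {"posture", "mdm"}

# Constructed accounting events: (timestamp, session id, status, features used).
EVENTS = [
    ("2020-03-01 08:00", "s1", "Start", {"profiling"}),
    ("2020-03-01 08:05", "s2", "Start", {"posture", "profiling"}),
    ("2020-03-01 08:10", "s3", "Start", set()),
    ("2020-03-01 09:00", "s2", "Stop", set()),
    ("2020-03-03 08:00", "s4", "Start", {"byod"}),
]
NOW = datetime(2020, 3, 3, 12, 0)

def active_sessions(events, now=NOW):
    """Return {session id: (start time, features)} for sessions without a Stop."""
    active = {}
    for ts, sid, status, feats in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if when > now:
            break
        if status == "Start":
            active[sid] = (when, set(feats))
        elif status == "Stop":
            active.pop(sid, None)  # licenses released when the session ends
    return active

def license_usage(active):
    """Base per session; Plus/Apex once per endpoint using any feature of that tier."""
    return {
        "Base": len(active),
        "Plus": sum(1 for _, f in active.values() if f & PLUS_FEATURES),
        "Apex": sum(1 for _, f in active.values() if f & APEX_FEATURES),
    }

def over_entitlement(usage, entitlement):
    """Tiers where consumption exceeds the licensed count (shown red in ISE)."""
    return [t for t, n in usage.items() if n > entitlement.get(t, 0)]

def suspected_stale(active, now=NOW, max_age=timedelta(days=1)):
    """Sessions open longer than max_age: candidates for a missing accounting Stop."""
    return sorted(sid for sid, (start, _) in active.items() if now - start > max_age)

if __name__ == "__main__":
    act = active_sessions(EVENTS)
    print(license_usage(act), "possibly stale:", suspected_stale(act))
```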
It's not a bug; actually it is telling you that you still have a lot of active connections that exceeded your Base license limit. It looks like some sessions are not closed even after the user terminates.
You can schedule a maintenance window to clear all the active sessions. You might need to restart the ISE PANs during that window and, if using wireless, then disable/enable the SSIDs. The whole idea is to clear all the active sessions.
But if you still see ISE license consumption getting exceeded, then adding ISE Base licenses would be a way around it.
Well, ISE really does purge by default. I am pasting the default conditions that apply for purging. The scenario I mentioned above is for a situation where endpoints are not purged as expected even after 30 days, and to be honest that should not be done unless it is the last option :)
Have a look at the data below.
You can define the Endpoint Purge Policy by configuration rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.
You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary PAN.
Endpoint purge deletes 5000 endpoints every three minutes.
The following are some of the conditions with examples you can use for purging the endpoints:
InactivityDays — Number of days since the last profiling activity or update on the endpoint.
This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments as they are no longer active on the network or likely to be seen in the near future. If they do happen to connect again, then they will be rediscovered, profiled, registered, etc. as needed.
When there are updates from an endpoint, InactivityDays will be reset to 0 only if profiling is enabled.
ElapsedDays — Number of days since the object was created.
This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.
PurgeDate — Date to purge the endpoint.
This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at the same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for a specific week or month rather than absolute days/weeks/months.
Although I have never changed the default conditions for purge, I believe the PurgeDate condition might be helpful for your scenario; explore that. Review all the options that might be helpful for you.
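As an added illustration of the three purge conditions described in the post above (this is example code, not ISE's implementation or anything from the original reply), the following evaluates InactivityDays, ElapsedDays and PurgeDate rules against constructed endpoint records on the day the purge job runs, including the note that InactivityDays is only reset while profiling is enabled. The rule format, endpoint fields, identity-group names and first-match order are assumptions.

```python
"""Evaluation of the three Endpoint Purge conditions described above against
constructed endpoint records (made-up MACs) on the day the 1 AM purge job runs.
Rule format, endpoint fields, group names and first-match order are assumptions."""
from collections import namedtuple
from datetime import date

TODAY = date(2020, 4, 1)
Endpoint = namedtuple("Endpoint", "mac group created last_profiled")
ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "GuestEndpoints", date(2020, 1, 10), date(2020, 3, 30)),
    Endpoint("00:11:22:33:44:02", "Workstation", date(2019, 12, 1), date(2020, 2, 15)),
    Endpoint("00:11:22:33:44:03", "Workstation", date(2020, 3, 1), date(2020, 3, 31)),
    Endpoint("00:11:22:33:44:04", "TradeShow", date(2020, 3, 28), date(2020, 3, 31)),
]

# Purge rules as (identity group or None for any group, condition, value),
# evaluated top to bottom with the first match winning (assumed).
RULES = [
    ("GuestEndpoints", "ElapsedDays", 30),
    ("TradeShow", "PurgeDate", date(2020, 3, 31)),
    (None, "InactivityDays", 30),
]

def inactivity_days(ep, today, profiling_enabled=True):
    """Days since the last profiling update; the counter is reset only when
    profiling is enabled, modelled here as counting from creation otherwise."""
    ref = ep.last_profiled if profiling_enabled else ep.created
    return (today - ref).days

def matches(ep, rule, today, profiling_enabled=True):
    group, cond, value = rule
    if group is not None and ep.group != group:
        return False
    if cond == "InactivityDays":
        return inactivity_days(ep, today, profiling_enabled) > value
    if cond == "ElapsedDays":
        return (today - ep.created).days > value
    if cond == "PurgeDate":
        return today >= value
    raise ValueError(f"unknown purge condition {cond}")

def purge_candidates(endpoints, rules, today=TODAY, profiling_enabled=True):
    """{mac: condition} for the endpoints the purge job would delete today."""
    out = {}
    for ep in endpoints:
        for rule in rules:
            if matches(ep, rule, today, profiling_enabled):
                out[ep.mac] = rule[1]
                break
    return out
```

Note that a guest endpoint seen yesterday is still purged by ElapsedDays, and the workstation created a month ago is only purged when profiling is disabled and its inactivity counter is never reset.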
Hmm, interesting. So ISE is meant to purge by default, but in some cases it may not. So the next bit would be to try and find out whether or not the license exceeded issue I have is due to such user sessions which have not been purged for some reason by ISE. How do we find that?
I looked at the Endpoint Purge setting on my ISE device and it definitely has rules therein to clean up. So if I need to manually clean up, first I need to find out if there are genuine entries which are not being cleared by ISE even though they are due for purging, and why.
@Damien Miller Thank you for your comprehensive reply. It also makes my doubts about purge clear. My concern about purge and active sessions is whether purge can help to get rid of those active sessions that are actually not active because the NAD did not send an accounting stop message. So does it mean purge policies will work only for inactive sessions?
Thanks Damien for the detailed explanation. That makes sense and adds to what Muhammad already explained.
I was trying to check the active sessions count then, but couldn't find any. How do I go about finding out the number of active sessions? I can see the Active Endpoints on the Dashboard, but not the sessions. I can see Active Sessions under Radius Logs, but cannot see the count.
This is an old thread, but to anyone searching and finding this, Cisco TAC recommended the following fix.
I had ISE 2.6; the Licensed Sessions was reading 8300 but there were only 1000 Active Sessions. The fix was to log into the CLI, run "application configure ise", and choose option 1 "Reset M&T Session Database".
This will cause a restart, so beware service interruption.