ISE Base License Exceeded - is it a bug?

colossus1611
Level 1

Hi Team,

I have been receiving this error/notification message suggesting I should get in touch with a Cisco Sales representative for more licenses, but having read through some of the other posts here it seems like it is not a license exhaustion issue. However, from Cisco's own explanation below, it seems to be a genuine license exhaustion issue:

 

Traditional License Consumption

You purchase licenses for the number of concurrent users on the system with Traditional Licensing. A Cisco ISE user consumes a license during an active session (always a Base; and a Plus and an Apex license, if you use the functionality covered by these licenses). Once the session ends, the license is released for reuse by other users.

Restriction

Cisco ISE license architecture consumption logic relies on authorization policy constructs. Cisco ISE uses the dictionaries and attributes within authorization rules to determine the license to use.

The Cisco ISE license is counted as follows:

• A Base license is consumed for every active session. The same endpoint also consumes Plus and Apex licenses depending on the features that it is using.

• The endpoint consumes the Base license before it consumes a Plus and Apex license.

• The endpoint consumes the Plus license before it consumes an Apex license.

• One Plus license is consumed per endpoint for any assortment of the license's features. Likewise, one Apex license is consumed per endpoint for any assortment of its features.

• Licenses are counted against concurrent, active sessions.

• Licenses are released for all features when the endpoint's session ends.

• pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for a session is shared. However, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed. For more information, see the Cisco ISE Licenses and Services section in the Cisco Identity Services Engine Ordering Guide.

• One AnyConnect Apex user license is consumed by each user who uses AnyConnect regardless of the number of devices that the user owns and whether or not the user has an active connection to the network.

• You can enable the TACACS+ service by adding a Device Administration license on top of an existing Base or Mobility license.

To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generates an alarm when the endpoint count of the previous day exceeded the amount of licenses. You can view license consumption clearly from the License Usage area in the Licensing screen, where licenses that are consumed beyond the permitted quantity appear in red in the line graph.

 


ISE Base License Usage Exceeded1.PNG
ISE Base License Usage Exceeded.PNG

So I am really not sure what to make of it. Do I need to take some action and get more licenses, or should I wait and evaluate for another few weeks?

 

Thanks.

Accepted Solution

Let's clarify something here that is very important. Sessions and endpoints (and endpoint purge) are two unrelated pieces within ISE.

You can have millions of endpoints in the ISE context visibility database, and they alone do not consume a single license.

Licenses are consumed by active sessions, and a session starts with a RADIUS accounting start message. ISE will maintain a session as active for 5 days unless one of three things happens.
1. An interim accounting packet is sent by the switch/WLC telling ISE that the endpoint is still connected and active.
2. A reauthentication of the endpoint happens; this results in a new accounting start, and the 5 day timer resets.
3. A RADIUS accounting stop message is received by ISE; the session is no longer active and the license will be released.

Licenses are based on active endpoint sessions, not total known endpoints. You consume licenses when an endpoint authenticates, and not because ISE knows about it. If license usage counts differ significantly from the active endpoint count shown on the dashboard, then there is an issue that TAC should help the customer look at. If the active endpoints and license counts are relatively close to the active sessions, then the number is accurate.

If active sessions are higher than expected, leading to higher than expected license usage, then the most common cause is RADIUS accounting not being set up correctly on network devices.

Endpoint purging will not fix this issue. We certainly recommend setting up endpoint purge rules to maintain a relevant database, but there is no one-size-fits-all approach.

ISE automatically purges stale active sessions after 5 days pass, and it purges an individual active session any time an accounting stop is received.

If you believe you should be using fewer licenses than you are, work with TAC. On the recommended releases and patches there are no open licensing bugs that would cause this. That's not ruling out that this could be a new bug unique to your deployment, but working with TAC would confirm either way.
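To make the session-accounting rule above concrete, here is an added example (not code from the thread or from Cisco) that replays constructed RADIUS accounting events through that rule: an Accounting-Start or Interim-Update keeps a session alive, an Accounting-Stop releases the license, and anything silent for 5 days is dropped. The timestamps, session IDs and the missing Stop for sess-B are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=5)  # per the thread: ISE keeps a session active for 5 days

@dataclass
class AcctEvent:
    time: datetime
    session_id: str
    status: str  # Acct-Status-Type: "Start", "Interim-Update" or "Stop"

def active_sessions(events, now):
    """Session IDs ISE would still count as active at `now`."""
    last_seen = {}  # session_id -> time of the last Start/Interim-Update
    for ev in sorted(events, key=lambda e: e.time):
        if ev.time > now:
            break
        if ev.status == "Stop":
            last_seen.pop(ev.session_id, None)  # Stop releases the license
        else:
            last_seen[ev.session_id] = ev.time  # Start/Interim resets the timer
    # Stale purge: nothing heard for 5 days means the session is dropped.
    return {sid for sid, t in last_seen.items() if now - t < STALE_AFTER}

def base_licenses_in_use(events, now):
    """One Base license per active session (sessions, not known endpoints)."""
    return len(active_sessions(events, now))

# Constructed sample: sess-A logs off cleanly; for sess-B the NAD never
# sends an Accounting-Stop (the misconfiguration the thread points at).
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [
    AcctEvent(T0, "sess-A", "Start"),
    AcctEvent(T0, "sess-B", "Start"),
    AcctEvent(T0 + timedelta(hours=1), "sess-A", "Interim-Update"),
    AcctEvent(T0 + timedelta(hours=9), "sess-A", "Stop"),
]

def licenses_after(hours):
    """Base licenses consumed `hours` after T0 for the constructed sample."""
    return base_licenses_in_use(SAMPLE, T0 + timedelta(hours=hours))

if __name__ == "__main__":
    for h in (2, 10, 24 * 4, 24 * 6):  # expect 2, 1, 1, 0
        print(f"+{h:>3}h: {licenses_after(h)} Base license(s) in use")
```

The same comparison against the dashboard's active endpoint count is what the reply above suggests: when the session-derived number stays high after users have left, look at accounting on the network devices rather than at endpoint purge.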



Muhammad Awais Khan
Cisco Employee

Hi,

It's not a bug; actually it is telling you that you still have a lot of active connections that exceeded your Base license limit. It looks like some sessions are not closed even after the user terminates.

You can schedule a maintenance window to clear all the active sessions. You might need to restart the ISE PANs during that window and, if using wireless, disable/enable the SSIDs. The whole idea is to clear all the active sessions.

But if you still see that ISE license consumption is getting exceeded, then adding ISE Base licenses would be a workaround.

Thanks Muhammad.

I am really surprised that ISE doesn't auto-purge stale sessions in that case. So please ignore my lack of knowledge here, but how do I go about clearing these sessions? It doesn't look like I can do it from the GUI?

It seems I have a deadline to abide by now:

ISE Base License Usage Exceeded_DEADLINE.PNG

 

Hi,

Well, ISE really does purge by default. I am pasting the default conditions that apply for purging. The scenario I mentioned above is for a situation where endpoints are not purged as expected even after 30 days, and to be honest that should not be done unless it is the last option :)

Have a look at the data below.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01100.html#concept_0776B37A2C3542189950F5DFB1961FA2

 

 

"

Endpoints Purge Settings

You can define the Endpoint Purge Policy by configuring rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.

You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary PAN.

Endpoint purge deletes 5000 endpoints every three minutes.

The following are some of the conditions, with examples, that you can use for purging the endpoints:

  • InactivityDays—Number of days since the last profiling activity or update on the endpoint.

    • This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments, as they are no longer active on the network or likely to be seen in the near future. If they do happen to connect again, they will be rediscovered, profiled, registered, etc. as needed.

    • When there are updates from the endpoint, InactivityDays will be reset to 0 only if profiling is enabled.

  • ElapsedDays—Number of days since the object was created.

    • This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.

  • PurgeDate—Date to purge the endpoint.

    • This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at the same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for a specific week or month rather than absolute days/weeks/months."

Although I have never changed the default conditions for purge, I believe the PurgeDate condition might be helpful for your scenario; explore that. Review all the options that might be helpful for you.

 

Hmm, interesting. So ISE is meant to purge by default, but in some cases it may not. So the next step would be to try and find out whether or not the license-exceeded issue I have is due to such user sessions which have not been purged for some reason by ISE. How do we find that?

I looked at the Endpoint Purge settings on my ISE device and it definitely has rules therein to clean up. So if I need to manually clean up, I first need to find out whether there are genuine entries which are not being cleared by ISE even though they are due for purging, and why.

ISE Base License Usage Exceeded_Endpoint Purge Page Setting.PNG

 

 

How about creating new purge rules for unknown, registered and Guest devices which are inactive for more than 10 days? See the attached sample rule.


@Damien Miller Thank you for your comprehensive reply. It also clears my doubts about purge. My concern about purge and active sessions is whether purge can help to get rid of those active sessions that are actually not active because the NAD did not send an accounting stop message. So does it mean purge policies will work only for inactive sessions?

Hi Muhammad, so how was this issue resolved in the end?

Thanks Damien for the detailed explanation. That makes sense and adds to what Muhammad already explained.

I was trying to check the active sessions count then, but couldn't find any. How do I go about finding out the number of active sessions? I can see the Active Endpoints on the Dashboard, but not the sessions. I can see Active Sessions under RADIUS Logs, but cannot see the count.

Thanks.

When I try and check for Current Active Sessions, it gives me "no data found".

ISE Base License Usage Current Active Sessions_No Data Found.PNG

robert.p.goeke2
Level 1

This is an old thread, but for anyone searching and finding this, Cisco TAC recommended the following fix.

I had ISE 2.6; the Licensed Sessions count was reading 8300 but there were only 1000 Active Sessions. The fix was to log into the CLI, run "application configure ise", and choose option 1, "Reset M&T Session Database".

This will cause a restart, so beware of service interruption.