Re: ISE deployment stability - Page 2

arane0001 · ‎12-03-2024

We are currently experiencing ongoing instability issues during the deployment of Cisco Identity Services Engine (ISE) across multiple environments, including both new and previous deployments. These issues appear to be recurring and are impacting our ability to ensure smooth operations.

Given that similar instability was experienced with previous deployments, we suspect the underlying cause may be systemic, possibly related to resource limits, database synchronization, or network configuration issues. However, further investigation is required to identify the exact root cause.

critical issues so far we had in the past >>>

ise not backing up , PAN /opt folder suddenly crossing threshold above 75%, queue link error, queue memory high, log collection error, application services stuck in initializing, SAN server crash, not able to see live logs

I have faced these issues in ISE 2.2, 2.7 and 3.2. We have gone through multiple VM changes across different vlans, the above issues still remain.

I would also appreciate any best practices or configuration recommendations to help mitigate such issues moving forward.

arane0001 · ‎01-29-2025

Currently my issue is I am importing CSV file using the template and I have done this thousand times but somehow for past week whenever I import CSV for the endpoints for static group assignment the endpoint is not getting the profile and identity group. I am working with TAC if they can duplicate the issue.

Marcelo Morais · ‎01-30-2025

Hi @arane0001 ,

if my understanding is correct ... in other words,

In Context Visibility > Endpoints > Import > Import From File :

when you Select the File and hit the Import button, what kind of error do you get ?

Example:

Note: please also take a look at

CSCwn84705 Import of guest users fails with CSV template in Firefox
CSCwm29900 Imported endpoints given incorrect Endpoint IDs causing data mismatch

Hope this helps !!!

arane0001 · ‎01-30-2025

no error while importing, the problem is once I import the statically assigned endpoints with identity groups don't show as static even after they have been assigned static groups. They show the original profile of the endpoint instead of the customized assigned to it.

Scott Fella · ‎01-30-2025

I had similar issues a year ago. Have you tried to "Reset Context Visibility" and then "Synchronize Context Visibility With Database" using the application configure ise? I had sooooo many stale endpoints that when I did a restore to a new ISE instance, there were issues with my endpoint data. I do backup my endpoints and test out restores and all my custom variable are in place. I just have to make sure the Groups are all there in the instance i'm testing with.

-Scott
*** Please rate helpful posts ***

arane0001 · ‎01-30-2025

yes that's what we tried with TAC but it didn't work. The other thing I am noticing is the endpoint purge is not working as it should. I see lot of inactive unknown endpoints but I don't see them getting purged as per the rule.

Scott Fella · ‎01-30-2025

I too ran into that and I had to create new rules to purge any endpoints: ENDPOINTPURGE InactivityDays Less Than xxx
That rule help purge endpoints that were not being caught in the other rules. I had to first create a "Never Purge rule for items I need to keep, then I created a Purge rule using the less than xxx. That cleared almost half of the endpoints that was stuck:)

-Scott
*** Please rate helpful posts ***

arane0001 · ‎01-31-2025

i think both of these issues are somehow related.

Scott Fella · ‎02-01-2025

@Marcelo Morais I ran into that error too and was told of this CSCwk16266. If there was a '$' anywhere is the endpoint data, it would fail because of the $ and this is expected and not going to be fixed. We had to use the APi to add, update or modify existing endpoints with the $.

-Scott
*** Please rate helpful posts ***