Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2184
Views
5
Helpful
5
Replies

ISE Health Checks

Go to solution
Matthew Martin
Level 5
Level 5

ā€Ž12-05-2022 08:45 AM

Hello All,

ISE v2.7 patch 3

I am looking to install the latest Patch for v2.7. I noticed under Administration > System > Upgrade there's a message that says "Deployment is not healthy. Check the health in HealthChecks page . Click continue to go to the upgrade page."

I know the patch install is done through Administration > System > Maintenance > Patch Management, and not the Upgrade page. But, I'm thinking it might be a good idea to run the Health Checks prior to installing the patch...

Can the Health Checks be run during business hours without impacting endpoints/clients on the network?

Thanks in Advance,
Matt

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aref Alsouqi
VIP
VIP

ā€Ž12-05-2022 09:01 AM

Running ISE health check does not cause any interruption for your deployment. What ISE basically does with the health check is running a list of tasks, and based on the outcome it will judge if your deployment is healthy or not. That process won't have any auto-remediation or changes to your environment, hence, it is not disruptive.

View solution in original post

5 Replies 5

Go to solution
Aref Alsouqi
VIP
VIP

ā€Ž12-05-2022 09:01 AM

Running ISE health check does not cause any interruption for your deployment. What ISE basically does with the health check is running a list of tasks, and based on the outcome it will judge if your deployment is healthy or not. That process won't have any auto-remediation or changes to your environment, hence, it is not disruptive.

Go to solution
Matthew Martin
Level 5
Level 5

ā€Ž12-05-2022 09:14 AM

Great, thank you!

Ran the checks after I got your reply... Only took about a minute for the checks to complete.

Question. The Trust Store Certificate Validation has an exclamation point and shows "0/2"... I checked the Trusted Certificates page and don't see an expired Certs on that page or anything expiring anytime soon. Could that message mean something else?

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to Matthew Martin

ā€Ž12-05-2022 10:20 AM

You welcome. Does it show you the Trust Store Certificate Validation as failed or passed the health check? Usually you would see 0/x if the health check task fails, in that case you will see it flagged in red, but if you see it in green with 0/2 I would ignore it.

0 Helpful

Go to solution
Matthew Martin
Level 5
Level 5
In response to Aref Alsouqi

ā€Ž12-05-2022 11:18 AM

MatthewMartin_0-1670267297531.png

I think I found the certs it was warning about under Certificates > Certificate Authority Certificates. There's 2 for each of our 2 nodes. One shows for OCSP Responder and the other says "...Endpoint Sub CA...". See below:

MatthewMartin_1-1670267593321.png

I do see valid OCSP Responder and Endpoint Sub CA certs that are still valid. But, when I clicked to Delete one of these expired Certs I get the following message, which sounded a little scary so I clicked Cancel:

MatthewMartin_2-1670267824523.png

Thanks Again,
Matt

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

ā€Ž12-06-2022 01:35 AM

Hi Matt, you can renew those certs by going into the Certificate Signing Requests section. Once you click on generate the request, you can select the usage from the usage drop down menu, alternatively you can remove them if they are not in use. One thing to keep in mind is that an upgrade process will fail if you have any expired certificate on ISE, however, I don't believe this would be the case with applying the patches.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents