cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30371
Views
46
Helpful
41
Replies

ISE Internal error suddenly appear

M.Jallad
Level 1
Level 1

 

I started to see this error message suddenly 

"

[500] Internal Error

Please contact system administrator. If you are the System Administrator please consult the logs.

"

ISE deployment consists of two nodes one carrying Administration persona (primary) , and monitoring (secondary) and the other carrying Administration persona (secondary) , and monitoring (primary) persona, the setup was running smoothly without any issues. ISE version was 1.2; and after this issue appeared we did the required troubleshooting with no luck ; so we upgraded  both units to 1.3 and still facing the same issue.

We noticed a strange behavior on agent redirection ACL , when trying to reach basic services such as domain,DNS,.. (which are denied from redirection on the ACL) it appears to be redirected to ISE ( last permit ACE in redirection ACL counters increases contineously ) which shouldn't be the case in the posturing stage.

Anyone did face this issue , and what does this mean or have any ideas appreciate to share with us...

41 Replies 41

I think Cisco worked closely with the switch(authenticator) to identify the root cause and eventually release the patch. So I would incline to think its on the ISE.

Sure , the issue was caused by ISE (exactly version 1.3) ; and not related to authenticator device (as the same authenticator was working normally on version 1.2.1).

Hi all,

it turned out (well 99% likeliness) that we were struck by a different issue:

 

If you see error 500 in a wireless situation with mobility groups, esp. an anchor controller, consider this document: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11 (I assume cco login is required).

 

In short: enable accounting ONLY on the (single; maybe active/standby) foreign controller, or disable it completely.

Otherwise all controllers send different session ids in their accounting messages to ISE confusing the latter. This is a long outstanding WLC bug CSCuo56780.

Regards,

Michael.

 

awesome! fixed my problem even 2 years later. guess this bug will last forever!

Excuse me ,Sir,can I ask you a question .Before this .we use ACS to manage the Network Device. And define user access the device's level  Example some user only use "show  some user can use "config" .i want to know How to use ISE achieve it .

Unfortunately it's not as easy as it used to be in ACS. However, it can be done; You will have to use "parser views" feature (each view with specific command authorizations ) along with exec authorization on each IOS device and then define the corresponding authorization profile on ISE to allocate the specific "cli view name" Radius AV pair, and finally assign the profile to authorization policy that is matching a specific user or group condition (a local identity or an  external identity user).

 

 

“Parser Views”? i can not find in the ISE . And how to config the  Authorization profile . Can you give me a Link or Website to help me .Thank you very much.

Wency, maybe you should start a new thread, this is not error 500 related.

 

That said, you seem to refer to Tacacs functionality. This protocol is not yet supported in ISE. (will be in 2.0; no, I don't know when this will be out).

One can manage CLI access to devices with Radius too, but rather than being able to check each command on ISE, the user gets a certain 'privilege' at login. How the devices enforces that depens on the device. Parser views are a cool feature on IOS devices (routers), but several devices (switches and old routers) support only 15 privilege levels (and you can change the preset levels of commands). Yet other devices (WLC and Prime) use user Roles. Which Radius attributes are to be send depends on the device. You'll have to look it up in the switch/router/etc. manual. Look for aaa and radius attributes.

 

On Ise, you just add the proper Radius attributes to the authz profile, like this.

 

To assign a level of 15 (enable mode) for example.

 

 

Hi All,

 

Just an update to the current bug that we are facing, the bug CSCur94336 was fixed in 1.3 patch 1. However the issue was not resolved and a new bug has been opened CSCus89119. This bug does not clearly mention though that if its the authenticator thats triggering the session id removal or the ISE. For all the wireless used cases where the error 500 is seen, it might be worthwhile to get a detailed debugging to find out if its an authenticator trigger or the way ISE handles the session id management.

The patch for CSCus89119 is expected to be released in April.

Ok so, good information to know, but I have a hard time seeing how this is a solution.

A D
Level 1
Level 1

 Installed primary and secondary node, running version 1.3.0.876. Both are configured to authenticate guests via the guest portal. Whenever the secondary node gets the (re-)authentication-query error 500 internal error gets displayed, never on the primary node though.

ibrahim_hassan
Level 1
Level 1

I installed ISE 1.3 patch 2 , but I am still get the error 500.

we have one WLC with 2 SSID , and the issue not happened with all devices even with the same SSID.