ISE: No more logs after having replaced PSN
12-12-2022 02:53 AM
Hello,
Following the reset of the /opt partition, which was full (100%) on the MNT, we no longer have Splunk logs on 2 new PSN (3695),
while the other 4 PSN (3595) continue to work correctly.
There are collection log errors:
The ISE MNT collector process is unable to persist the audit logs generated from the Policy Service nodes.
The current version is: 2.7.0.356 P5
BR,
Labels: Security Management
12-12-2022 03:00 AM
I found this bug CSCvv08466, which seems to correspond, but it's already fixed in patch 3.
12-12-2022 03:02 AM
Probably a bug, as these reports seem indicative: https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&kw=The%20ISE%20MNT%20collector%20process%20is%20unable%20to%20persist%20the%20audit%20logs%20generated%20from%20the%20Policy%20Service%20nodes&bt=custV&sb=anfr . Also take care with 2.7P5 because of https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa00729 ; consider stepping up (installing a higher patch) as soon as possible.
M.
-- Each morning when I wake up and look into the mirror I always say, 'Why am I so brilliant?'
The mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'
12-12-2022 05:37 AM
Thanks for this feedback.
Another point which must also be taken into account:
We could not reimport the ISE Messaging Service certificate on the new equipment.
Can this have an impact on the logs, knowing that the option [Use "ISE Messaging Service" for UDP Syslogs delivery to MnT] is disabled?
12-12-2022 05:40 AM
This could not be done because, on the new PSN, the ISE Messaging Service certificate used has a different domain name.
12-12-2022 05:50 AM
- Navigate to Administration > System > Logging. You should see that "Use ISE Messaging Service for UDP Syslogs delivery to MnT" is enabled. This is a new feature that was released in ISE 2.6, and I have run into this issue. You may need to regenerate these certificates after an upgrade.
- To fix this you need to generate new deployment-wide signed certificates. This is a simple process that can be done by navigating to Administration > System > Certificates and choosing Certificate Signing Requests from the left menu.
- Click the button for Generate Certificate Signing Requests (CSR).
- In the Usage field, select that the certificate(s) will be used for ISE Messaging Service.
- Since this is an upgrade and ISE Messaging may not have been enabled previously, you need to select Generate CSR for ISE Messaging Service.
- Select ALL the ISE nodes and fill out the certificate fields.
- Of course, you should follow any guidance and troubleshooting from the Cisco Identity Services Engine Upgrade Guide, Release 2.7.
