Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
839
Views
4
Helpful
6
Replies

ISE not retrieving radius live logs

MaErre21325
Level 1
Level 1

‎01-12-2024 07:52 AM

Hi all,

i'm running a phisycal SNS-3655-K9 with version 3.1 and patch5.
Randomly when i go under radius live logs tab no logs are shown, the page is blank and only showing "fetching records" and keeps stuck in this status (sometimes i've to wait 20 min to see logs other time nothing is shown).
Other times instead the page is working quiet correctly.
I don't have any "Queue Link Error" on the dashboard and the checkbox "ISE Messaging Service" for UDP Syslogs delivery to MnT" is enabled.
If i disabled it logs are shown, may i open a tac to understand this behaviour?
What is the consequence of unchecking this box?

Thank you
Regards

0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎01-12-2024 08:48 AM

is this issue after any patch or just started working one not getting logs ?

on the dashboard and the checkbox "ISE Messaging Service" for UDP Syslogs delivery to MnT" is enabled. - If i disabled it logs are shown - Looks that is fix offered

i am running 3.X and enable and works as expected :

balajibandi_0-1705078097294.png

 

 

check this post :

https://community.cisco.com/t5/network-access-control/ise-2-6-alarm-quot-queue-link-error-quot/td-p/3846992/page/2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Rodrigo Diaz
Cisco Employee
Cisco Employee

‎01-12-2024 09:05 AM

by disabling the checkbox you are not longer going to be sending the syslog to the MNT nodes through TCP 8671 and the ISE messaging certificates but you are going to be sending logs through UDP 20514, the problem that you mention could be a problem of communication, review this video to check some points of the ISE messaging service https://www.youtube.com/watch?v=Ty46Wpzvwv8

let me know if that helped you. 

MaErre21325
Level 1
Level 1
In response to Rodrigo Diaz

‎01-15-2024 01:00 AM

Hi @Rodrigo Diaz,

the video was very useful, i don't have any Queue Link Errors so ise messages service and internal CA certificates should be ok.
what it's strange is that some times its work and some times not, i expected it shouldn't work at all.
However by unchecking the "ISE Messaging Service" for UDP Syslogs delivery to MnT" seems to work properly at the moment.

 

0 Helpful

Arne Bier
VIP
VIP
In response to Rodrigo Diaz

‎01-15-2024 01:14 AM

Yes. It’s sad that Cisco wanted to improve the message delivery by implementing this feature but the actual way they implemented it is nothing short of terrible. It’s something the average user should not have to worry about but this breaks all the time. 
I would still consider giving it a go - regent internal CA. 

0 Helpful

Arne Bier
VIP
VIP

‎01-12-2024 01:52 PM

Usually regenerating the ISE Messaging Certificate fixes this. It's not service affecting. And if that doesn't do it, then I regenerate the entire internal ISE CA - also not service affecting, UNLESS, you have already issued certs using the internal CA - check first!

MaErre21325
Level 1
Level 1
In response to Arne Bier

‎01-15-2024 01:01 AM

Hi @Arne Bier ,

i'm using an external CA to sign my certificates, i'll try what you suggested 

0 Helpful
Customers Also Viewed These Support Documents