Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
993
Views
0
Helpful
5
Replies

ISE pxGrid Session interface: Difference between ISE GUI Live sessiosn and pxGrid Sessions?

Go to solution
hnohre
Cisco Employee
Cisco Employee

‎10-21-2018 10:39 AM

When querying the pxGrid sessions interface I get quite a few more entries than I do from the ISE GUI interface (Live sessions).

Upon investigation, it shows that the sessions which also appear in ISE GUI interface are in state STARTED or POSTURE, whereas the sessions retrieved through pxGrid interface also includes sessions in state AUTHENTICATED.'

Many of these sessions from pxGrid that are in state AUTHENTICATED are also very old, some from 6 months back.

I believe I can (in my script) easily filter on this, but it would still be nice to have a pointer to the difference between

sessions that are kept in pxGrid, but now shown in ISE GUI (live sessions).

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to hnohre

‎10-26-2018 07:46 PM

The aged authenticated sessions might be due to CSCvi79632.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
hslai
Cisco Employee
Cisco Employee

‎10-21-2018 04:22 PM

It's the first I heard of such. Please see if Removing Stale Sessions helps.

0 Helpful

Go to solution
hnohre
Cisco Employee
Cisco Employee
In response to hslai

‎10-22-2018 02:34 PM

Thanks. I am sure I can remove the stale sessions as per your suggestion.

But is there meaning of the state anywhere documented?

My guess is that the session gets AUTHENTICATED, then to STARTED after accounting start, then back to AUTHENTICATED after accounting stop, or after a timeout??

But I prefer not to guess.

Also what is the expected behaviour wrt ISE purging these sessions? Should they be purged after accounting stop, or after a timeout, or never?

 

 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to hnohre

‎10-22-2018 03:38 PM

AUTHENTICATED -- after sending the access-accept.

STARTED -- after receiving ACCT start

TERMINATED -- after receiving ACCT stop

Postured -- after receiving a posture report

 

There are also Authenticating and Authorized but I do not think we using them any longer, because we do not recommend sending epm events via syslog from NAD to ISE M&T nodes.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to hnohre

‎10-24-2018 10:25 PM

Also what is the expected behaviour wrt ISE purging these sessions? Should they be purged after accounting stop, or after a timeout, or never?

 

Usually accounting stop will terminate the associated session, except for roaming (nas-update). If no accounting, the sessions clear after 1 hour. If accounting received, they clear after 5 days if not further updates.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to hnohre

‎10-26-2018 07:46 PM

The aged authenticated sessions might be due to CSCvi79632.

0 Helpful
Customers Also Viewed These Support Documents