Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2325
Views
0
Helpful
5
Replies

ISE: Radius live log: no data founf after changfing the primary PAN

naoki_Japan
Spotlight
Spotlight

‎12-14-2021 02:05 AM - edited ‎12-14-2021 02:55 AM

My network is using distributed deployment of ISE(primary PAN and secondary PAN).

tmy network configuration is below as normal.

PAN X:  admin(Primary) Mnt(Primary)

PAN Y: admin(secondary) Mnt(Primary)

 

 

As a part of test of promotion, I halted PAN X by the command "application stop ise" and "halt" and promtoed the PAN Y as primary PAN.

the configuration after the promotion of PAN Y is below.

 

PAN X : admin(Secondary) Mnt (Primary)

PAN Y: admin (Primary) Mnt(Secondary)

 

After the manual  promotion of PAN Y, I cannnot any authentication data log on the panel "radius > live logs"

why this happens???

How solve this?

 

I temporarilly fixed this probelm by changing the MnT role.
Is there other way to fix this without changing the MnT role?

 

 

 

 

※I use ISE 3.0, and NTP is correctly syncronized.

0 Helpful
5 Replies 5

Marcelo Morais
VIP
VIP

‎12-14-2021 09:16 AM

Hi @naoki_Japan ,

 if my understanding is correct, you stop and halt the PPAN before promoting the SPAN just for test, is that correct?

 Any Alarms on Home? For example Queue Link Error alarm?

 

Hope this helps !!!

0 Helpful

naoki_Japan
Spotlight
Spotlight
In response to Marcelo Morais

‎12-14-2021 05:22 PM

your understanging is correct.

Sorry, I cannot confirm it currently.

 

but, do you know any alrams wihch may be related to this problem ?

I mean, for example, if there is Queue Link Error alarm on the alarm panel, does Queue Link Error have possibility to be related to this problem?

 

I wanna know alarms which may cause this problem as far as you know.

0 Helpful

Marcelo Morais
VIP
VIP
In response to naoki_Japan

‎12-15-2021 12:50 AM

Hi @naoki_Japan ,

 for Queue Link Error, please take a look at: CSCvp45528 - Queue Link Error alarm.

Symptom:
1. Queue Link Error alarm constantly generated on ISE dashboard,
2. Health Status and live logs are unavailable when "ISE Messaging Service for UDP Syslogs delivery to MnT" is enabled.

 

Note: for a list of Alarms, please check: ISE 2.7 Alarms.

 

Hope this helps !!!

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎12-19-2021 07:04 PM

ISE 3.0 has the fix for CSCvp45528. Also, the live log is working after manually toggled Y as the primary MnT. I do not see it an issue on Queue Link Error or related to ISE messaging.

Cisco Identity Services Engine Administrator Guide, Release 3.1 > Chapter: Deployment > Monitoring Node says,

... If the primary MnT goes down, the primary PAN points to the secondary node to gather monitoring data. ...

If possible, please work with Cisco TAC to recreate.

 

 

0 Helpful

naoki_Japan
Spotlight
Spotlight
In response to hslai

‎12-19-2021 10:17 PM - edited ‎12-19-2021 10:19 PM

thank you for advice.

I opened the ticekt to Cisco TAC about this case.

 

 

 

Given the below description which you pointed, there is an problem I can think of. 

> Cisco Identity Services Engine Administrator Guide, Release 3.1 > Chapter: Deployment > Monitoring Node says,

> ... If the primary MnT goes down, the primary PAN points to the secondary node to gather monitoring data. ...

 

 

If the administartor configure the ISE deployment as I do this time (I mean the Primadn PAN has primary MnT role), who can tell the secondary notde to gather monitoring data when the Primary PAN goes down?

0 Helpful
Customers Also Viewed These Support Documents