06-28-2018 03:28 AM - edited 02-21-2020 10:59 AM
Hi
I have two ISE nodes used for device administration; one is primary for both administration and monitoring and the other is secondary for both.
Since both ISE nodes are across two data centers, I have configured the primary ISE as the first authentication server for devices in datacenter 1 and the secondary ISE as the first authentication server for devices in datacenter 2.
Now, I am not able to see TACACS/RADIUS live logs from the secondary ISE on the primary.
Any reason why, and how do I get it working? For now I live with changing the monitoring role to primary on the secondary ISE in case I have to debug a failed auth, which is not an ideal solution in the long run.
Any advice?
06-28-2018 03:35 AM
06-28-2018 03:43 AM
08-25-2021 02:04 AM
I have this problem, too (Version 2.7.0356 / Patch 3).
Did anyone resolve it?
08-25-2021 05:46 AM
What do you have under "Administration --> System ---> Logging"? Under "local log settings", is the box "ISE Messaging Settings" checked? If it is, "uncheck" it. The box is "checked" by default. I think it will solve your issue.
08-25-2021 05:55 AM
@david.tran Thank you very much. This solved the problem.
Does this mean that "ISE Messaging Service" doesn't work as expected?
Is it a bug?
08-25-2021 06:07 AM
@stephan.ochs: No, it is not a bug. If you have this box checked, you will need to set up certificates on all of your nodes for it to work properly. Otherwise, you will have issues like this.
01-05-2022 09:56 AM
Hi,
I have the same problem but running
with the log4j hotfix. The system was upgraded from 2.4 recently, patched and hot fixed. I am not sure when this started to happen: after it was first upgraded, after installing patch 5, or after the log4j hotfix.
01-05-2022 10:49 AM
@george.chung check the ISE alarm widget on the home page for queue link errors. If you see them, go into the system certificates and generate a new CSR for the ISE CA. That will replace the internal CA root certificate and its issued certificates and fix the message queuing between nodes. It's actually a mandatory post-upgrade step that is often overlooked.
08-29-2023 08:02 AM
I do not have the option for generating a CSR for my ISE messaging. What are my other options?
08-29-2023 08:41 AM
@Nick O why not? Is it not allowed in your environment or you don't know how?
08-29-2023 08:46 AM
The only options I have are Multi Use, Admin, EAP Authentication, Radius DTLS, Portal, pxGrid, SAML.
08-29-2023 09:23 AM
@Nick O check that the internal CA is enabled first. Administration > System > Certificates > Certificate Authority > Internal CA settings.
Once it is enabled, you should then be able to generate a CSR and select the Usage option "ISE Root CA".
08-29-2023 11:00 AM
I have it enabled already. And I still do not have the ISE Root CA option in the Usage drop down.
08-29-2023 11:42 AM
That's odd. Are you logged in to the Primary PAN as an admin superuser? What version of ISE?