Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
166
Views
1
Helpful
2
Replies

ISE Timezone Configuration

craddockchristopher
Level 1
Level 1

‎07-23-2024 08:37 AM - edited ‎07-23-2024 08:38 AM

Dear Community,

I am standing up a brand new distributed ISE deployment using SNS appliances. I have 8 appliances in total: (2x PAN, 2x MON, 4x PSN). The question I have is about what timezone I should configure the devices for. The devices will physically reside in EDT and CDT as follows:

Primary Admin: EDT

Secondary Admin: CDT

Primary Mon: EDT

Secondary Mon: CDT

PSNx2: EDT

PSNx2: CDT

I believe the PANs and MONs must be configured for the same time zone regardless of where they are physically located, correct? While the PSNs can be configured for any timezone independently?

Is there a case to configure my whole deployment for UTC?

Any help on best practices is highly appreciated. Thank you. 

0 Helpful
2 Replies 2

marce1000
VIP
VIP

‎07-23-2024 09:09 AM

 

  - FYI : https://community.cisco.com/t5/network-access-control/ntp-servers-and-time-zones-configuration-on-cisco-ise-2-7-large/m-p/4435964#M568555
   and or I would stick to UTC

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Arne Bier
VIP
VIP

‎07-25-2024 01:33 PM

It's a matter of opinion.  When customers have ISE nodes in more than one time zone, the "Cisco recommends common time zone" has never been a satisfactory answer to me because they don't explain their reasoning.

I see a few scenarios that could play out.

  1. Set the time zone of all nodes to UTC. In my opinion this is the only sensible option, but also the most annoying choice because it causes confusion and constant mental maths converting the times to get a frame of time reference, no matter where you are in the world (unless you're based in UTC!).
  2. Set the time zone of all nodes to the time zone where your ISE admins are located. This makes the job easier for the operations team because they have a common clock reference for their troubleshooting.
  3. Set the time zone of each node to be in their respective region. This certainly makes reading the local logs easier for local admins, because they don't need to do any conversion for events. But it might cause confusion when trying to correlate events that occurred in other time zones.

The big question is what would ISE Live Logs look like in a user's browser, in various global locations, in each of the above scenarios?  I believe that the answer is: it doesn't matter how you set the time zone of the ISE node - the Live Logs will display the arrival timestamps in your local browser LOCALE settings, because they arrived in chronological order. But that might also be confusing for an ISE admin in New York viewing the same Live Logs in real time with another ISE Admin in Tokiyo - each user's PC will have their own time zone configured and it would be interesting to test all this out to see what would happen, unless someone has already done this and can answer these scenario questions.

Customers Also Viewed These Support Documents