ISE TrustSec Matrix - Import empty cell

Michal Olsovsky
Level 1

Dear team,

 

I'm trying to find a way to easily delete a lot of policies from an existing TrustSec matrix. Based on the documentation, this seems to be the right way:

 

"Check the Overwrite Existing Data with New Data check box if you want to overwrite the existing policy with the one that you are importing. If empty cells (cells that are marked with the "Empty" keyword in the SGACL column) are included in the imported file, the existing policy in the corresponding matrix cells will be deleted. "

 

However, it doesn't seem to work (ISE 2.4, patch 2) - it makes no difference whether the keyword is empty/EMPTY/Empty or whether one or more SGACLs are allowed per cell - the policy is not removed.

 

Did anyone manage to get this working?

 

Thank you.

 

BR M
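As an added example (not from this thread and not Cisco's own tooling), here is a small Python script for the bulk-revert scenario above: it builds the Egress Policy import CSV for a list of matrix cells, writes the "Empty" keyword quoted from the documentation into the SGACL column of every cell that should fall back to the global rule, and checks the file before upload. The column names in HEADER are an assumption and must be replaced with the header row of an export of your own matrix; the SGT and SGACL names in the usage call are constructed. The "Overwrite Existing Data with New Data" check box is still a GUI step, and the validator guards the file format only; whether ISE 2.4 patch 2 honours the keyword is the question of this thread.

```python
"""Build and validate a TrustSec egress-policy import CSV that clears cells.

Added example, not code from the thread or from Cisco. The header row is an
assumption: take it from an export of your own matrix and use it verbatim.
"""
import csv
import io

# Assumed column layout (hypothetical); replace with your own export's header.
HEADER = ["Source SGT", "Destination SGT", "SGACLs", "Status", "Description"]
EMPTY = "Empty"  # keyword exactly as quoted from the ISE admin guide


def build_rows(cells):
    """cells: iterable of (source_sgt, destination_sgt, sgacl_or_None).

    None means "revert this cell to the global matrix rule" and is written
    as the Empty keyword; any other value is written as the SGACL name.
    """
    rows = []
    for src, dst, sgacl in cells:
        rows.append({
            "Source SGT": src,
            "Destination SGT": dst,
            "SGACLs": EMPTY if sgacl is None else sgacl,
            "Status": "Enabled",
            "Description": "bulk revert to default" if sgacl is None else "",
        })
    return rows


def write_csv(rows):
    """Serialize rows in the assumed column order; returns the CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def validate(csv_text):
    """Return a list of problems; an empty list means the file is safe to upload.

    Checks: header matches the template, no cell (source, destination) appears
    twice, the Empty keyword is spelled exactly as documented, and no SGACL
    column is left blank (a blank is not the same as the keyword).
    """
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != HEADER:
        problems.append(f"header mismatch: {reader.fieldnames}")
        return problems
    seen = set()
    for lineno, row in enumerate(reader, start=2):
        key = (row["Source SGT"], row["Destination SGT"])
        if key in seen:
            problems.append(f"line {lineno}: duplicate cell {key}")
        seen.add(key)
        sgacl = row["SGACLs"] or ""
        if not sgacl.strip():
            problems.append(f"line {lineno}: blank SGACL column (use {EMPTY!r} to clear the cell)")
        elif sgacl.strip().lower() == "empty" and sgacl != EMPTY:
            problems.append(f"line {lineno}: keyword must be spelled exactly {EMPTY!r}, got {sgacl!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample cells: two reverts to the global rule, one explicit SGACL.
    sample = [("Employees", "Servers", None), ("Contractors", "Servers", None),
              ("Guests", "Servers", "Deny_IP")]
    text = write_csv(build_rows(sample))
    print(text)
    print("problems:", validate(text))
```

Run it once against a file exported from your own deployment with the real header substituted, and only upload when validate() returns an empty list; then check ise-psc.log after the import rather than trusting the GUI success banner alone.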

1 Accepted Solution

kthiruve
Cisco Employee

Here is a workaround.

Go to TrustSec policy --> Egress Policy --> choose the source or destination tree, which shows the policy based on source or destination, and delete it in bulk.

For your problem, you can clear the browser cache and see what is going on. Check the ISE 2.4 compatibility chart to see if you are using the right browser version:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

Turn on debug for TrustSec, try it again and gather the logs.

 

Thanks

Krishnan

2 Replies


Hello Krishnan,

 

thank you for your advice. The workaround will do the job in smaller matrices but will be time-consuming for larger changes (we expect to change 50+ cells multiple times after a testing period, going from a specific SGACL back to the global matrix rule, and the idea is to always prepare a CSV file for this to speed up the operation and minimize possible errors).

 

The browser cache was cleared, and all recommended browsers from the compatibility matrix were tested under Win10 (FF, IE11 and Chrome), but there was no difference. What we did observe, however, is that although an SGACL cannot be removed, it can be changed to another SGACL.

 

When debugging, the following items were set to DEBUG as per the documentation:

 

Problem: TrustSec

Attributes to be set to debug level:

  • sxp (sxp_appserver/sxp.log)
  • sgtbinding (sxp_appserver/sxp.log)
  • runtime-AAA (prrt-server.log)
  • nsf (ise-psc.log)
  • nsf-session (ise-psc.log)

 

The following error was noticed in all browsers on 2 different PCs when doing the empty-cell import:

 

show logging app ise-psc.log tail

2018-09-17 09:56:03,121 ERROR  [admin-http-pool2025][] cpm.admin.importexport.action.GenericImportUploadAction -:admin:::- Schedule exception
org.quartz.ObjectAlreadyExistsException: Unable to store Trigger with name: 'client report time' and group: 'DEFAULT', because one already exists with this identification.
        at org.quartz.simpl.RAMJobStore.storeTrigger(RAMJobStore.java:314)
        at org.quartz.simpl.RAMJobStore.storeJobAndTrigger(RAMJobStore.java:194)
        at org.quartz.core.QuartzScheduler.scheduleJob(QuartzScheduler.java:822)
        at org.quartz.impl.StdScheduler.scheduleJob(StdScheduler.java:243)
        at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.defineSchedule(GenericImportUploadAction.java:162)
        at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.processReport(GenericImportUploadAction.java:494)
        at sun.reflect.GeneratedMethodAccessor3339.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.cisco.webui.action.common.PojoActionProxy.performExecution(PojoActionProxy.java:396)
        at com.cisco.webui.action.common.PojoActionProxy.execute(PojoActionProxy.java:232)
        at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
        at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
        at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
        at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
        at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
        at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
        at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
        at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:142)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.NavigationalViewPreferencesFilter.doFilter(NavigationalViewPreferencesFilter.java:99)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:467)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:392)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:311)
        at com.cisco.cpm.admin.infra.utils.WebRequestForwardingFilter.doFilter(WebRequestForwardingFilter.java:43)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.WebCleanCacheFilter.doFilter(WebCleanCacheFilter.java:42)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.rbacfilter.AccessCheckFilter.doFilter(AccessCheckFilter.java:75)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.LogFilter.doFilter(LogFilter.java:83)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderRefererValidationFilter.processRequest(RequestHeaderRefererValidationFilter.java:53)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderRefererValidationFilter.doFilter(RequestHeaderRefererValidationFilter.java:39)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderValidationFilter.doFilter(RequestHeaderValidationFilter.java:141)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderSanityFilter.doFilter(RequestHeaderSanityFilter.java:114)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:142)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.ImportParametersFilter.doFilter(ImportParametersFilter.java:56)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.xss.XssCheckFilter.doFilter(XssCheckFilter.java:133)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.LoginCheckFilter.doFilter(LoginCheckFilter.java:359)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.ParamFilter.doFilter(ParamFilter.java:72)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.CommonRequestParameterFilter.doFilter(CommonRequestParameterFilter.java:67)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:123)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.NavigationalViewPreferencesFilter.doFilter(NavigationalViewPreferencesFilter.java:99)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.ise.tomcat.xss.FilePathCheckFilter.doFilter(FilePathCheckFilter.java:72)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.ResponseHeadersFilter.doFilter(ResponseHeadersFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestDecodingFilter.executeNextFilter(RequestDecodingFilter.java:143)
        at com.cisco.cpm.admin.infra.utils.RequestDecodingFilter.doFilter(RequestDecodingFilter.java:94)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:595)        
        at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:319)
        at org.apache.catalina.valves.LocalAddrValve.invoke(LocalAddrValve.java:47)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
        at com.cisco.ise.tomcat.valves.GuestVlanUrlRedirectValve.invoke(GuestVlanUrlRedirectValve.java:80)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.valves.MethodsValve.invoke(MethodsValve.java:52)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

 

Is there any better debug approach to catch more details about the error? It looks like the import is failing, which is preventing the policy from being overridden; however, in the GUI a success message is shown saying 1 cell was imported (only 1 policy change in the CSV file), but the matrix is without any change. Is there any other way to carry out this type of bulk import?

 

Thank you.

 

Best regards,

M
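The post above shows the practical problem with this import: the GUI reports "1 cell imported" while ise-psc.log records a Quartz scheduling exception in the import action, so the GUI banner cannot be taken as proof that the matrix changed. As an added example (not from the thread and not Cisco code), the Python below parses a saved tail of ise-psc.log, groups each record line with the exception and stack-frame lines that follow it, and reports ERROR records from the import/export action logged after the time the import was started. The record-line layout is taken from the excerpt in the thread; any field beyond that shape, and the DEBUG and INFO lines in the constructed sample, are assumptions.

```python
"""Cross-check an ISE CSV import against ise-psc.log.

Added example, not code from the thread or from Cisco. Feed it the output of
'show logging application ise-psc.log tail' saved to a file, plus the
wall-clock time at which you clicked Import.
"""
import re
from datetime import datetime

# Record line layout as it appears in the thread's ise-psc.log excerpt:
#   <ts> <LEVEL>  [<thread>][] <logger> -:<user>:::- <message>
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<thread>[^\]]*)\]\[[^\]]*\] (?P<logger>\S+) -:(?P<user>[^:]*):::- (?P<msg>.*)$"
)
# First continuation line after a record: "<exception class>: <detail>"
EXCEPTION = re.compile(r"^(?P<cls>[\w.$]+(?:Exception|Error))(?::\s*(?P<detail>.*))?$")
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

# Constructed sample: the ERROR record and its first stack frames are copied
# from the thread (re-joined where the CLI wrapped them at 80 columns); the
# surrounding DEBUG and INFO lines are made up for this example.
SAMPLE_LOG = """\
2018-09-17 09:55:59,004 DEBUG  [admin-http-pool2025][] cpm.admin.importexport.action.GenericImportUploadAction -:admin:::- upload received
2018-09-17 09:56:03,121 ERROR  [admin-http-pool2025][] cpm.admin.importexport.action.GenericImportUploadAction -:admin:::- Schedule exception
org.quartz.ObjectAlreadyExistsException: Unable to store Trigger with name: 'client report time' and group: 'DEFAULT', because one already exists with this identification.
        at org.quartz.simpl.RAMJobStore.storeTrigger(RAMJobStore.java:314)
        at org.quartz.simpl.RAMJobStore.storeJobAndTrigger(RAMJobStore.java:194)
        at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.defineSchedule(GenericImportUploadAction.java:162)
2018-09-17 09:56:04,010 INFO   [admin-http-pool2025][] cpm.admin.infra.utils.LogFilter -:admin:::- request complete
"""


def _parse_ts(s):
    """Accept 'YYYY-MM-DD HH:MM:SS' with or without the ',mmm' millisecond suffix."""
    return datetime.strptime(s if "," in s else s + ",000", TS_FMT)


def parse_records(log_text):
    """Group each record line with the exception/stack lines that follow it."""
    records = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = _parse_ts(rec["ts"])
            rec.update(exception=None, detail=None, frames=[])
            records.append(rec)
        elif records:
            stripped = line.strip()
            e = EXCEPTION.match(stripped)
            if e and records[-1]["exception"] is None:
                records[-1]["exception"] = e.group("cls")
                records[-1]["detail"] = e.group("detail")
            elif stripped.startswith("at "):
                records[-1]["frames"].append(stripped[3:])
    return records


def import_errors(log_text, since=None, logger_substr="importexport"):
    """ERROR records from the import/export action at or after `since`."""
    since_ts = _parse_ts(since) if since else None
    return [r for r in parse_records(log_text)
            if r["level"] == "ERROR" and logger_substr in r["logger"]
            and (since_ts is None or r["ts"] >= since_ts)]


def import_trustworthy(log_text, since):
    """True only if no import-action ERROR was logged since the import started."""
    return not import_errors(log_text, since)


if __name__ == "__main__":
    for r in import_errors(SAMPLE_LOG, since="2018-09-17 09:55:00"):
        print(r["ts"], r["logger"], r["msg"])
        print("  ", r["exception"], "-", r["detail"])
        print("   first frame:", r["frames"][0] if r["frames"] else "n/a")
```

In practice, record the time before clicking Import, save the log tail afterwards, and treat the GUI result as confirmed only when import_trustworthy() is true for that window; if it is false, the exception class and first Cisco frame (here GenericImportUploadAction.defineSchedule) are what to quote in a TAC case.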