
ISE TrustSec Matrix - Import empty cell

Dear team,

 

I'm trying to find a way to easily delete a lot of policies from an existing TrustSec matrix. Based on the documentation, this seems to be the right way:

 

"Check the Overwrite Existing Data with New Data check box if you want to overwrite the existing policy with the one that you are importing. If empty cells (cells that are marked with the "Empty" keyword in the SGACL column) are included in the imported file, the existing policy in the corresponding matrix cells will be deleted. "

 

However it doesn't seem to work (ISE 2.4, patch 2) - there is no difference if the keyword is empty/EMPTY/Empty and if single or more SGACLs are allowed per cell - the policy is not removed.

 

Did anyone manage to get this working?

 

Thank you.

 

BR M


Accepted Solutions
Cisco Employee

Re: ISE TrustSec Matrix - Import empty cell

Here is a workaround.

Go to trustsec policy --> egress policy --> choose source or destination tree that shows policy based on source or destination and delete it in bulk.

 

For your problem, you can clear the browser cache and see what is going on. Check the ISE 2.4 compatibility chart to see if you are using the right browser version:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

Turn the debug on trustsec, try it again to gather the logs.

 

Thanks

Krishnan

 

 

 

-Krishnan


Re: ISE TrustSec Matrix - Import empty cell

Hello Krishnan,

 

Thank you for your advice. The workaround will do the job in smaller matrixes but will be time consuming for larger changes (we expect to change 50+ cells multiple times after some testing period to go from a specific SGACL to fallback to the global matrix rule, and the idea is to always prepare a CSV file for this to speed up the operation and minimize possible errors).

 

The browser cache was cleared, and all recommended browsers from the compatibility matrix were tested under Win10 (FF, IE11 and Chrome), but there was no difference. What we did observe, however, was that although the SGACL cannot be removed, it can be changed to another SGACL.

 

When debugging, the following items were set to DEBUG as per the documentation:

 

Problem: TrustSec

Attributes to be set to debug level:

  • sxp (sxp_appserver/sxp.log)
  • sgtbinding (sxp_appserver/sxp.log)
  • runtime-AAA (prrt-server.log)
  • nsf (ise-psc.log)
  • nsf-session (ise-psc.log)

 

The following error was noticed in all browsers on 2 different PCs when doing the empty cell import:

 

show logging app ise-psc.log tail

2018-09-17 09:56:03,121 ERROR  [admin-http-pool2025][] cpm.admin.importexport.action.GenericImportUploadAction -:admin:::- Schedule exception
org.quartz.ObjectAlreadyExistsException: Unable to store Trigger with name: 'client report time' and group: 'DEFAULT', because one already exists with this identification.
        at org.quartz.simpl.RAMJobStore.storeTrigger(RAMJobStore.java:314)
        at org.quartz.simpl.RAMJobStore.storeJobAndTrigger(RAMJobStore.java:194)
        at org.quartz.core.QuartzScheduler.scheduleJob(QuartzScheduler.java:822)
        at org.quartz.impl.StdScheduler.scheduleJob(StdScheduler.java:243)
        at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.defineSchedule(GenericImportUploadAction.java:162)
        at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.processReport(GenericImportUploadAction.java:494)
        at sun.reflect.GeneratedMethodAccessor3339.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.cisco.webui.action.common.PojoActionProxy.performExecution(PojoActionProxy.java:396)
        at com.cisco.webui.action.common.PojoActionProxy.execute(PojoActionProxy.java:232)
        at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
        at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
        at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
        at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
        at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
        at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
       at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
        at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:142)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.NavigationalViewPreferencesFilter.doFilter(NavigationalViewPreferencesFilter.java:99)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:467)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:392)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:311)
        at com.cisco.cpm.admin.infra.utils.WebRequestForwardingFilter.doFilter(WebRequestForwardingFilter.java:43)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.WebCleanCacheFilter.doFilter(WebCleanCacheFilter.java:42)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.rbacfilter.AccessCheckFilter.doFilter(AccessCheckFilter.java:75)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.LogFilter.doFilter(LogFilter.java:83)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderRefererValidationFilter.processRequest(RequestHeaderRefererValidationFilter.java:53)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderRefererValidationFilter.doFilter(RequestHeaderRefererValidationFilter.java:39)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderValidationFilter.doFilter(RequestHeaderValidationFilter.java:141)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestHeaderSanityFilter.doFilter(RequestHeaderSanityFilter.java:114)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:142)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.ImportParametersFilter.doFilter(ImportParametersFilter.java:56)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.xss.XssCheckFilter.doFilter(XssCheckFilter.java:133)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.LoginCheckFilter.doFilter(LoginCheckFilter.java:359)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.ParamFilter.doFilter(ParamFilter.java:72)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.CommonRequestParameterFilter.doFilter(CommonRequestParameterFilter.java:67)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:123)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.NavigationalViewPreferencesFilter.doFilter(NavigationalViewPreferencesFilter.java:99)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.ise.tomcat.xss.FilePathCheckFilter.doFilter(FilePathCheckFilter.java:72)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.ResponseHeadersFilter.doFilter(ResponseHeadersFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at com.cisco.cpm.admin.infra.utils.RequestDecodingFilter.executeNextFilter(RequestDecodingFilter.java:143)
        at com.cisco.cpm.admin.infra.utils.RequestDecodingFilter.doFilter(RequestDecodingFilter.java:94)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:595)        
        at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:319)
        at org.apache.catalina.valves.LocalAddrValve.invoke(LocalAddrValve.java:47)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
        at com.cisco.ise.tomcat.valves.GuestVlanUrlRedirectValve.invoke(GuestVlanUrlRedirectValve.java:80)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.valves.MethodsValve.invoke(MethodsValve.java:52)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

 

Is there any better debug approach to catch more details about the error? It looks like the import is failing and that is preventing the policy from being overridden; however, in the GUI a successful message is shown saying 1 cell was imported (only 1 policy change in the CSV file), but the matrix is without any change. Is there any other way to carry out this type of bulk import?

 

Thank you.

 

Best regards,

M
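
To pull import errors like the one in this thread out of ise-psc.log, the following added example (not part of the original posts, and not Cisco code) parses the record layout visible in the excerpt and reports the exception and the first com.cisco frame for each ERROR logged by an importexport class. The sample log is constructed from the excerpt with its wrapped lines rejoined; the function names and the INFO line are assumptions.

```python
import re

# Record header layout as seen in the ise-psc.log excerpt in this thread:
# <timestamp> <LEVEL> [<thread>][] <logger> -:<user>:::- <message>
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]*)\]\[[^\]]*\]\s+(?P<logger>\S+)\s+"
    r"-:(?P<user>[^:]*):::-\s*(?P<msg>.*)$")
EXC = re.compile(r"^(?P<cls>[\w.$]+(?:Exception|Error)):\s*(?P<detail>.*)$")
FRAME = re.compile(r"^\s+at\s+(?P<method>[\w.$<>]+)\(")

# Constructed sample: abridged from the excerpt above, plus one invented INFO line.
SAMPLE = """\
2018-09-17 09:56:02,900 INFO   [admin-http-pool2025][] cpm.admin.example.Placeholder -:admin:::- constructed unrelated entry
2018-09-17 09:56:03,121 ERROR  [admin-http-pool2025][] cpm.admin.importexport.action.GenericImportUploadAction -:admin:::- Schedule exception
org.quartz.ObjectAlreadyExistsException: Unable to store Trigger with name: 'client report time' and group: 'DEFAULT', because one already exists with this identification.
        at org.quartz.simpl.RAMJobStore.storeTrigger(RAMJobStore.java:314)
        at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.defineSchedule(GenericImportUploadAction.java:162)
"""

def parse_records(text):
    """Group each header line with the exception and stack frames that follow it."""
    records, cur = [], None
    for line in text.splitlines():
        head, frame, exc = HEADER.match(line), FRAME.match(line), EXC.match(line)
        if head:
            cur = dict(head.groupdict(), exception=None, detail=None, frames=[])
            records.append(cur)
        elif cur is None:
            continue  # trace lines cut off from their header, e.g. by `tail`
        elif frame:
            cur["frames"].append(frame.group("method"))
        elif exc and cur["exception"] is None:
            cur["exception"], cur["detail"] = exc.group("cls"), exc.group("detail")
    return records

def import_failures(records):
    """ERROR records from import/export loggers, with the first Cisco frame in the trace."""
    found = []
    for r in records:
        if r["level"] == "ERROR" and ".importexport." in r["logger"]:
            origin = next((f for f in r["frames"] if f.startswith("com.cisco.")), None)
            found.append({"ts": r["ts"], "user": r["user"], "msg": r["msg"],
                          "exception": r["exception"], "origin": origin})
    return found

if __name__ == "__main__":
    print(import_failures(parse_records(SAMPLE)))
```

Comparing the timestamps it reports with the time of each import attempt shows whether an import the GUI reported as successful logged an exception on the server side.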