01-17-2022 08:36 AM
Hi CSC,
I have a 2 Node deployment -
Node A - Admin (Pri) MnT (Sec), PSN
Node B - Admin (Sec) MnT (Pri), PSN
When using Node A for TACACS - all logs visible within ISE
When using Node B for TACACS - Authentication etc. is all good but logs are not being sent to the primary MnT node.
Using self-signed certificates for messaging service. Does each node require the other's Messaging Service Certificate to be exported and installed on each other?
I'm assuming it is indeed the messaging service responsible for this logging element that isn't working?
Also have the following checked -
"Use "ISE Messaging Service" for UDP Syslogs delivery to MnT"
Thanks
01-22-2022 12:07 PM
Yes, each ISE node needs to trust the others, so the other nodes' self-signed certificate(s) must be in the other node's Trusted Certificates store. This is one of the many reasons why you should never use self-signed certificates in a production deployment. When you joined the Secondary node to the primary, you had to accept the following ⚠ Warning:
The node you are trying to register uses a self-signed certificate which is not trusted.
Are you sure you want to trust this certificate and proceed with registration?
If you are unsure, please click 'Cancel Registration'. Manually import relevant certificate chain of Node that is being registered into 'Trusted Certificates' and ensure 'Trust within ISE' checkbox is selected.
Please note that this certificate will by default be trusted only for authentication within ISE. If the same certificate needs to be used for other purposes (e.g. client authentication and syslog), please enable those options by editing the certificate under the 'Trusted Certificates' page.
Additionally, I don't know what your datacenter colocation or distribution setup is, but in the ISE Admin Guide, Syslog over Cisco ISE Messaging Service provides guidance for which ports are used to communicate:
The Use "ISE Messaging Service" for UDP Syslogs delivery to MnT option is disabled by default in Cisco ISE, Release 2.6, First Customer Ship (FCS). This option is enabled by default in Cisco ISE, Release 2.6, Cumulative Patch 2 and later releases.
Using the Cisco ISE messaging service for UDP syslogs retains the operational data for a finite duration even when the MnT node is unreachable. The MnT WAN survivability period is approximately 2 hours and 30 mins.
This service uses TCP port 8671. Configure your network accordingly and allow the connections to TCP port 8671 on each Cisco ISE node from all other Cisco ISE nodes in the deployment. The following features also use Cisco ISE messaging service: Light Session Directory (see the section "Light Session Directory" in Chapter "Set Up Cisco ISE in a Distributed Environment" in the Cisco Identity Service Engine Administrator Guide) and Profiler Persistence Queue.
You may also refer to the Cisco ISE Ports Reference for other required ports.
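The two conditions the answer above names (TCP 8671 reachable between every pair of nodes, and each node's Messaging Service certificate present in the other node's Trusted Certificates store) can be checked from an admin workstation before opening a case. The script below is an added example and not part of this thread or of Cisco ISE; the hostnames, the trust-store export paths and the `constructed-der` sample bytes in the comments are assumptions. It pins by SHA-256 fingerprint of the DER certificate, so the TLS handshake itself is run without chain validation and the trust decision is made purely against the exported store.

```python
"""Check ISE Messaging Service (TCP 8671) reachability and certificate trust
between deployment nodes. Added example; hostnames and paths are hypothetical."""
import base64
import hashlib
import re
import socket
import ssl
from itertools import permutations

MSG_PORT = 8671  # ISE Messaging Service port named in the Admin Guide excerpt

# Hypothetical node names -> (FQDN, path of that node's exported Trusted Certificates PEM)
NODES = {
    "node-a": ("ise-a.example.internal", "trusted-certs-node-a.pem"),
    "node-b": ("ise-b.example.internal", "trusted-certs-node-b.pem"),
}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der_blocks(pem_text: str) -> list[bytes]:
    """Decode every certificate in a (possibly multi-cert) PEM export to DER."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as openssl x509 prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def load_trusted_fingerprints(pem_text: str) -> set[str]:
    """Fingerprints of every certificate in an exported Trusted Certificates file."""
    return {sha256_fingerprint(der) for der in pem_to_der_blocks(pem_text)}


def is_trusted(peer_der: bytes, trusted: set[str]) -> bool:
    """True when the peer's certificate is pinned in the given trust store."""
    return sha256_fingerprint(peer_der) in trusted


def fetch_peer_cert(host: str, port: int = MSG_PORT, timeout: float = 5.0) -> bytes:
    """Open a TLS connection to the messaging port and return the peer cert in DER.
    Verification is disabled here on purpose: trust is decided by fingerprint
    against the exported store, not by the system CA bundle."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_deployment(nodes=NODES) -> dict[tuple[str, str], str]:
    """For every ordered pair (a, b): can a reach b on 8671, and does a trust b's cert?"""
    results = {}
    for a, b in permutations(nodes, 2):
        _, a_store = nodes[a]
        b_host, _ = nodes[b]
        try:
            with open(a_store) as fh:
                trusted = load_trusted_fingerprints(fh.read())
            peer = fetch_peer_cert(b_host)
        except (OSError, ssl.SSLError) as exc:
            results[(a, b)] = f"FAIL: {exc}"  # port blocked, DNS, or store missing
            continue
        results[(a, b)] = "OK" if is_trusted(peer, trusted) else (
            f"UNTRUSTED: {b}'s cert {sha256_fingerprint(peer)} not in {a}'s store"
        )
    return results


if __name__ == "__main__":
    for pair, status in check_deployment().items():
        print(f"{pair[0]} -> {pair[1]}: {status}")
```

An UNTRUSTED result for `node-a -> node-b` is exactly the situation in the question: Node B's self-signed messaging certificate was never imported into Node A's Trusted Certificates, so syslog over the messaging service from B is dropped even though RADIUS/TACACS+ itself works. A FAIL with a connection error points at the firewall rule for TCP 8671 instead.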