Monitoring Application Server status in ISE

alinbaby
Level 1

Hi All,

 

Is there any possible way for monitoring 'Application Server' status in ISE? 


Hi @alinbaby ,

At Administration > System > Settings > Alarm Settings, click Process Down and verify the Alarm Notification configuration.

 

Hope this helps !!!

 

Hi Marcelo,

 

Thanks for the reply. We are running on ISE 2.2 and we have configured the email alerts and alarms, but we are not receiving them when the application server goes down. Are there any other possible ways, like SNMP or using any 3rd party services?

 

Probably need a REST API call. Or a periodic synthetic test like a PRTG RADIUS request to a node. However that only works on PSN nodes. Sadly there is no SNMP trap. ISE only supports one configurable SNMP trap (disk space warning). It’s not great for alerting process status. 

Arne Bier, ISE has traps for application processes but can only detect certain abnormalities, due to reliance on M/Monit. See SNMP Traps to Monitor Cisco ISE

alinbaby, external monitoring is a good idea, but please make sure to do it moderately so as not to contribute much load on the system. However, you should have received emails on configured alarms. If the process got restarted within a short period of time, it might not have triggered any alarm.

Thanks for being more precise about the answer than I was - I have seen the SNMP traps when I reboot my nodes - but I wasn't aware that ISE checks every 5 minutes for application status to send an SNMP if application process died.

 

Would it be possible to have an SNMP trap sent anyway if an admin does an "application stop ise"?

  

Arne Bier, No, an "application stop ise" will not trigger any trap because that also stops monit.

Thanks for the note. We had a recent issue where the app server went down on a PSN node and it was not noticed. We have configured the alarms and email notifications but we haven't received any. So I am looking for the possible ways for monitoring app server status.

Could you please help me with more details regarding REST API call and periodic synthetic test?

 

Will the below SNMP trap be generated when app server stops running?

 "HOST-RESOURCES-MIB::hrSWRunName = STRING: "app-server:Not Running""

Arne Bier
VIP

Hi

 

I can't comment on the SNMP trap. Why don't you just check what ISE sends out to the SNMP server IP address when you stop the ISE applications? You can run an open-source SNMP server like Net-SNMP or other Windows variants.

 

Periodic synthetic tests - example below of a REST API call to the PAN

 

[admin-biera@iptel-centos-01 ~]$ curl -k -v -X GET https://restapi:Encryption123@192.168.0.221:9060/ers/config/node/name/ise01 -H 'ACCEPT: application/json'
* About to connect() to 192.168.0.221 port 9060 (#0)
*   Trying 192.168.0.221...
* Connected to 192.168.0.221 (192.168.0.221) port 9060 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=ise01.milton.iptel.com.au,OU=Ops,O=IPTel Solutions,L=Milton,ST=Queensland,C=AU
*       start date: Aug 23 00:14:00 2018 GMT
*       expire date: Aug 23 00:24:00 2021 GMT
*       common name: ise01.milton.iptel.com.au
*       issuer: CN=milton-IPTEL-AD-01-CA,DC=milton,DC=iptel,DC=com,DC=au
* Server auth using Basic with user 'restapi'
> GET /ers/config/node/name/ise01 HTTP/1.1
> Authorization: Basic cmVzdGFwaTpFbmNyeXB0aW9uMTIz
> User-Agent: curl/7.29.0
> Host: 192.168.0.221:9060
> ACCEPT: application/json
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, must-revalidate
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: JSESSIONIDSSO=8F19AF45AB203E4939229E6457A9ABAD; Path=/; Secure; HttpOnly
< Set-Cookie: APPSESSIONID=A7AB57EC45A99161F2F6DBEC3D7E6A35; Path=/ers; Secure; HttpOnly
< Pragma: no-cache
< ETag: "2D5E1AAE6110C382B56B6C8981E18E60"
< Date: Wed, 05 Jun 2019 02:26:20 GMT
< Content-Type: application/json;charset=utf-8
< Content-Length: 563
< Server:
<
{
  "Node" : {
    "id" : "aee5cb10-42d6-11e8-9914-0050568a2395",
    "name" : "ise01",
    "gateWay" : "192.168.0.1",
    "displayName" : "ise01",
    "inDeployment" : true,
    "otherPapFqdn" : "",
    "ipAddresses" : [ "192.168.0.221" ],
    "ipAddress" : "192.168.0.221",
    "nodeServiceTypes" : "SESSION,PROFILER,DEVICE ADMIN",
    "primaryPapNode" : true,
    "pxGridNode" : true,
    "papNode" : true,
    "link" : {
      "rel" : "self",
      "href" : "https://192.168.0.221:9060/ers/config/node/name/ise01",
      "type" : "application/xml"
    }
  }
* Connection #0 to host 192.168.0.221 left intact

There are of course other tests you can run - but the above test will fail if the application services are not running. That should be a trigger for alerting. PRTG has many other tests you can run against a node to check its health. Probably the best PSN test is one that is end-to-end (and would test a periodic user auth of an AD account at a regular interval - and run that against each individual PSN).
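
The synthetic test described above, wrapped for scheduled use, as an added example that is not part of the original post: it verifies the server certificate instead of passing -k, reads the ERS account from a netrc file rather than the URL, and reports "node not answering" separately from "probe account rejected". The function names, the ISE_CA_BUNDLE and ISE_NETRC variables and their default paths are assumptions; the endpoint and port are the ones shown in the post.

```shell
#!/usr/bin/env bash
# Added example: scheduled ERS health probe for one ISE node.
# Assumptions (not from the thread): ISE_CA_BUNDLE, ISE_NETRC and both function names.
ISE_CA_BUNDLE="${ISE_CA_BUNDLE:-/etc/pki/tls/certs/ise-ca.pem}"   # CA that issued the ISE cert
ISE_NETRC="${ISE_NETRC:-$HOME/.ise-netrc}"   # mode 0600: machine <host> login <user> password <pw>

# Turn curl's exit code, the HTTP status and the body into one monitoring state.
classify_probe() {
    local curl_rc="$1" http_code="$2" body="$3" node="$4"
    case "$curl_rc" in
        0) ;;                                   # HTTP exchange completed, inspect it below
        7|28) echo "DOWN"; return ;;            # connect failed or timed out
        35|60) echo "TLS_ERROR"; return ;;      # handshake or certificate verification failed
        *) echo "UNKNOWN"; return ;;
    esac
    case "$http_code" in
        200)
            # The node object must name the node we asked for (whitespace-insensitive).
            if printf '%s' "$body" | tr -d ' \t\r\n' | grep -Fq "\"name\":\"$node\""; then
                echo "UP"
            else
                echo "UNEXPECTED_BODY"
            fi ;;
        401|403) echo "AUTH_ERROR" ;;           # service answers; the probe account is the problem
        5??) echo "DEGRADED" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# One request per call, with short timeouts so a hung node cannot stall the scheduler.
probe_node() {
    local host="$1" node="$2" body_file code rc body
    body_file=$(mktemp) || return 1
    code=$(curl -sS --connect-timeout 5 --max-time 15 \
        --cacert "$ISE_CA_BUNDLE" --netrc-file "$ISE_NETRC" \
        -H 'Accept: application/json' -o "$body_file" -w '%{http_code}' \
        "https://$host:9060/ers/config/node/name/$node" 2>/dev/null)
    rc=$?
    body=$(cat "$body_file"); rm -f "$body_file"
    classify_probe "$rc" "$code" "$body" "$node"
}

# Invoked as: script <ise-fqdn> <node-name>, e.g. from cron every few minutes.
if [ "$#" -eq 2 ]; then
    state=$(probe_node "$1" "$2")
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') $1 $state"
    [ "$state" = "UP" ] || exit 1
fi
```

Address the node by the FQDN in its certificate so verification succeeds, and keep the schedule sparse so the probe adds little load.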

 

thomas
Cisco Employee

Also see my response to a very similar question a few days ago:

ISE Services monitoring with ERS / REST API

which is similar to Arne's response.