New ISE node not showing any TACACS logs

umeshunited
Level 1

I had two ISE VM nodes running on 2.4 (no patch) with insufficient resources. I was getting multiple alarms.

I made one node primary for both Admin and MnT personas and de-registered the second node. Then I registered a newly created VM node with sufficient resources. So one node is running with insufficient resources and another with recommended resources. The one with insufficient resources has both personas as primary, and I see TACACS live logs there. But when I promote the newly registered node as primary MnT node, I do not see any TACACS live logs.

I tried removing and adding logcollector and logcollector2 from the TACACS logging categories and also tried a manual sync.

 

Accepted Solutions

hslai
Cisco Employee

Please do apply the latest patch. You might need to reset the M&T database after the patching. If that is not helping, please open a TAC case to debug further.

Below are two known bugs:

  • CSCvk48315
  • CSCvj79271

10 Replies

ldanny
Cisco Employee

Is it only the TACACS+ logs you don't see, and do you receive RADIUS logs?

I'm sure you have double-checked that you have TACACS+ services enabled and tested some NADs which are using the correct TACACS+ server :)

 

If not in production I would bounce which is less attractive.

 

If problem persists please work with TAC to troubleshoot.

Hello ldanny,

Thank you for your reply.

We are not using RADIUS; we are using device administration only.

 

192.168.255.251 is my primary admin and primary MnT node.

192.168.255.252 is my Sec admin and Sec MnT node.

For above mentioned state I am getting live logs.

But when I change the personas so that

192.168.255.251 is my primary admin and Sec MnT node.

192.168.255.252 is my Sec admin and Sec primary node

I do not see any logs. 

Hello,

 

Yes, I have a TAC case opened for it.

I will soon share findings/results.

Hello,

Apologies for the delayed response.

I applied the patch and it did not resolve my issue, so I went for an MnT database reset.

I had one TAC case going on; the engineer said that the reset might have reverted all changes that the patch applied, so you need to patch it again. My priority is to bring both nodes' resources to the recommended level and then apply the patch and see if it resolves my issue or not. I will keep posting my observations.

Thanks,

laurathaqi
Level 3

Hi, 

 

Did you solve the issue? I am having the same issue in my two-node deployment. From the NAD, I issue the command test aaa group tacacs username password new-code, which results in successful authentication, but no logs are showing in the ISE TACACS logs.

 

NAD is added successfully in ISE;

There is ping between ISE and NAD device; 

TACACS server is configured with the right ip;

TACACS configuration commands added due to its successful test aaa.... result. 

 

Any thoughts or suggestions would be highly appreciated.

 

Thank you,

Laura  

waqas.suneel
Level 1

I also have a similar problem. I can see that there has been no update for a long time. Please update if someone finds a solution.

Hi, 

 

Please use the following:

aaa authentication login default group tacacs+ local

Hope it helps! 

 

Best,

Laura 

In my case I had a two-node deployment; if I promoted the newly deployed node as my primary MnT, I could not see any T+ logs (new logs). I had a case opened and I installed a hot fix; even that did not solve it. Then the BU was engaged and they cleared some stuck DB processes on the ISE, and then it was fixed.
