Re: No Authentications in the last 15 minutes in ISE 3.0 patch-3

david.tran · ‎08-30-2021

I am seeing this alarm in my Cisco alarms dashboard.

However, tcpdump revealed that there we constant radius authentication between the PSN nodes and Cisco switches.

Is it still a bug in ISE 3.0 patch-3?

Marcelo Morais · ‎08-30-2021

in other words, when you click the Alarms: ISE Authentication Inactivity then you notice a lot of No Authentications in the last 15 minutes, just like that?

If the answer is yes, please 1st double check if this Alarm occurs every 15 min or on an specific time.

Hope this helps !!!

david.tran · ‎08-30-2021

@Marcelo Morais: it happens randomly.

As I've already mentioned before, I do see radius log and also tcpdump within +/-5 minutes of the alarm.

Damien Miller · ‎08-30-2021

There are two common causes for this. It sounds like you may have already ruled out the first I'll list with your pcaps.

At least one PSN node is not receiving radius authentications for the 15 minute interval, this is fairly common with deployments where everything is primary on the same node, secondary on the other.
The monitoring node has a log ingestion problem caused by either the collector processing stalling for 15+ minutes (live logs will be delayed if you look at the time stamps), or a communication problem such as the ISE messaging service being unhappy.

Do you have any other alarms in the dashboard, specifically queue link errors or health status unavailable?

david.tran · ‎08-30-2021

@Damien Miller:

Item #1 is already ruled out because I see traffic with my pcap,

Item #2: ISE messaging service is perfectly fine, because I opened another TAC case unrelated to this and it was confirmed by TAC.

I have this scenario:

node1: Primary Admin & Primary MNT

node2: Secondary Admin & Secondary MNT

node3: PSN

node4: PSN

All of these nodes are on the same network 192.168.1.0/24 and literally on top of one another

I don't have any other alarms like queue link errors or health status unavailable.

How do you determine if the monitoring has log ingestion problem?

Marcelo Morais · ‎08-30-2021

Hi @david.tran ,

in this case, please take a look at: CSCvr91902 ISE generating false Authentication Inactivity Alarms.

Symptom: ISE generating false intermittent Authentication Inactivity Alarms
Known Fixed Releases: No release planned to fix this bug
Last Modified: Nov 30,2020
Status: Terminated

and also at: CSCvw21033 ISE 2.7: "ISE Authentication Inactivity" alarm - no details available.

Last Modified: Nov 30,2020
Status: Open
Severity: 6 Enhancement

Hope this helps !!!

david.tran · ‎08-30-2021

@Marcelo Morais: Both of the Cisco bugs mentioned here are for version 2.4 and 2.7, nothing about ISE 3.0 patch-3. How do you make a leap to ISE 3.0 patch-3?

Marcelo Morais · ‎08-30-2021

Hi @david.tran ,

please take a look at:

Known Fixed Releases: No release planned to fix this bug

and

Severity: 6 Enhancement

IMO, still an issue on ISE 3.0 P3.

Hope this helps !!!

adamscottmaster2013 · ‎09-06-2021

I had a TAC case opened with Cisco and this issue was fixed but broke it again in version 3.0 patch-3. They offered to fix by root into the appliance and manually fix it but I declined.