
Passive Identity using Syslog Provider, no Live Sessions displayed

rick505d3
Level 1

Hi,

I have a VPN firewall (ASA) sending syslog to ISE (2.7 patch 6). ISE has a Syslog Provider configured for the passive identity feature. ISE is also configured with AD as a PID provider using WMI. The VPN user testuser1 is an AD user account.

When a user (testuser1) connects to the VPN firewall, ISE gets syslog messages for the connection. The ISE log file "passiveid-syslog.log" confirms that syslogs are received, parsing is successful and a request has been made to the Session Directory to "Add" the user-IP binding.

2021-11-25 11:31:55,488 DEBUG  [Thread-14][] com.cisco.idc.syslog-probe-  Process message : <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Going to parse hostname from message: <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Parsed hostname: 11:31:52 from message: <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Did not find matching hostname in syslog message. Checking if Custom Header is configured. Message: <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Going to parse hostname using Custom Header configuration. Seperator:   , Message: <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found hostname: asav-1-outside in location: 5, Message: <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found Syslog client for hostname: asav-1-outside, from message:<164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Will parse syslog message as a Syslog Provider asav-1 , Message : <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Message received. Identity Mapping.probe = Syslog , Identity Mapping.syslog-message = : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session
 , Identity Mapping.server = ise01 , 
2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Will handle this message as New Mapping. Message: : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- This is not a Removed Mapping message. Message: : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found IP Address 192.168.100.10 in message: : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found User Name testuser1 in message: : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- MAC address pattern is not configured for message: : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session

2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Domain pattern is not configured will use default domain
2021-11-25 11:31:55,491 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Message parsed. Identity Mapping.probe = Syslog , Identity Mapping.syslog-message = : %ASA-4-722051: Group <GroupPolicy_RAVPN> User <testuser1> IP <10.31.113.179> IPv4 Address <192.168.100.10> IPv6 address <::> assigned to session
 , Identity Mapping.dc-host = asav-1-outside.example.local , Identity Mapping.server = ise01 , 
2021-11-25 11:31:55,576 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Forwarded login event to session directory. Identity Mapping.dc-domainname = example.local , Identity Mapping.Identity Mapping.provider = Syslog , Identity Mapping.probe = Syslog , Identity Mapping.event-user-name = testuser1 , Identity Mapping.dc-host = asav-1-outside.example.local/10.31.113.175 , Identity Mapping.Identity Mapping.mac-address = null , Identity Mapping.server = ise01 , Identity Mapping.event-ip-address = 192.168.100.10 , 

2021-11-25 11:31:55,576 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Publishing identity mapping event. MappingOperationType = ADD , Identity Mapping.dc-domainname = example.local , Identity Mapping.Identity Mapping.provider = Syslog , Identity Mapping.probe = Syslog , Identity Mapping.event-user-name = testuser1 , Identity Mapping.dc-host = asav-1-outside.example.local/10.31.113.175 , Identity Mapping.Identity Mapping.mac-address = null , Identity Mapping.server = ise01 , Identity Mapping.event-ip-address = 192.168.100.10 , 

However, no sessions are seen in Work Centers -> Passive Identity -> Overview -> Live Sessions.

 

Is there something else to be done to make PID work for Syslog?

 

Thanks,

Rick.
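
An added example, not part of the original post and not Cisco code: a short Python script that walks passiveid-syslog.log lines like those quoted above and reports how far each message got inside the syslog probe. The stage marker strings are taken from the excerpt; the sample lines are abridged, the second event is constructed, and the grouping assumes events are not interleaved in the log.

```python
import re

# Stage markers copied from the passiveid-syslog.log excerpt in the post above.
STAGES = [
    ("received", "Process message :"),
    ("client_matched", "Found Syslog client for hostname:"),
    ("forwarded", "Forwarded login event to session directory"),
    ("published", "Publishing identity mapping event"),
]
FIELDS = {
    "ip": re.compile(r"Found IP Address (\S+) in message"),
    "user": re.compile(r"Found User Name (\S+) in message"),
    "operation": re.compile(r"MappingOperationType = (\w+)"),
}

# Abridged sample: first event from the post, second event constructed (stops before publish).
SAMPLE = """\
2021-11-25 11:31:55,488 DEBUG  [Thread-14][] com.cisco.idc.syslog-probe-  Process message : <164>Nov 25 2021 11:31:52 asav-1-outside : %ASA-4-722051: User <testuser1> IPv4 Address <192.168.100.10> assigned to session
2021-11-25 11:31:55,488 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found Syslog client for hostname: asav-1-outside
2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found IP Address 192.168.100.10 in message: (abridged)
2021-11-25 11:31:55,490 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found User Name testuser1 in message: (abridged)
2021-11-25 11:31:55,576 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Forwarded login event to session directory. Identity Mapping.event-user-name = testuser1 ,
2021-11-25 11:31:55,576 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Publishing identity mapping event. MappingOperationType = ADD , Identity Mapping.event-ip-address = 192.168.100.10 ,
2021-11-25 11:40:02,101 DEBUG  [Thread-14][] com.cisco.idc.syslog-probe-  Process message : <164>Nov 25 2021 11:40:00 asav-1-outside : %ASA-4-722051: User <testuser2> IPv4 Address <192.168.100.11> assigned to session
2021-11-25 11:40:02,101 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found Syslog client for hostname: asav-1-outside
2021-11-25 11:40:02,102 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found IP Address 192.168.100.11 in message: (constructed)
2021-11-25 11:40:02,102 DEBUG  [PassiveID-SyslogHandlerThread][] com.cisco.idc.syslog-probe- Found User Name testuser2 in message: (constructed)
"""

def trace_mappings(log_text):
    """Group probe lines into events; assumes events are not interleaved."""
    events = []
    for line in log_text.splitlines():
        if STAGES[0][1] in line:  # a "Process message" line opens a new event
            events.append({"stages": [], "user": None, "ip": None, "operation": None})
        if not events:
            continue
        ev = events[-1]
        ev["stages"] += [n for n, mark in STAGES if mark in line and n not in ev["stages"]]
        for key, rx in FIELDS.items():
            if m := rx.search(line):
                ev[key] = m.group(1)
    return events

def stalled_in_probe(events):
    """Events that never reached the publish step inside the syslog probe."""
    return [e for e in events if "published" not in e["stages"]]
```

An event that reaches `published` with `operation` set to `ADD`, as the testuser1 event does, has completed every probe stage that appears in this log, so a missing Live Session has to be investigated after the publish step rather than in the syslog parsing templates.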

Accepted Solutions

rick505d3
Level 1

Resolved it by disabling the "ISE Messaging Service". The Live Sessions are now getting displayed.

Screenshot 2021-11-26 064238.jpg

 

It was enabled before; I think that is the default. The cert for the service is valid. It's a single ISE node deployment. However, the status of this service was "not running" in the output from "show application status ise". An ISE services restart or node reboot won't bring it to a running state.

 

It may be due to this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs91026

 

Regards,

Rick.
