
Session API is not working for some endpoints authenticating after every hour.

Parag Mahajan
Cisco Employee

We have an ISE architecture with dedicated Admin, MnT and PSN nodes. We are trying to generate a report from a third-party tool for endpoints authenticated through ISE. For this, we are using the session API. It has been observed that for some of the endpoints, the session API does not work and gives the error 'Session data is not available in the last 5 days.' The periodic authentication command is present on the interface and the endpoint is getting authenticated every hour. So according to me the session API should have worked. Any guess? Please find the attachment.

More information.

  1. For the same endpoints, if we send a CoA with port bounce from Live Sessions and then execute the session API, we are able to get the expected result.
  2. The command 'aaa accounting update newinfo periodic 2880' is NOT present in global mode. Is the RADIUS interim accounting update the cause of this issue?

If the endpoint is getting authenticated every hour (PFA), do we still need to worry about RADIUS interim accounting messages? What is the correlation?

6 Replies

hslai
Cisco Employee

From one of your pics, it looks like an ISE 2.1 deployment. In case it has at least Patch 2 applied, which fixes CSCur11333, please open a TAC case to investigate. Also, please verify that last-5-day records are present in either RADIUS auth or account reports for such endpoints.

Hi Hslai,

Thanks for the reply. We are on Patch 3, so the bug should not be coming into the picture. We will open a TAC case, but I am still curious to know the below.

If the endpoint is getting authenticated every hour, do we still need to worry about RADIUS interim accounting messages? What is the correlation?

Why does the session API start working for the concerned endpoints if we send a CoA with port bounce from Live Sessions? What is the correlation of RADIUS reauth vs. CoA port bounce with respect to the session API?

Are you able to check the RADIUS auth and accounting reports on the problem endpoints? With log suppression enabled, not all authentication attempts are recorded in the ISE db, but that is a good thing.

With port bounce, the endpoints would get new session IDs. Regardless of whether the session IDs are old or new, we should have been able to obtain the results. Thus, we need a TAC engagement and a copy of the OPS backup to dive into data analysis, or it might be a side effect of other exceptions.

Sorry for the delay. I did check the RADIUS auth and accounting reports. MAC address logs are showing up a couple of times a day. The auth suppression setting is completely disabled. We will open a TAC case to investigate further.

Could you please explain, or point out any doc, to answer the question below?

If the endpoint is getting authenticated every hour, do we still need to worry about RADIUS interim accounting messages?

In other words, is the 'aaa accounting update .....' command required on the switch if the endpoint is getting authenticated every hour?

If ISE is getting accounting start and stop and the endpoints' IP address, and if not using device sensor, I see no reason to have that command. However, you might want to turn it on to test and verify whether it makes some difference. It would be good to get wire captures.

hslai: Just to update you, TAC case 682422845 has been opened to track this issue. TAC believes the bug below is causing the issue:


CSCvd41050: ISE 2.1 Endpoint lookup using ERS API is very slow.


But honestly I am not sure if the above bug is the real cause, because we do get a response from the session API: 'Session data is not available in the last 5 days.' What do you think?