Strange behaviour with ISE 2.3 (Patch 1) viewing Endpoints

randomuser
Level 1

We have a strange behavior when displaying an endpoint in the Live Log compared to the Context Visibility > Endpoints.

In the Live Log, it is displayed when the Endpoint connects (looking up with the Endpoint ID), that the Endpoint comes from Switch-Location-A at Port 42 and some entries from Switch-Location-B at Port 49. The Switch-Location-A Port 42, where the endpoint is actually connected, displays everything correctly at the CLI level.

In the Context Visibility > Endpoint, Switch-Location-B at Port 49 is always assigned to the endpoint, which is wrong. Cleanup via 'application configure ise' after purging the database for 1 day does not bring any changes, even if the endpoint was deleted from context visibility before.

# application configure ise executed in the following order:

[3]Purge M&T Operational Data > retain 1 day

[2]Rebuild M&T Unusable Indexes

[5]Refresh Database Statistics

[20]Reset Context Visibility

[21]Synchronize Context Visibility With Database

Has anyone been able to observe the same behavior/issue?

Regards

Accepted Solutions

Joseph Johnson
Level 1

I have seen this as well. The information in Context Visibility is not updating properly. Here is how I tested:

  1. Endpoint connected to Gi1/0/05 and authenticates.
  2. Live logs show endpoint authenticated on Gi1/0/5.
  3. Check Context Visibility information and it shows the NAS-Port-Id is Gi1/0/5.
  4. Move wired connection to Gi1/0/3.
  5. Live logs show endpoint authenticated on Gi1/0/3.
  6. Check Context Visibility and endpoint still shows NAS-Port-Id is Gi1/0/5.

I tried waiting a minute or so and going back into the Endpoint details in Context Visibility but the NAS-Port-Id never updated to the correct port (Gi1/0/3).

This is only in the Attributes tab for the endpoint in Context Visibility. Switching to the Authentication tab shows the correct port (Gi1/0/3). If you add the NAD Port ID column to the main Context Visibility > Endpoints report, it also shows the correct port.

4 Replies

hslai
Cisco Employee

At present, the purging of M&T Operational Data has no impact on Context Visibility. This has been so since ISE 2.1.

Nonetheless, deleting the endpoint in the ISE context visibility should have zeroed out its attributes. If it's not doing so, please engage Cisco TAC to troubleshoot. You may also configure endpoint purge policy.

Joseph Johnson
Level 1

Update 2017-10-23: This appears to be corrected in the newly released Patch 1 (ise-patchbundle-2.3.0.298-Patch1-221754.SPA.x86_64.tar.gz). I moved the endpoint between three different ports. After each move, I verified the Attributes tab was now showing the correct port number. Roll back the previous Patch 1 install and install the latest Patch 1 release.

Sounds good. I will check with the customer and report back.

Thanks.