cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2555
Views
60
Helpful
20
Replies

What can cause ISE

Leftz
Level 4
Level 4

Hi we have ISE 2.4 with primary and secondary PAN and several PSNs. Two MnTs are at PAN node together. When we logon the ISE via PAN, we can see each reaction is very slow. Anyone has some suggestions to resolve it? Thank you

16 Accepted Solutions

Accepted Solutions

@Leftz

How many concurrent sessions do you have?

What is the specification of the ISE hardware/VM?

Potentially you may want to deploy new ISE nodes and have dedicated MnT nodes, thus taking the load of the PAN.

View solution in original post

balaji.bandi
Hall of Fame
Hall of Fame

i would suggest to re-visit the resource issue and make necessary action based on the requirement.,

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

@Leftz good question, are these ISE nodes part of a cluster? Or do you have separate clusters?

You have a small deployment, what is the VM spec of the CPU and Memory?

Does it meet the Cisco recommended requirements?

View solution in original post

Check the URL I have provided has Specification, what is the current resource you have ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

what version of ISE ?( I have missed 2.4 ) - if you looking to deploy new look for 2.7 or 3.0

 

2.7 here is the requirement :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_01.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

@Leftz run "show inventory" to determine CPU and memory are compare to the ISE guides for the deployment requirements.

Go to the configuration > deployment and determine what ISE nodes are part of the cluster.

View solution in original post

what account you trying to login ? Not sure if the ISE configured as Multi authentication, command level  i do not see that option, you can just login using admin account ?

 

image.png

 

On the GUI Home - dashboard you see the system summary.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Leftz
Level 4
Level 4

Tried to logon to PSN and PSN via cli, but failed. I think its because it need to enter username, password and Identity Source. we can enter the three via Gui, but cannot enter the three items via cli, instead I can only enter username and password via cli. Do not know how to enter Identity Source if using cli. 

Please see the below

Capture.PNG

 

View solution in original post

@Leftz just because you have configured the GUI to authenticate using an external identity source, does not mean the CLI is configured the same way. All ISE nodes will have a local "admin" account which you can login to the CLI, you will need to know this password, if not you will need to speak to someone who does or reset the password - guide.

 

Altertnatively, just speak to the server team who adminster the VMs and ask them what CPU, memory has been provisioned for the ISE VMs.

View solution in original post

I am more interested to know what username and password you use to Login ( admin account), Looks like ISE configured  external source to authenticate, But again admin account is local (so i am more interested to know the username you using to login)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Leftz
Level 4
Level 4

Based on my understanding, the credential for gui and cli is different. and Gui cannot change/reset cli credential, it this right? 

View solution in original post

@Leftz yes you are correct. The GUI and CLI have the same user account called "admin" but they are different. The GUI cannot reset the CLI admin password. If you don't know the CLI password you would need to reset it as per the information in the guide provided above.

 

 

View solution in original post

Leftz
Level 4
Level 4

Thank you Rob! Not sure if I should ask questions again since the post is very long

You asked how many concurrent endpoint in previous, I notice there is different concurrent endpoint number between primary and second PAN. Is this normal? How long ISE show active endpoint after the active endpoint is off line

View solution in original post

@Leftz no it is not normal, if everything was setup correctly on the NAD I think the session should expire from ISE in 15 minutes. Can you please provide a sreenshot from the Primary PAN and Secondary PAN GUI to reflect this discrepancy in the number of sessions. Provide a screenshot from the deployment page to confirm the roles/personas of the ISE nodes as well.

View solution in original post

@Leftz edit the screenshot by hiding some of the company specific information, send a private message if you prefer.

View solution in original post

Leftz
Level 4
Level 4

Its because i am not sure which is company info. I already opened a case for cisco. I will let you know what's going on if cisco give satisfactory explanation. Thanks

View solution in original post

20 Replies 20

@Leftz

How many concurrent sessions do you have?

What is the specification of the ISE hardware/VM?

Potentially you may want to deploy new ISE nodes and have dedicated MnT nodes, thus taking the load of the PAN.

balaji.bandi
Hall of Fame
Hall of Fame

i would suggest to re-visit the resource issue and make necessary action based on the requirement.,

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz
Level 4
Level 4

Thank you for your reply!

How many concurrent sessions do you have?

-- concurrent session is this Active Endpoints? Its about 1000 at primary PAN. 500 at secondary PAN. Why there is different number between the two PAN?

What is the specification of the ISE hardware/VM? at VM

@Leftz good question, are these ISE nodes part of a cluster? Or do you have separate clusters?

You have a small deployment, what is the VM spec of the CPU and Memory?

Does it meet the Cisco recommended requirements?

Check the URL I have provided has Specification, what is the current resource you have ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz
Level 4
Level 4

are these ISE nodes part of a cluster? Or do you have separate clusters? 

These nodes mentioned above are all we have. I do not think it is part of a cluster

You have a small deployment, what is the VM spec of the CPU and Memory?

Can we get the info from the ISE? If not, now i cannot get the info as its managed by another team

Does it meet the Cisco recommended requirements? should be

Thanks

what version of ISE ?( I have missed 2.4 ) - if you looking to deploy new look for 2.7 or 3.0

 

2.7 here is the requirement :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_01.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@Leftz run "show inventory" to determine CPU and memory are compare to the ISE guides for the deployment requirements.

Go to the configuration > deployment and determine what ISE nodes are part of the cluster.

Leftz
Level 4
Level 4

Sorry, cannot logon ise via cli to get that info. When we logon to ise via GUI, we use three info: username, password and identity source. but via cli, how can we enter identity source?
In Gui, i cannot find info for CPU and memory via Gui. but i am sure its not in cluster.

Its version is 2.4 Thanks

 

 

what account you trying to login ? Not sure if the ISE configured as Multi authentication, command level  i do not see that option, you can just login using admin account ?

 

image.png

 

On the GUI Home - dashboard you see the system summary.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz
Level 4
Level 4

Tried to logon to PSN and PSN via cli, but failed. I think its because it need to enter username, password and Identity Source. we can enter the three via Gui, but cannot enter the three items via cli, instead I can only enter username and password via cli. Do not know how to enter Identity Source if using cli. 

Please see the below

Capture.PNG

 

@Leftz just because you have configured the GUI to authenticate using an external identity source, does not mean the CLI is configured the same way. All ISE nodes will have a local "admin" account which you can login to the CLI, you will need to know this password, if not you will need to speak to someone who does or reset the password - guide.

 

Altertnatively, just speak to the server team who adminster the VMs and ask them what CPU, memory has been provisioned for the ISE VMs.

I am more interested to know what username and password you use to Login ( admin account), Looks like ISE configured  external source to authenticate, But again admin account is local (so i am more interested to know the username you using to login)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz
Level 4
Level 4

Based on my understanding, the credential for gui and cli is different. and Gui cannot change/reset cli credential, it this right? 

Review Cisco Networking for a $25 gift card