Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2560
Views
60
Helpful
20
Replies

What can cause ISE

Go to solution
Leftz
Level 4
Level 4

‎12-08-2021 08:40 AM

Hi we have ISE 2.4 with primary and secondary PAN and several PSNs. Two MnTs are at PAN node together. When we logon the ISE via PAN, we can see each reaction is very slow. Anyone has some suggestions to resolve it? Thank you

0 Helpful
16 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎12-08-2021 08:43 AM

@Leftz

How many concurrent sessions do you have?

What is the specification of the ISE hardware/VM?

Potentially you may want to deploy new ISE nodes and have dedicated MnT nodes, thus taking the load of the PAN.

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎12-08-2021 08:49 AM

i would suggest to re-visit the resource issue and make necessary action based on the requirement.,

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-08-2021 09:02 AM

@Leftz good question, are these ISE nodes part of a cluster? Or do you have separate clusters?

You have a small deployment, what is the VM spec of the CPU and Memory?

Does it meet the Cisco recommended requirements?

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-08-2021 09:08 AM

Check the URL I have provided has Specification, what is the current resource you have ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-08-2021 09:12 AM - edited ‎12-08-2021 09:19 AM

what version of ISE ?( I have missed 2.4 ) - if you looking to deploy new look for 2.7 or 3.0

 

2.7 here is the requirement :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_01.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-08-2021 09:14 AM

@Leftz run "show inventory" to determine CPU and memory are compare to the ISE guides for the deployment requirements.

Go to the configuration > deployment and determine what ISE nodes are part of the cluster.

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-08-2021 02:01 PM

what account you trying to login ? Not sure if the ISE configured as Multi authentication, command level  i do not see that option, you can just login using admin account ?

 

image.png

 

On the GUI Home - dashboard you see the system summary.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Leftz
Level 4
Level 4

‎12-08-2021 02:35 PM - edited ‎12-08-2021 02:37 PM

Tried to logon to PSN and PSN via cli, but failed. I think its because it need to enter username, password and Identity Source. we can enter the three via Gui, but cannot enter the three items via cli, instead I can only enter username and password via cli. Do not know how to enter Identity Source if using cli. 

Please see the below

Capture.PNG

 

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-09-2021 12:06 AM

@Leftz just because you have configured the GUI to authenticate using an external identity source, does not mean the CLI is configured the same way. All ISE nodes will have a local "admin" account which you can login to the CLI, you will need to know this password, if not you will need to speak to someone who does or reset the password - guide.

 

Altertnatively, just speak to the server team who adminster the VMs and ask them what CPU, memory has been provisioned for the ISE VMs.

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-09-2021 12:11 AM

I am more interested to know what username and password you use to Login ( admin account), Looks like ISE configured  external source to authenticate, But again admin account is local (so i am more interested to know the username you using to login)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Leftz
Level 4
Level 4

‎12-09-2021 06:20 AM

Based on my understanding, the credential for gui and cli is different. and Gui cannot change/reset cli credential, it this right? 

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-09-2021 06:32 AM

@Leftz yes you are correct. The GUI and CLI have the same user account called "admin" but they are different. The GUI cannot reset the CLI admin password. If you don't know the CLI password you would need to reset it as per the information in the guide provided above.

 

 

View solution in original post

Go to solution
Leftz
Level 4
Level 4

‎12-09-2021 07:19 AM - edited ‎12-09-2021 07:21 AM

Thank you Rob! Not sure if I should ask questions again since the post is very long

You asked how many concurrent endpoint in previous, I notice there is different concurrent endpoint number between primary and second PAN. Is this normal? How long ISE show active endpoint after the active endpoint is off line

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-09-2021 07:43 AM

@Leftz no it is not normal, if everything was setup correctly on the NAD I think the session should expire from ISE in 15 minutes. Can you please provide a sreenshot from the Primary PAN and Secondary PAN GUI to reflect this discrepancy in the number of sessions. Provide a screenshot from the deployment page to confirm the roles/personas of the ISE nodes as well.

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-09-2021 08:25 AM

@Leftz edit the screenshot by hiding some of the company specific information, send a private message if you prefer.

View solution in original post

Go to solution
Leftz
Level 4
Level 4

‎12-09-2021 09:07 AM - edited ‎12-09-2021 09:08 AM

Its because i am not sure which is company info. I already opened a case for cisco. I will let you know what's going on if cisco give satisfactory explanation. Thanks

View solution in original post

0 Helpful
20 Replies 20

Go to solution
Rob Ingram
VIP
VIP

‎12-08-2021 08:43 AM

@Leftz

How many concurrent sessions do you have?

What is the specification of the ISE hardware/VM?

Potentially you may want to deploy new ISE nodes and have dedicated MnT nodes, thus taking the load of the PAN.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎12-08-2021 08:49 AM

i would suggest to re-visit the resource issue and make necessary action based on the requirement.,

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Leftz
Level 4
Level 4

‎12-08-2021 08:58 AM - edited ‎12-08-2021 09:01 AM

Thank you for your reply!

How many concurrent sessions do you have?

-- concurrent session is this Active Endpoints? Its about 1000 at primary PAN. 500 at secondary PAN. Why there is different number between the two PAN?

What is the specification of the ISE hardware/VM? at VM

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-08-2021 09:02 AM

@Leftz good question, are these ISE nodes part of a cluster? Or do you have separate clusters?

You have a small deployment, what is the VM spec of the CPU and Memory?

Does it meet the Cisco recommended requirements?

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-08-2021 09:08 AM

Check the URL I have provided has Specification, what is the current resource you have ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Leftz
Level 4
Level 4

‎12-08-2021 09:08 AM

are these ISE nodes part of a cluster? Or do you have separate clusters? 

These nodes mentioned above are all we have. I do not think it is part of a cluster

You have a small deployment, what is the VM spec of the CPU and Memory?

Can we get the info from the ISE? If not, now i cannot get the info as its managed by another team

Does it meet the Cisco recommended requirements? should be

Thanks

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-08-2021 09:12 AM - edited ‎12-08-2021 09:19 AM

what version of ISE ?( I have missed 2.4 ) - if you looking to deploy new look for 2.7 or 3.0

 

2.7 here is the requirement :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_01.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-08-2021 09:14 AM

@Leftz run "show inventory" to determine CPU and memory are compare to the ISE guides for the deployment requirements.

Go to the configuration > deployment and determine what ISE nodes are part of the cluster.

Go to solution
Leftz
Level 4
Level 4

‎12-08-2021 12:13 PM - edited ‎12-08-2021 12:29 PM

Sorry, cannot logon ise via cli to get that info. When we logon to ise via GUI, we use three info: username, password and identity source. but via cli, how can we enter identity source?
In Gui, i cannot find info for CPU and memory via Gui. but i am sure its not in cluster.

Its version is 2.4 Thanks

 

 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-08-2021 02:01 PM

what account you trying to login ? Not sure if the ISE configured as Multi authentication, command level  i do not see that option, you can just login using admin account ?

 

image.png

 

On the GUI Home - dashboard you see the system summary.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Leftz
Level 4
Level 4

‎12-08-2021 02:35 PM - edited ‎12-08-2021 02:37 PM

Tried to logon to PSN and PSN via cli, but failed. I think its because it need to enter username, password and Identity Source. we can enter the three via Gui, but cannot enter the three items via cli, instead I can only enter username and password via cli. Do not know how to enter Identity Source if using cli. 

Please see the below

Capture.PNG

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

‎12-09-2021 12:06 AM

@Leftz just because you have configured the GUI to authenticate using an external identity source, does not mean the CLI is configured the same way. All ISE nodes will have a local "admin" account which you can login to the CLI, you will need to know this password, if not you will need to speak to someone who does or reset the password - guide.

 

Altertnatively, just speak to the server team who adminster the VMs and ask them what CPU, memory has been provisioned for the ISE VMs.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leftz

‎12-09-2021 12:11 AM

I am more interested to know what username and password you use to Login ( admin account), Looks like ISE configured  external source to authenticate, But again admin account is local (so i am more interested to know the username you using to login)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Leftz
Level 4
Level 4

‎12-09-2021 06:20 AM

Based on my understanding, the credential for gui and cli is different. and Gui cannot change/reset cli credential, it this right? 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card