Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4275
Views
13
Helpful
0
Comments

ISE - What we need to know about Support Bundle

Marcelo Morais
VIP
VIP

‎01-18-2025 05:13 PM - edited ‎03-28-2025 12:58 PM

 

The Portuguese version of this Article can be found at: ISE - O que precisamos saber sobre Support Bundle .

 

MarceloMorais_0-1654436644727.png For an offline or printed copy of this document, simply choose ⋮ Options > Printer Friendly Page. You may then Print > Print to PDF or Copy & Paste to any other document format you like.

 

Introduction

In Cisco ISE, the Support Bundle is a collection of Logs, Configuration Files and Diagnostic Information that can help you troubleshoot your ISE Deployment.

You can think of the Support Bundle as the equivalent of the show tech-support on a Cisco IOS Device.

 

Note: this Article uses Cisco ISE 3.4 P1 (released on Dec 18th, 2024) as an example.

 

Format

The Support Bundle is an encrypted TAR.GPG file that can be generated via CLI or GUI.

 

GPG (GNU Privacy Guard) is fee, Open-Source tool Encrypts Files and provides Digital Signatures.

 

Possible formats: 

  • CLI

Public Key Encryption

ise-support-bundle-pk-<Support Bundle Name>-yymmdd-hhmm.tar.gpg

Shared Key Encryption

ise-support-bundle-<Support Bundle Name>-yymmdd-hhmm.tar.gpg

 

  • GUI

Public Key Encryption

ise-support-bundle-pk-<ISE Node Hostname>-<Admin Username>-mm-dd-yyyy-hh-mm.tar.gpg

Shared Key Encryption

ise-support-bundle-<ISE Node Hostname>-<Admin Username>-mm-dd-yyyy-hh-mm.tar.gpg

 

Support Bundle 

The Support Bundle can be generated via:

  • CLI
ise/admin# backup-logs <backup-name> repository <repository-name> {public-key | {encryption-key { hash | plain } <encryption-key name>}} ?
 Possible completions:
  core-files Include Core and Heap dumps
  date-from Start date for support bundle
  date-to End date for support bundle
  db-logs Include full configuration database
  debug-logs Include debug logs
  local-logs Include local logs
  mnt-report-logs Include monitoring and reporting logs
  policy-cache-logs Include policy cache logs
  policy-conf-logs Include policy configuration logs
  system-logs Include system logs
  | Output modifiers
  <cr>

 

  • GUI

In Operations > Troubleshoot > Download Logs > Support Bundle:

Support Bundle.png

 

Note: the output of the show tech-support will always be included in any (CLI or GUISupport Bundle.

 

Logs Category

Logs are categorized into the following Groups (CLI | GUI) : 

  • db-logs | Include Full Configuration Database

Exports ISE Configuration Database.

 

. Date Range (From Date & To Date) does not apply for this category !!!
. Allows Cisco TAC to import Database Configuration into another ISE Node to recreate the scenario.

 

  • debug-logs | Include Debug Logs

Files related to Apache Tomcat Configuration.

Files related to ISE Configuration, Property and Resource.

Oracle and Timesten logs.

Files related to Protocol Runtime and Policy Services Component.

ISE Messaging logs.

Includes SSE Configuration and Logs.

Dashboard Summary, Health Monitoring Test log, and pxGrid Databases Synchronization Test log (if pxGrid is enabled in the Deployment).

 

. Timesten is the Internal Database used by M&T.

 

  • local-logs | Include Local Logs

A local copy of the RADIUS Logs.

 

  • core-files | Include Core Files

ISE Core Files.

 

. These Logs are created if the Application crashes and include Core Dumps Files.

 

  • mnt-report-logs | Include Monitoring and Reporting Logs

Contains CSV Files exported from various Operational Counters (M&T)

 

. Date Range (From Date & To Date) does not apply for this category !!!

 

  • system-logs | Include System Logs

ADE-OS specific logs.

confd specific logs.

Oracle and Timesten logs.

Apache Tomcat logs.

 

. Cisco ISE runs on Cisco Application Deployment Engine Operating System (ADE-OS), which is based on
 Red Hat Enterprise Linux (RHEL). For Cisco ISE 3.4, ADE-OS is based on RHEL 8.8.

 

  • policy-conf-logs | Include Policy Configuration

Authentication & Authorization Policy Configuration.

 

. Date Range (From Date & To Date) does not apply for this category !!!

 

  • policy-cache-logs | Include Policy Cache

Policy Sets Cache information.

 

Log Range

The date-from & date-to | From Date & To Date fields are optional, ad may be empty, in which case there will be no Date restriction.

The date-from  | From Date fields accepts Dates from the last 15 days !!!

 

Note: it is important to note that it is not possible to generate a Support Bundle in the GUI with a From Date greater that the last 15 days, however the same does not occur in the CLI:

Error - From Date within 15 Days.png

 

ise/admin# backup-logs <backup-name> repository <repository-name> public-key date-from 2020-01-01
 % Creating log backup with timestamped filename: ise-support-bundle-<backup-name>-pk-yymmdd-hhmm.tar.gpg 
 date: invalid date ‘NOVAL next day’
 touch: invalid date format ‘0000’
 % supportbundle in progress: Copying database config files...10% completed
 % supportbundle in progress: Copying debug logs...20% completed
 % supportbundle in progress: Copying local logs...30% completed
 % supportbundle in progress: Copying core files...40% completed
 % supportbundle in progress: Copying monitor logs...40% completed
 % supportbundle in progress: Copying policy xml...50% completed
 % supportbundle in progress: Copying system logs...60% completed
 % supportbundle in progress: Moving support bundle to the repository...75% completed 
 % supportbundle in progress: Completing support bundle generation......100% completed

 

Encryption

In the Support Bundle - Encryption window, you can select:

  • Public Key Encryption

The Cisco PKI (Public Key Infrastructure) will be used to encrypt / decrypt the Support Bundle.

Cisco ISE uses the Public Key to encrypt the Support Bundle.

Cisco TAC used the Private Key to decrypt the Support Bundle.

Note: this is the recommended method to use with TAC because it assists with Cisco TAC Automation Tools, capable of generating information such as:

Support Bundle - TAC Automation Tools.png

 

  • Shared Key Encryption

The Support Bundle can be decrypted by anyone who has the Shared Key.

 

Cisco ISE 3.4 - New Features

Since ISE 3.4, the backup-log command has gained new options.

 

Pre-Cisco ISE 3.4

When the Support Bundle is generated via CLIALL options are automatically included (except Core and Heap Dumps) :

 

ise/admin# backup-logs <backup-name> repository <repository-name> {public-key | {encryption-key { hash | plain } <encryption-key name>}} ?
 Possible completions:
   | <cr>
 Include Core and Heap dumps? (YES/NO):

 

Cisco ISE 3.4+

When the Support Bundle is generated via CLI, it is possible to manually include the options (just like in the GUI) :

 

ise/admin# backup-logs <backup-name> repository <repository-name> {public-key | {encryption-key { hash | plain } <encryption-key name>}} ?
 Possible completions:
  core-files Include Core and Heap dumps
  date-from Start date for support bundle
  date-to End date for support bundle
  db-logs Include full configuration database
  debug-logs Include debug logs
  local-logs Include local logs
  mnt-report-logs Include monitoring and reporting logs
  policy-cache-logs Include policy cache logs
  policy-conf-logs Include policy configuration logs
  system-logs Include system logs
  | Output modifiers
  <cr>

 

Note: regarding Note from ISE 3.4 backup-logs it is important to highlight that since ISE 3.2 the write command was discontinued and the copy command was modified to no longer support the running-config and startup-config functions, take a look at ISE - write e which descontinuados.

CLI backup-logs Note.png

 

How to Decrypt the Support Bundle ?

There are several ways to decrypt the Support Bundle, when the Shared Secret Encryption option is selected, as follow:

 

Windows

Download and Install the software: GPG4Win.

Run the Kleopatra application, select the Decrypt/Verify option and enter the Shared Secret:

Kleopatra Decrypt Verify.png

 Kleopatra Decrypt Passphrase.png

 

After decrypting the Support Bundle, I recommend reading the README.txt file:

 

=============================================================================
ISE SUPPORT BUNDLE README.TXT
=============================================================================

The purpose of this README is to describe the contents of the support bundle 
as well as describe how to import the contents of the ISE database if it was 
included in the support bundle. This README is divided into the following 
sections:

SECTION 1....: CONTENTS OF ISE SUPPORT BUNDLE
SECTION 1.1..: DIRECTORY STRUCTURE
SECTION 1.2..: MAPPING OF SUPPORT BUNDLE CONTENT FROM OPTIONS CHOSEN ON ISE
ADMIN UI
SECTION 1.3..: MAPPING OF ISE COMPONENTS TO CORRESPONDING DEBUG LOGS
SECTION 1.4..: DESCRIPTION OF INDIVIDUAL LOG FILES
SECTION 2....: STEPS TO IMPORT ISE CONFIGURATION DATABASE

=============================================================================

...

 

Bugs

CSCwk07529 Support bundle stuck at 50% and goes to 0% with error as "Node not reachable"

CSCwk07529.png

 

References

Collect Support Bundle on the Identity Services Engine

Collect ISE Support Bundle Using ERS API

Troubleshoot and Enable Debugs on ISE

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents