Change TTL for IP-to-username mappings from ISE-PIC on WSA

Scott123
Level 1

I am trying to change the TTL on username-to-IP mappings learnt from ISE-PIC on Web Security Appliance (software version 14.5.1-016) from the default 6 hours to 1 hour. This can be seen by issuing the command "isedata > cache > show", selecting an IP of a user IP mapping and then "checkip <IP>".


I cannot find a setting for it in the web interface and suspect it is set in the following section of the "showconfig" output:
  <ise_service>
    <ise_service_ise_user_timeout>6</ise_service_ise_user_timeout>
  </ise_service>

So, I wonder if the TTL can be changed by the following method or if there is a better way:
1. export the output of "showconfig"
2. change "<ise_service_ise_user_timeout>6</ise_service_ise_user_timeout>" to "<ise_service_ise_user_timeout>1</ise_service_ise_user_timeout>"
3. upload the new config and restart the ISE-PIC vm

2 Replies

You can actually save the config file locally via the GUI, edit it, upload it via FTP, and load it. Safer than trying to capture a showconfig. I suspect that there is a CLI command for it. I couldn't find it, but someone might know, or you could open a ticket.

You wouldn't need to bounce ISE-PIC.

amojarra
Cisco Employee

Hello @Scott123

If you want to modify the cached timeout, you can use the ISECONFIG command in the CLI:

iseconfig
Displays current ISE configuration parameters; specify an ISE configuration operation to perform:
ISE RECONCILIATION TIME SETUP—Configure ISE reconciliation time setup. To restart the ised process
automatically, set the time in the HH::MM format within 24 hours of ISE configuration. After a restart, the
bulk download takes place.
Choose the operation you want to perform:
- Schedule ISE Restart Time in HH:MM format.
- Modify cache timeout for ISE users. Specify a timeout value in hours, upto 24 hours
By default, the value for option 1 is 00:00 mid-night.

As Ken mentioned, if you need to edit the configuration file,

please generate a backup with encrypted passwords from GUI > System Administration > Configuration File,

download the .XML file, edit and then import it.

Side note: If you are using SMA, you can upload the edited configuration file to Configuration Master, and publish this to other WSAs.

Regards,

Amirhossein Mojarrad

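The export, edit and import route discussed in this thread touches a full appliance configuration, so the edit should change one value and nothing else. The following is an added example, not code from the thread or from Cisco: it rewrites only `ise_service_ise_user_timeout`, enforces the 24-hour ceiling quoted from `iseconfig`, and reports which lines differ before upload. The lower bound of 1, the function names and the sample config (apart from the `<ise_service>` block) are assumptions.

```python
import re

# Element name and the 24-hour ceiling come from the thread; the rest is assumed.
TAG = "ise_service_ise_user_timeout"
PATTERN = re.compile(r"(<%s>)(\d+)(</%s>)" % (TAG, TAG))


def set_ise_user_timeout(config_text, hours):
    """Return (new_text, old_hours) with only the timeout value changed."""
    # Lower bound of 1 is an assumption; the thread only states "up to 24 hours".
    if not isinstance(hours, int) or isinstance(hours, bool) or not 1 <= hours <= 24:
        raise ValueError("timeout must be a whole number of hours from 1 to 24")
    matches = PATTERN.findall(config_text)
    # Refuse to guess if the element is missing or duplicated.
    if len(matches) != 1:
        raise ValueError("expected exactly one <%s>, found %d" % (TAG, len(matches)))
    old_hours = int(matches[0][1])
    # Text-level substitution keeps the XML declaration, comments and whitespace intact.
    new_text = PATTERN.sub(lambda m: m.group(1) + str(hours) + m.group(3), config_text)
    return new_text, old_hours


def changed_lines(before, after):
    """List (line_number, old, new) for each differing line, as a pre-upload check."""
    b, a = before.splitlines(), after.splitlines()
    if len(b) != len(a):
        raise ValueError("line count changed; do not upload this file")
    return [(i, x, y) for i, (x, y) in enumerate(zip(b, a), 1) if x != y]


# Constructed sample standing in for an exported config file.
# Only the <ise_service> block is taken from the thread.
SAMPLE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<config>
  <hostname>wsa.example.invalid</hostname>
  <ise_service>
    <ise_service_ise_user_timeout>6</ise_service_ise_user_timeout>
  </ise_service>
</config>
"""

if __name__ == "__main__":
    edited, old = set_ise_user_timeout(SAMPLE, 1)
    print("previous timeout (hours):", old)
    for number, was, now in changed_lines(SAMPLE, edited):
        print("line %d: %s -> %s" % (number, was.strip(), now.strip()))
```

Run it against a copy of the exported file and keep the untouched export for rollback.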