In ISE (ise-3315) low reliability

Similar Messages

• ISE ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz fails

  Hi, folks.
  Anyone here who used "ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz" to upgrade his/hers ISE distributed deployment successfully ???
  I have tried it, using the procedure described in the Cisco ISE Upgrade Guide 1.2, it already fails at Step 1: Upgrading the secondary Administration Node first:
  - Data upgrade step 26/80, GuestUpgradeService(1.2.0.319)... Done in 0 seconds.
  - Data upgrade step 27/80, ProfilerUpgradeService(1.2.0.319)... Done in 6 seconds.
  - Data upgrade step 28/80, NetworkAccessUpgrade(1.2.0.326)... Done in 0 seconds.
  - Data upgrade step 29/80, GuestUpgradeService(1.2.0.341)... Done in 4 seconds.
  - Data upgrade step 30/80, NSFUpgradeService(1.2.0.344)... Done in 0 seconds.
  - Data upgrade step 31/80, RBACUpgradeService(1.2.0.344)... .Done in 96 seconds.
  - Data upgrade step 32/80, NSFUpgradeService(1.2.0.349)... Done in 0 seconds.
  - Data upgrade step 33/80, AuthzUpgradeService(1.2.0.351)... Done in 0 seconds.
  - Data upgrade step 34/80, RegisterPostureTypes(1.2.0.363)... ..........................Failed.
  Rolling back the configuration database...
  Starting application after rollback...
  % Warning: Do the following steps to revert node to its pre-upgrade state.
  -Register this node back to old Primary
  error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
  % Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
  The running version is 1.1.4 with latest patch:
  Cisco Application Deployment Engine OS Release: 2.0
  ADE-OS Build Version: 2.0.4.120
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2011 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: ise-worf
  Version information of installed applications
  Cisco Identity Services Engine
  Version      : 1.1.4.218
  Build Date   : Wed Apr 10 22:20:22 2013
  Install Date : Fri May  3 19:16:05 2013
  Cisco Identity Services Engine Patch
  Version      : 1
  Install Date : Wed May 29 08:16:58 2013
  Cisco Identity Services Engine Patch
  Version      : 2
  Install Date : Mon Jun 10 05:29:21 2013
  Cisco Identity Services Engine Patch
  Version      : 3
  Install Date : Wed Jul 17 08:45:02 2013  
  The script tells me to check the logs ... but for what ??? Local log file (sh logg) is packed with errors (java, eap, cert ...) .......
  Contacting TAC for support is no option, because this is a test deployment only .....
  The same thing also happens, when I switch both Admin nodes (switch the primary to secondary) and try to upgrade the "new" secondary ..
  Any ideas ???

  Frank,
  There is a known defect CSCui58123 for this issue and here is the workaround to fix this issue and upgrade to go smooth.
  In the below patch please check your requirement policy's conditions and set the valid condition for the policy which has "Select Conditions" option as shown below.
  Policy > Policy Elements > Results > Posture > Requirements
  The requirement policy has a condition that is not set.  Shows "Select Conditions"
  Even if you do a fresh install and restore the ISE 1.1.4 backup to ISE 1.2 you are prone to hit this issue. As this is related to data , the upgrade model of the data is one and the same when you restore the ISE 1.1.4 data backup to ISE 1.2 and when you trigger the upgrade on ISE 1.1.4.

• ISE - ISE-1.3.0.876-eval-2.ova login and password

  I downloaded the following ova file, but couldn't find any documentation for login and password.
  ISE-1.3.0.876-eval-2.ova
  - login and password
  Any help will be greatly appreciated. Thanks,

  It's an ova file. When I run it, it shows already installed and asks for a login and password. As mentioned in the download site, it is an evaluation installation for 100 devices. 
  I could not find any document on this file - ISE-1.3.0.876-eval-2.ova.
  Please let me know, if there is any document that provide a login and password for this ova pre-installed software.

• IMac having very low reliability with Hard Drive

  Hi, I recently had to replace the hard drive in my Early 2008 iMac. I replaced it with a 2 TB Seagate (pretty reliable) but my computer has been stuttering lately. It'll be fine for a couple days, and then it will just die (not permanently, just until I reboot).
  Anyway, I was trying to save a document, and Pages froze with a spinning wheel after I clicked "save as." I was ultimately forced to force quit and lose my document. I then went to search activity monitor in spotlight, but it froze too. I went through stacks to get to activity monitor, and it froze too when I went to look at disk activity. Mail also froze and forced me to quit it. Only after a hard shutdown (as it got stuck trying to shut down) did my computer go back to normal.
  Today, this happened again, and I'm becoming worried that I'm going to have to buy a new computer. I'm going to verify the disk tonight to look for problems, but I was wondering if you all could diagnose the problem.
  Thank You!
  On a side note: Mail has been unable to send any emails, and I've had trouble with some servers. I've had to redo them and they've worked, but at this time I can't send messages through mail on ANY outgoing server I have (multiple email addresses too).

  The HDD corruption is a symptom. It's caused by the iMac locking up and having to be booted. When mine locks, the HDD runs constantly while the screen is frozen or a solid color. I'm forced to power it off.
  Unfortunately, you are in the same boat as many others, and your issues are heat related. For me it was the HDD, then burn marks on the LCD, then GPU failures and now OS X is just unusable.
  I am able to run Windows through bootcamp since my GPU recovers in Windows but not OS X. I have the fans cranked to 6000rpm and it gets to 150 - 170 degrees then things get weird. Screen flashing, spinning beach ball, solid colors, graphic distortion.
  I've cleaned the vents, and fans and confirmed air flow. Be sure to try and keep your temps under control and check with Apple Store and let me know how it goes. I think mine is a goner.

• ISE 1.1.1.268 server not running

  Hi Folks,
  I have a old ISE appliance 3315, ISE application server is not running even after restart of ISE. ISE ver is 1.1.1.268 
  Not able to access this appliance through web also.
  Can anyone advise if I can upgarde this ISE directly to 1.2 through bootable DVD? Or do I need to upgrade this with latest patch?

  you can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
      Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
      Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
      Cisco ISE, Release 1.1.2, with the latest patch applied
      Cisco ISE, Release 1.1.3, with the latest patch applied
      Cisco ISE, Release 1.1.4, with the latest patch applied
  Upgrade Roadmap
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/upgrade_guide/b_ise_upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID7

• ISE Initial Configuration issue.....

  Do some body knows how is the default behaivior of the ISE device???
  I have to install and deploy a Wireless BYOD Environment, we unpacked the equipment and started to configure with the CLI Setup wizard, we the ip address, mask, etc etc, the ISE showed that the configuration was applied, started running and appeared a line where we have to add a database password with some specifications, here is where the problem started, because we couldn´t make the ISE to accpet thr password, we tried with upper case, lower case,number and at least 11 characters, but the ISE always shows us an error, we can´t add the password.
  After that we powered off the ISE and the device started, when we are promted in the CLI system and check the status of the ISE everything is down, when we try to start the ISE the system by itself shows an error saying that the system couldn´t start, and when we try to go to the ISE by GUI or browser we can´t, we can´t open the ISE any way.
  Do somebody have some experience about this device, do we have to install any additional software, or any license, or what can we do to solve this issue??
  Thank you very much.
  BEST REGARDS.     

  Hi Scott, thank you for your answer.
  Here the problem is that the ISE services are not running since the beginning and when we try to start them from the CLI the ISE sends an error.
  There´s a time in the confiiguration process at the end, that you have to add a database admin password, we can´t add this password, the system doesn´t accept any password, i don´t know if this password is neccesary to startup the ISE application.
  THANKS.
  ISE-WIRELESS/admin# show application status ise
  ISE Database listener is not running
  ISE Application Server process is not running.
  ISE M&T Session Database is not running.
  ISE M&T Log Collector is not running.
  ISE M&T Log Processor is not running.
  ISE M&T Alert Process is not running.
  ISE-WIRELESS/admin# application start ise
  % Application failed to start
  ISE-WIRELESS/admin#
  Enter new database admin password:
  % Password should start with an alphabet.
  % Password does not meet minimum length requirement of 11 characters.
  % Password must contain at least one digit.
  % Password must contain at least one lower case letter.
  % Password must contain at least upper case letter.
  Enter new database admin password:
  % Password should start with an alphabet.
  % Password does not meet minimum length requirement of 11 characters.
  % Password must contain at least one digit.
  % Password must contain at least one lower case letter.
  % Password must contain at least upper case letter.

• Client Exclusion Policies on WLC not working with ISE as RADIUS Server

  Hi,
  for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
  Am I missing any settings here or do you have some tipps on how to troubleshoot this?
  Thanks very much!

  Hi Renata,
  If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
  If your Guest WLAN has the following:
  SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
  I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
  You can try and dull the noise a few ways.
  Option 1. create and ISE log filter on those alerts so they don't cluter the console.
  Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
  Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
  Option 4 - both 2 and 3
  The most effective option would be 3.
  Good Luck!

• WLC to ISE authentication for Guest

  Hi Experts,
  Hope if you could guide me with our setup for Guest users. Below is what we are doing
  a)     Guest connects to SSID
  b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
  c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
  The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
  'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
  Appreciate your help

  The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
  Please follow below guide for step by step configuration:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE 1.3 / WLC 8.x + Server 2012 R2

  Hi All,
  Just wondering if anyone has seen this issue and if so – a solution or any advice would be great!
  Scenario.
  ISE 1.3 is connected to Server 2012(R2) AD – and this is showing as connected and all tests are successful.
  ISE is Connected to WLC 8.x  (Tests on attachment showing succesfull)
  The permissions of the service account I used for ISE to link in with AD – "domain admin" and also tried  "domain users" (using domain users now) and we can see AD security groups etc
  - WLC is succesfully connected to ISE
  SSID "Test" is configured to send to AAA - ISE
  ISE has a policy that permits "domain users" on the network.for web authentication
  Issue I am experiencing is when I connect to the SSID I get prompted for a login - this is my domain account it’s looking for
  (my account is a member of domain users only)
  ===============================================
  I get a message on BYOD Portal   (SEE ATTACHED SCREENSHOTS)
   “Unable to obtain the user information needed for network access. Try again”
  ===============================================
  If I use an account that has domain admin rights – everything works fine every time??  and I can start the process of registering my device on the network??
  I would like to rule out AD if i can. (Win Server 2012 R2) -
  everything looks ok from ISE as we can see AD groups etc when you select "retrieve AD groups"  - i can see all built in groups etc ....
  We get authenticated fine -  the issue appears to be in the web-redirect and it seems like you need to be a domain admin for us to get the correct registration page.
  Any help would be great
  Thanks
  James

  HI David
  Many thanks for your response.
  Yeah I have tried different users and also on ISE different groups and cross checked the SID on ISE groups to the SID on the AD group and seems both match.
  My colleague is doing the ISE part and I am doing the Windows 2012R2 part and all looks ok – the service account seems to be testing out fine when running tests on ISE and displaying groups etc when I "retrieve groups from AD" (from ISE)
  The finger at this time seems to be pointing at my AD …due to the domain admin accounts working and domain users not (I know these are both domain users but as my colleague is the “boss” I just need to make sure 110% that there is no special requirements that I need to add to the computer account & or the user account
  From the Cisco doc’s the service account just needs to be a domain user to read AD but is there anything special with the ISE computer account? – At this time the ISE computer account is in the default computer OU and the ISE service account is in the.
  After removing and re-adding and double checking the groups (External Identity Stores > Groups) both SIDs match on both domain users group
  When I connect to the SSID I initially get prompted for a username and password then –
  The BYOD Portal splash page just says BYOD Welcome “Unable to obtain the user information needed for access. Try again. (If I use a standard user account member of “domain users” only BUT if I use my domain admin account when joining the SSID (member of domain users + domain admin) I can start the process or registering my device and I can proceed through the required steps 1,2,3,4 until I access the web
  Standard “domain user” I can’t get by step 1 as I get the “Unable to obtain the user information needed for access. Try again” message
  The boss says this SSID is stripped back to just domain users and asks the question why does domain admins work??  - Hence Server AD getting a finger pointed at it.
  Regards
  James
  I have uploaded some picts that may assist & thanks again.

• ISE 1.1.1 firewall rules distributed deployment

  My question is in reference to the following link:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
  Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell
  My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?
  I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

  Try this for size.
  In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
  You might be able to cut this list down, and you might have to add to it for any specific requirements.
  From PSN to AD (potentially all AD nodes):
  TCP 389, 3268, 445, 88, 464
  UDP 389, 3268
  From PSN to Monitoring nodes:
  TCP 443
  UDP 20514
  PSN to Admin Nodes (2Way):
  TCP 443, 1521
  ICMP echo and reply (heartbeat)
  WLC to PSN:
  TCP 443, 8443, 80, 8080
  UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
  PSN to other PSN’s (2 way)
  UDP 30514, 45588, 45990
  Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)
  TCP 8443, 8905
  UDP 8905
  Admin/Sponsor to all ISE nodes:
  TCP 22, 80, 443, 8080, 8443
  UDP 161
  PSN access to DNS servers:
  TCP/UDP 53
  PSN access to NTP servers:
  UDP 123

• How does ISE choose which IP to put in URL redirect response?

  Hello,
  does anyone know how does ISE choose which IP to put in URL redirect response if it has more than one interface with an IP address and all interfaces are enabled in the portal configuration?
  I have a single ISE 1.3 PSN with all four interfaces configured, enabled, each on unique VLAN, and each with unique IP address.
  In the CWA portal configuration, all four interfaces are enabled.
  Wired clients connect to NAD, NAD sends RADIUS request to ISE, ISE responds with a RADIUS response including the URL-Redirect parameter which specifies the web redirect URL. ISE configuration uses "ip:port" in the URL. 
  My question is how does ISE choose which of its four interfaces to put in this URL? Is it always the same interface that RADIUS packets were received on? Or does it always choose the first portal enabled interface? Or is there another logic? Configurable or unconfigurable?
  Thanks!

  ISE uses the first interface enabled for that portal, so if want to use a specific interface, then only enable that interface.  If interface is GE0, then default behavior is to redirect with ip value set to node's FQDN.  If interface other than GE0, then default behavior is to return the IP address of the associated interface. 
  Aliases can be configured for each interface using the CLI 'ip host' command to associate a hostname/FQDN to the IP address of a given interface.  When configured, ISE will return that value rather than IP address in redirect.  This is critical if want to avoid certificate trust warning on connecting clients.
  Be sure that certificate assigned to interface includes the correct FQDN or optionally wilcard value in the CN or SAN fields to avoid cert warnings.

• ISE DashBoard Access issue

  Hi,
  I am running distributed deployment with mutiple PSNs,MONs & Admin Nodes are deployed.I was verifying crtical vlan access and radius server dead critera and a test case scenrios to reboot/power off the devices for sometime and trun them on back and verify the service. But after devices came up i lost dashboard access There is no more GUI access though I am still able to access all the devices through CLI.
  Could you please help me to identify the issue.
  follwoing output for the referance.
  isea001/admin# show application status ise
  ISE Database listener is running, PID: 4947
  ISE Database is running, number of processes: 29
  ISE Application Server process is not running.
  ISE Profiler DB is running, PID: 6173
  ISE M&T Session Database is not running.
  ISE M&T Log Collector is not running.
  ISE M&T Log Processor is not running.
  isem001/admin# show application status ise
  ISE Database listener is running, PID: 4952
  ISE Database is running, number of processes: 23
  ISE Application Server process is not running.
  ISE Profiler DB is running, PID: 6131
  ISE M&T Session Database is running, PID: 4646
  ISE M&T Log Collector is running, PID: 6625
  ISE M&T Log Processor is not running.
  isep001/admin# show application status ise
  ISE Database listener is running, PID: 4955
  ISE Database is running, number of processes: 23
  ISE Application Server process is not running.
  ISE Profiler DB is running, PID: 6215
  ISE M&T Session Database is not running.
  ISE M&T Log Collector is not running.
  ISE M&T Log Processor is not running.
  isep002/admin# show application status ise
  ISE Database listener is running, PID: 4953
  ISE Database is running, number of processes: 23
  ISE Application Server process is not running.
  ISE Profiler DB is running, PID: 6171
  ISE M&T Session Database is not running.
  ISE M&T Log Collector is not running.
  ISE M&T Log Processor is not running.

  Hi Neno, the BuG ID # CSCuo68012 

• Cisco ISE 1.1.4 Error Code 500

  Hello,
  I just installed the evaluation of Cisco ISE 1.1.4 on ESXi 5.1.
  My EXSi config is this:
  4GB RAM, 80GB HDD, 2 cores, Redhat 5 32bit
  I was able to install it with no problem, but when I tried to login using the web GUI, I am getting an error message stating:
  Internal Error
  Error Code 500.
  I am able to login using the console and SSH. I already set the correct timezone for both ISE and my computer.  I also tried different browsers, but I am still getting the same error and can't login at all via GUI.
  Any help would be greatly appreciated.
  Thanks

  Here is my show application status ise output
  KA-ISE/admin# show application status ise
  ISE Database listener is running, PID: 3960
  ISE Database is running, number of processes: 28
  ISE Application Server is still initializing.
  ISE M&T Session Database is running, PID: 3620
  ISE M&T Log Collector is running, PID: 5785
  ISE M&T Log Processor is running, PID: 6001
  ISE M&T Alert Process is running, PID: 5674
  % WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
  % RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 85 GB
  KA-ISE/admin#
  I have rebooted my ISE server, but I am still getting the same error message. Regarding the DNS, I have not set up my AD/DNS yet. But I am guessing I should be able to GUI to ISE server regardless of not having it connected to AD or DNS.

• Cisco ISE integration with SMS passcode Device

  HI Experts,
  i have a scenario where the requirement is to integrate the ISE device with SMSpasscode device which will trigger the OTP to the mobile devices 
  Currently i have my authentication configured to work with the AD 
  When my VPN users connects  its authenticates against AD and the users get the access . 
  Now as per the new requirement once the user is authenticate against AD ,  the user should be prompted for the OTP password send to the users  using SMS passcode device 
  Anyone had worked on similar requirement please help me to resolve the issue .
  Thanks in advance 
  Angus

  Hi all
  I am working exactly for a month on this topic with no success.
  I need to integrate VASCO OTP solution. But VASCO do not support any external authentication backend for virtual/SMS token. Only passcode or local authentication.
  I need to implement an external authentication against LDAP somewhere...
  Gunnar, do CISCO clearly says it is not able to participate to such setup?
  So, my need would be to be able to insert in the flow an authentication in ISE against the LDAP.
  The flow is:
  WebApplication send login+password (LDAP) to ISE
  ISE checks the credentials and if it is OK forward the request to VASCO
  VASCO does not check for password but generate the OTP and send it via SMS
  VASCO replies with a access-challenge
  ISE forward the challenge to Web Application
  WebApplication send login+OTP response to ISE
  ISE forward to VASCO
  VASCO checks for OTP and replies to ISE with accept
  ISE forward to Web Application
  User is logged in...
  All the flow is working if the user enters a passcode
  I would like to implement a Identity source sequences where the user is checked again all the entries not the first match
  First LDAP then VASCO...

• ISE 1.1 won't boot

  Powered down my ISE 1.1 server and booted it back up and now it won't start correctly.
  We have rebooted it multiple times and tried to manually start the services but no luck.  Any thoughts?
  ISE-1/admin# sh ap stat ise
  ISE Database listener is running, PID: 3356
  ISE Database is running, number of processes: 17
  ISE Application Server process is not running.
  ISE M&T Session Database is running, PID: 3013
  ISE M&T Log Collector is running, PID: 4485
  ISE M&T Log Processor is running, PID: 4594
  ISE M&T Alert Process is not running.

  It appears that the issue is with the code I am running.  Version 1.1.1.268 has this issue.  I backed up my data to an FTP server with the command
  backup backup-name repository repository-name application application-name encryption-key
  hash |plain encryption-key name
  Example 1
  ise/admin# configure termainal
  ise/admin(config)# repository myrepository
  ise/admin(config-Repository)# url ftp://starwars.test.com/repository/system1
  ise/admin(config-Repository)# user luke password skywalker
  ise/admin(config-Repository)# exit
  ise/admin(config)# exit
  ise/admin#
  then re-imaged the server.  
  Thanks