ISE bp tcpdump: unstoppable

Similar Messages

• Tcpdump doesn't work anymore in latest ISE ?

  ISE Version 1.2
  Patch 1 & Patch 2 installed.
  When i do a TCP dump in RAW format, Wireshark can't open the PCAP file ?? doh ??
  Dump of file shows it is in Text form, even when i specify "Raw format".
  Browser used: IE8
  >cat TCPdump.pcap | more
  10:34:40.435767 IP (tos 0x0, ttl  64, id 6848, offset 0, flags [DF], proto: TCP (6), length: 669) ise.https > xxxxxx.36152: P 22
  91174308:2291174937(629) ack 2847270850 win 60
  10:34:40.440341 IP (tos 0x0, ttl  64, id 37426, offset 0, flags [DF], proto: UDP (17), length: 71) ise.45102 > xxxxxxxm.
  domain:  39538+ PTR? 65.66.100.10.in-addr.arpa. (43)
  Anyone seen this also ?

  This is a known issue.  Patch 2 actually "broke" this functionality.  This is fixed in Patch 3
  CSCuj51094 - Captured TCPDump file is not working on Patch-2 Alpha
  120 patch 3 will be released towards end of this month.
  If you open the "raw" file in notepad, it's actually the human readable format.

• Logical Profiles in ISE 1.2

  I created a logical profiles group that is assigned with the Apple-ipad, Apple-iPhone and Apple-iDevice policies. Now ISE will not update the feed policies for the three devices. This is the message that I recieved from ISE when it does it Feed Polices update, I use the logical profiles group matching for authentication and authorization. Is there any way for me to update these feed polices? Thanks for the help!!
  Feed Version 1 policies downloaded.
  Total number of feed polices to apply are 3.
  Feed policies total 3 skipped.
  Feed policies warning message : Apple-Device has been changed by admin.
  Apple-Device:Apple-iDevice has been changed by admin.
  Apple-Device:Apple-iPad has been changed by admin.

  Hello Toua,
  Please Verify switch configuration for those network segments where endpoints are not being appropriately profiled to ensure that:
  •The required information to profile the endpoint is being sent to Cisco ISE for it to profile.
  •Probes are configured on the network Policy Service node entities.
  •Verify that packets are received at the Cisco ISE profiler module by running the tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General Tools > Tcpdump.
  Note If you are observing this issue with endpoints on a WAN collected by HTTP, Netflow, and NMAP, ensure that the endpoint IP address has been updated with a RADIUS/DHCP Probe before other attributes are updated using the above probes
  For more information, please visit the following link:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192504

• ISE 1.2 does not do HTTP profiling ???

  Hi, guys.
  Has anyone ISE 1.2 Patch 1 successfully enabled to do profiling using HTTP on a monitor session/span port ???
  I have tried the following:
  - DMZ switch, which holds a vlan where (only) the central proxy server resides
  - ESX 5.1 host, one nic connected to the DMZ switch
  - configured a virtual switch/network on this host, which uses the nic connected to the DMZ switch (enabled promiscious mode on the vswitch and network)
  - ISE 1.2 Patch 1 installed on the ESX host, two interfaces (Gig 0 and 1), Gig 1 connected to the vswitch and virtual network
  - configured virtual ISE to do http profiling on Gig 1
  Here are some shows:
  #sh moni
  Session 1
  Type                   : Local Session
  Source VLANs           :
      Both               : xx
  Destination Ports      : Gi2/0/48
      Encapsulation      : Native
            Ingress      : Disabled
  #sh run int gig2/0/48
  interface GigabitEthernet2/0/48
  description *** ISE Proxy SPAN Port
  switchport access vlan xx
  The span destination port shows lots of outgoing packets:
  #sh int gig2/0/48
  GigabitEthernet2/0/48 is up, line protocol is down (monitoring)
    Hardware is Gigabit Ethernet, address is 588d.0941.7130 (bia 588d.0941.7130)
    Description: *** ISE-Riker Proxy SPAN Port
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
       reliability 255/255, txload 10/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
    input flow-control is off, output flow-control is unsupported
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 00:22:36, output hang never
    Last clearing of "show interface" counters 03:03:20
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14352300
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 42962000 bits/sec, 13051 packets/sec
       33 packets input, 2436 bytes, 0 no buffer
       Received 33 broadcasts (18 multicasts)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 watchdog, 18 multicast, 0 pause input
       0 input packets with dribble condition detected
      223104868 packets output, 98731284385 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier, 0 PAUSE output
       0 output buffer failures, 0 output buffers swapped out
  But the interface on ISE hardly shows any incoming packets:
  # sh int gig 1
  GigabitEthernet 1
            Link encap:Ethernet  HWaddr 00:50:56:8D:4A:C1
            inet6 addr: fe80::250:56ff:fe8d:4ac1/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:3810 errors:0 dropped:0 overruns:0 frame:0
            TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:347928 (339.7 KiB)  TX bytes:936 (936.0 b)
            Interrupt:67 Base address:0x20a4
  I have tested if the vmware virtual network makes the packets disappear, therefore I have connected a windows virtual machine to the same network as ISE 
  Running Wireshark on this windows machine shows me LOOOOOTS of http packets on this virtual network, seem like the ISE nic just doesn't see them ......
  Any ideas ???
  Rgs
  Frank

  1. it is vm, right?    
  Yepp !!
  can you get netstat -i?
  Executed where ?? On the esx host ?? On the ise vm ??
  What do you expect to see ??
  2. Did you configure an ip for the span receive interface?
  No, why should this be necessary ?? (switchport, wireshark, etc. don't need an ip to capture
  packets on a promiscuous interface, even ISE 1.1.4 didn't need one on the http profiling interface .....)
  Configuration guide doesn't say so anyway ......
  if not, you must configure one to make it work.
  looks like you don't have one,,, pls configure one...
  Ok, ok ..., configured an ip address, checked the profiling attributes ...
  Result: did not make any difference ..... (tadaaaahhhhh !!!)
  tcpdump: WARNING: eth1: no IPv4 address assigned
  Right, but tcpdump shows dozens of live packets as they arrive live on ise, they are just not reflected in the "sh int gig 1" counters
  and furthermore not picked up by the application, that is why I would suspect a nic driver malfunction on the underlying linux os ......
  3. on vswitch make sure the port is in promiscuous mode.
  As I already mentioned before in this thread, it is.
  If the vmware virtual network inbetween ise and the non-virtual network would swallow the packets, why would "tech dumptcp 1" show anything at all ??
  (see screenshots above)
  Rgs
  Frank

• ISE Guest Activity Report not working (1.2.0.899)

  Recently I upgraded an ISE to 1.2.0.899. I found the Guest Activity Report is not working. Before the upgrade it was working properly (with the limitation of 5000 records by report). Nothing in the ASA was modified, but nothing is reported in the ISE; also I use the tcpdump integrated in the ISE to validate the syslog messages are arriving from the ASA to the ISE. I already enable the Passed Authentication logging category.
  Do I need to modify something else,to have the report?

  Hi
  Please make sure these steps has configured correctly:
  Step 1 Create an alarm, as described in Creating, Editing, and Deleting Alarm Schedules.
  Step 2  Specify a rule for Passed Authentication, Failed Authentications, or Authentication Inactivity for all users of                 type guest, as described in Creating and Assigning an Alarm Rule.
  Step 3 Calculate guest user activity by Monitoring Live Authentications.

• IOS Device-Sensor and ISE profiling not working

  Hello,
  I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.
  Switchconfig:
  device-sensor filter-list dhcp list dhcp-list
   option name host-name
  device-sensor filter-spec dhcp include list dhcp-list
  device-sensor accounting
  device-sensor notify all-changes
  Switch does DHCP-Snooping and "show device-sensor cache all" shows the DHCP name:
  Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
  Proto Type:Name                       Len Value
  DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                            38
  RADIUS probe on ISE is activated and TCPdump shows the accounting packets from the switch (see attachment).
  I configured a profiling rule ot check for DHCP-Hostname with "contains". This rule does not work however. The device is getting profiled with a MAC-OUI via RADIUS-probe but the DHCP-Profile is not working.
  Is this supposed to work?

  That is interesting. I haven't worked with the "Device Sensor" much so I am running out of ideas. I really thought the certainty level was going to fix your issue as I have had issues similar like yours in the past where the certainty level of my custom rule was the same as a default one so mine custom rule was never hit. . I thought this was the case with you since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being  l would still recommend keeping your custom conditions with higher certainty levels to avoid such situations.
  Couple of more things:
  1. What profiling probes do you have enabled?
  2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?
  3. Do you have the following commands entered on your switch:
  access-session template monitor
  no macro auto monitor
  device-sensor accounting
  device-sensor notify all-changes

• ISE TCP Dump not working?

  I have and Standalone installation running version 1.1.2.145. The feature of TCP Dump appears to not be working. Every time I open it indicates Status: Loading .... but nothing happen after serveral minutes ...
  If I click the Delete button a confirmation is requested but, an error is inmediately display.
  Does anyone have idea how to fix this issue?
  Regards
  Daniel Escalante

  In my research, I could only find that Inline posture node can't be chosen from GUI as a source for tcpdump utility.
  It generate the following meaningless error:
  Error: fault.faultCode
  Fault: fault.faultString
  Detail: fault.faultDetail
  If ISE is a VM, then make sure promiscuous mode is enabled on ESX for interface
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_mnt.html
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ISE - IOS bug!

  I am using a stange issue in my environment. I use ISE 1.2 fo as radius server for device management/authentication(Not NAC usage). I am having Cisco c6509E VSS as core device. The device was added to ISE and aaa auth was working fine. I changed IP address of switch during my DC migration. Since then AAA fail for thsi device. ISE report and TCPdump shows old IP. My wireshard capture(SPAN port) also showing old IP in packet header irrespective of radius source interface I use in switch. Debug (radius/aaa) output in switch showing the correct interface addres whcih I  use in 'ip radius source-interface'.
  Unfortunatly I am unable to restart switch as it is core device in a critical place. It looks like a stange IOS issue. Did any one faced this kind of issues? Please advise how to resolve without restart. Don't know why the switch is always using its old IP to frame radius packet.

  These have been virified. I tried difference source interfaces and even changed  MAC addresses of SVIs. I am sniffing interface of ISE appliance to capture radius packets. I wondering how C6509E switch can frame a IP packet with source address not belonging to it. MAC address belongs to the switch but source IP address not belonging to the switch(Its old IP address).

• Logical Profiles in ISE 1.2.1

  I´m having trouble understanding the Logical Profiles. 
  What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510
  for those to lazy to read: 
  You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.
  so I thought that meant that I can group Different Profiles (Apple Iphone, Ipad, Ipod) together into a logical group e.g. "BYOD_Idevice" and use this logical profile in the Authorization. 
  But I can´t choose this freshly created Logical Group in the Authorization Condition. As for the fact, I can´t choose this logical group ANYWHERE. 
  Leaning back and thinking about it - it somehow makes sense. In the Authorization, you don´t pick Profiles, you choose Identity endpoints. So whats the point about the logical profiles? I was hoping to clean/lean up my authorization rules with them. But for what would I use them else? 
  Or is this a bug in ise 1.2.1? Not sure if I should call tac about this, or if I´m just not getting it :D
  Thanks alot for your help!  

  Nice username! :)
  So yes, you are correct, the logical profiles would allow you to group different type of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile
  Hope this helps!
  Thank you for rating helpful posts!

• Can't install the software for the Brother MFC-9440CN because it is not currently available from the Software Update server....how do I get the driver then..it ised to work in my old mac..but cant print to it in my new unit

  Can't install the software for the Brother MFC-9440CN because it is not currently available from the Software Update server....how do I get the driver then..it ised to work in my old mac..but cant print to it in my new unit

  Download the Brother Mountain Lion drivers here.

• Caching credentials for webauth in ISE 1.2?

  We are providing internet access through a Guest portal. The portal is provided by the ISE through webauth and the user is created through the ISE Sponsor Portal.
  When an account is created and the enduser logs in to it, I would like for the ISE to cache the credentials for that user for a period of time; at least 1 or more days before it prompts them to log back in again. Right now, if a user disconnects for a short period and then goes to reconnet, it prompts for the username/password again.
  Where (and how) in the ISE do you configure that?
  Thank you.                  

  Thanks for the quick reply Charles. I am reading through the details of it now.
  It looks like DRW basically registers the MAC of a connecting device in an identity store and then allows that device to connect. Does it still match the MAC to a guest user so that we can set time profiles against it and does it expire like the guest accounts do?
  Any ETA on the release of ISE 1.3?

• Intermittent AD Authentication failures in ISE 1.2

            Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
  Thanks
  Jef

  Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
  When you say Multicast to you AD...how did you check that? We do use multicast.

• Double lookup possible in ISE 1.2 ?

  I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.
  I managed to do that. If not "RegisteredDevice" then redirect to a portal where users can login with AD account and register there devices.
  After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.
  The ISE database contains an endpoint profile and this profile contains the propertie "BYODRegistration" = yes and "PortalUser" = the AD account xxx@ADdomain.
  Now i want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.
  I wonder if it is possible to do the following:
  MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> Query AD for this user, get property "UserAccountControl". Based on this property, i can determine if account is still active. If yes -> allow access. If not -> refuse access, even if device is in "RegisteredDevices".
  When i troubleshoot however, i notice that -when using MAB- ISE is trying the MAC address as username against AD and gets returned: "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of MAC address ?
  [NOTE: i am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, i want to prevent pushing anything to the clients.......]

  Too bad.
  I wish Cisco had implemented a property like this: RegisteredDevices:PortalUser:IdentityAccessRestricted
  (i am assuming PortalUser is an AD account here). Maybe a PER can help.....

• Max authz rules in ISE 1.2 ?

  Hi All,
  Is there any doco on what the current limit is on Auth Z rules in ISE 1.2
  I have read 1.1.x had a limit of 140 authz rules.
  I am also considering using policy sets if that increases the total authZ rules.
  Cheers

  Peter,
  Here are the numbers for both 1.1.x and 1.2.  Hope this helps.
  * ISE 1.1.x
  # ISE 1.2
  Authentication Policy Rules
  * 50
  # 400
  Conditions Per AuthC Policy Rule
  * 3
  # 8
  Authorization Policy Rules
  *140
  # 600
  Authorization Identity Groups
  * 20
  # 1000
  Conditions per AuthZ Policy Rule
  *6
  # 8
  Authorization Profiles
  * 30
  # 600
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Bug CSCup27305 in ISE 1.2.1.198 patch3

  Hi guys,
  I´m hitting bug CSCup27305 in version ISE 1.2.1.198 patch3 but cant find a fix version.
  Do you know what version can be applied, so DACL can start with permit IP Host 2.2.2.2 Host 1.1.1.1 = is NOT ok!
  Thanks a lot for your help.
  Erick Flamenco

  It is not resolved in any shipping version and will currently be in first release that ships post 1.3
  Note that this issue impacts DACL validator functionality in that does not detect the invalid DACL as it should but does not impact any end to end functionality and so may not get priortized for any earlier patch