ISE High availability issue

Hi,
There is a replication issue between the primary and standby ISE nodes. Once I checked the logs on both nodes, the certificate was expired. There is a self-signed certificate installed on both devices.
Can anybody advise me how I can renew the self-signed certificate on both devices, so HA will work fine?
Thanks

Step 7 To renew your self-signed certificate, check the Renew Self Signed Certificate check box and enter the expiration Time to Live (TTL) in days, weeks, months, or years.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_cert.html#wp1077907
~BR
Jatin Katyal

Similar Messages

  • High Watermark issue with monitoring Service Manager 2012 R2

    Hi,
    Our customer has a Service Manager / Operations Manager 2012 R2 environment where SCOM will regularly generate an alarm related to High Watermark monitoring on the Service Manager data warehouse - not every day though. The alarm looks like this:
    Value of 3559 is not higher than 3559
    This value hasn't changed for weeks.
    Having done a lot of searching we have found nothing but reference to the same recurring flow of information where people keep mentioning different values but there is no conclusion of what this might be caused by and how to solve it. The solutions
    have become outdated anyway. Here is one example:
    http://social.technet.microsoft.com/forums/systemcenter/en-US/889af8f3-cdf8-4d88-ae99-5dbe18d529ef/service-manager-2012-data-warehouse-high-watermark-monitor
    The Service Manager Database Account in SCOM is our service account that has sysadmin in SQL. Basically, with regards to the security configuration, our customer should be covered.
    To my knowledge agent-based and agentless monitoring have both been supported since SCSM 2012 SP1. Also, we have the latest management pack for Service Manager monitoring in SCOM, at the moment this should be
    7.5.3079.0.
    As mentioned above the value has not been changing for quite some time and nor has it in the database.
    My questions are the following:
    - Is there anyone that has found a solution in the meantime, especially with regards to R2?
    - What is the purpose of High Watermark monitoring for the data warehouse? Why does this need to be monitored?
    - We would like to understand the nature of this value better. Should it be higher each day compared to the day before?
    - Could it just be overridden in SCOM?
    Many thanks in advance!

    Rather unexpectedly, the SCOM alarm disappeared overnight and when checking the workflow in the incident that was generated from the alarm, the incident got a Resolved status right before midnight at 23:59:58. We have a ConfigMgr connector that is scheduled
    to run at 23:00 which we had disabled a day ago to check something else. But I don't think it had anything to do with this. As the alarm has disappeared from the SCOM console, we have also checked the registry values. Now, instead of "3559 3559 3559"
    it says "3559 3559 3585". We have had the 3559 value since 18th July, and all of a sudden something must have been triggered, causing the value to increase. What was triggered and how, no idea... Not sure either what it means that only one of the
    three numbers has been updated with a new value. When talking about the DW jobs, using the SMlets we can see every day that MPSync, DWMaintenance and the ETL jobs are working well. What we have had though for a longer time is that the cube processing
    tends to have issues once a week, where processing won't finish and the cubes get hanging in a running state. We can fix that manually every time and often we don't even have to touch DWMaintenance or the ETL jobs, we don't need to go beyond manually
    working with the cube processing jobs themselves. So it might not have an impact on the ETL jobs themselves. Occasionally we do find ourselves in a situation where we need to play around in the SQL database and manually set the required value (can't
    recall if it's 3, 6 or 7) cause we get an error in the DWMaintenance batch, but even though that's an occasional issue it's not constant and also something we can solve, and furthermore it's another known issue outside of the high watermark issue. So
    we are a bit uncertain but can at least see that something works sometimes that sometimes increases the high watermark value :). In our case.

  • Intermittent high ping issues

    I've been having occasional high ping issues for quite a while now. They come and go at irregular times, and I'm not sure how to resolve this. Other computers on the network are showing similar latency.
    A traceroute to Google's public DNS:
    Traceroute to (8.8.8.8)
    1 L100.LSANCA-DSL-23.verizon-gni.net (71.104.144.1) 1644 ms 1088 ms 1346 ms
    2 G10-2-2823.LSANCA-LCR-08.verizon-gni.net (130.81.45.208) 886 ms 1118 ms 716 ms
    3 so-7-0-1-0.LAX01-BB-RTR2.verizon-gni.net (130.81.29.142) 1352 ms 1096 ms 1366 ms
    4 0.so-2-2-0.XL4.LAX15.ALTER.NET (152.63.10.121) 1026 ms 1432 ms 1246 ms
    5 0.so-1-0-0.XT2.NYC4.ALTER.NET (152.63.64.126) 550 ms 792 ms 590 ms
    6 TenGigE0-7-0-0.GW8.NYC4.ALTER.NET (152.63.22.45) 846 ms 884 ms 312 ms
    7 Internet-gw.customer.alter.net (152.179.72.66) 134 ms 180 ms 444 ms
    8 * (72.14.238.232) 274 ms 94 ms 712 ms
    9 * (209.85.252.2) 530 ms 1114 ms 1276 ms
    10 * (72.14.239.93) 1294 ms 1406 ms 1418 ms
    11 * (72.14.236.200) 1586 ms 690 ms 106 ms
    12 * (216.239.49.145) 106 ms 108 ms 354 ms
    13 google-public-dns-a.google.com (8.8.8.8) 296 ms 104 ms 148 ms
    Transceiver statistics:
    Transceiver Revision: 7.2.3.0
    Vendor ID Code: 4
    Line Mode: G.DMT Mode
    Data Path: Interleaved
    Transceiver Information    Downstream Path    Upstream Path
    DSL Speed (Kbits/Sec)      3360               736
    Margin (dB)                13.5               10.0
    Line Attenuation (dB)      55.0               31.0
    Transmit Power (dBm)       17.8               11.8

    #1 Visit http://www.giganews.com/line_info.html and post up the Traceroute the page shows, if you wish. Be aware that the final hop (bottom-most line of the trace) will contain a hop with your IP address in it. Remove that line. What I'm looking for is a line that mentions "ERX" in its name towards the end. If for some reason the trace does not complete (two lines full of Stars), keep the trace route intact.
    #2 Have you tried connecting your modem to the NID ?
    I point to http://www.dslreports.com/faq/1317
    #3 What is the brand and model of this DSL modem?
    #4 If you have a RJ-45 WAN port router: What is the brand and model of it?

  • High latency issue of an evening whilst gaming.

    Hiya`s Peeps, Having recently switched to BT from Virgin (this being only my third day as a customer) as the VM service for gaming in my area (Sth Manchester) on their 50mb package was simply not viable due to over utilisation issues, I now find myself experiencing high latency issues with my BT service.
    All three evenings have been lost to me as my in game latency (World of Warcraft) has risen up to 3500ms with occasional disconnections.
    Also strange was that after the BB was first switched on I had a consistent in-game latency of 24ms home and 24ms world, this lasted around 8 hours until I experienced my first lag spike, I was disconnected and when I eventually was able to get back in game, some 20 minutes or so later, my home and world latency had changed to 42/45 (still playable) but every 10 to 15 minutes the world latency would again rise to around 3k and above and I would again be disconnected from the server.
    I do apologise for the lack of any technical detail within this post as I simply do not understand such and struggle terribly with it, I am very happy with both my speed and ping tests, both being excellent in comparison to that that I would see when using the VM service. 
    What I am after I guess is advice from the community on how to get the best from BT bb for playing my online game, this connection is only used for World of Warcraft and very light reading on the www, I do not have a phone connected to this line and use no wireless connections with it at all, this PC (hard wired) is the only contraption connected.
    Any help and advice will be greatly appreciated, Thank you
    Les

    Welcome to the forum.
    There is a 10 day training period after your connection is activated during which time you need to leave the router connected with no manual resets. The router may reset (often) during training but that is normal as the equipment in the exchange tries to find the best stable connection for your line.
    After the training period is complete and you have a stable connection then you can get the latency changed to 'fast' if your latency is 'interleaved'. Changing to fast can make your line less stable than interleaved but it is the choice of gamers.

  • ISE installation - reimaging issue

    Hi,
    Today I was installing ISE on 3355 appliances that will run all services (standalone). When installation completed I was not able to log in to the CLI. I think the keyboard I used had an issue (typed an extra character or something). This was a pre-loaded OS.
    I downloaded (ise-ipep-1.2.0-899.i386.iso) and tried password recovery, booting the appliance with (ise-ipep-1.2.0-899.i386.iso). After changing the password I saved configs and tried logging in using the new password. But I could not log in again.
    Then I tried to re-install ISE using (ise-ipep-1.2.0-899.i386.iso). After the installation was completed, I entered the setup command and an error popped up on the screen: "input/output errors occured while installation".
    Question 1: Is the following iso only for a posture node installation or I could use this for ISE standalone deployment?
    ise-ipep-1.2.0-899.i386.iso
    Cisco Identity Services Engine Software Version 1.2.0 full  installation (IPN functionality only). This ISO file can be used for  installing ISE IPN (Inline Posture Node) on ISE-33x5 and NAC-33x5  Appliances, SNS-3415 server and CSACS-1121.
    Question:2 What could have caused "input/output errors occured while installation". And how should I proceed with the installation?
    I am in really bad situation, your help and support will be highly appreciated.
    Regards

    Hi Ravi, Thanks for the reply but my questions were following..
    Question 1: Is the following iso only for a posture node installation or I could use this for ISE standalone deployment?
    Can I use this ise-ipep-1.2.0-899.i386.iso for fresh installation on 3355 appliance?
    Question:2 What could have caused "input/output errors occured while  installation". And how should I proceed with the installation?
    Answer: Download the latest version 1.2 and check the MD5 checksum.

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
         There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
    This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
    The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
    Initially authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.  
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with Microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ISE and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
    If this does not work, try to import the CA into another system and export it, then import into ISE.
    Regards,
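
The openssl check mentioned in the reply above, together with the expiry check relevant to the expired self-signed certificate in the first thread, as an added example that is not part of any post on this page. It runs only against throwaway certificates it generates itself; the function names, file names and the 2-day threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Every certificate here is constructed test data, not an ISE export.

# Print PEM, DER or UNKNOWN. A file that carries the PEM marker but does not
# parse (truncated or mangled export) is reported as UNKNOWN.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM -noout 2>/dev/null && echo PEM || echo UNKNOWN
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # 0x30 is the ASN.1 SEQUENCE tag that starts a DER certificate.
        openssl x509 -in "$1" -inform DER -noout 2>/dev/null && echo DER || echo UNKNOWN
    else
        echo UNKNOWN
    fi
}

# chain_ok CAFILE LEAF: succeeds only if LEAF (PEM) verifies against CAFILE (PEM).
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# expires_within FILE SECONDS: succeeds if the certificate expires within
# SECONDS from now (or has already expired). Returns 2 for unparseable files.
expires_within() {
    _fmt=$(cert_format "$1")
    if [ "$_fmt" = UNKNOWN ]; then return 2; fi
    ! openssl x509 -in "$1" -inform "$_fmt" -noout -checkend "$2" >/dev/null 2>&1
}

# Build constructed fixtures in DIR: root.pem (30 days), other.pem (unrelated
# root), leaf.pem (1 day, signed by root), root.der and a truncated broken.pem.
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -keyout "$d/root.key" -out "$d/root.pem" -days 30 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" -days 30 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=constructed-laptop" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null &&
    openssl x509 -in "$d/root.pem" -outform DER -out "$d/root.der" &&
    head -c 200 "$d/root.pem" > "$d/broken.pem"
}

demo() {
    dir=$(mktemp -d) && make_demo_pki "$dir" || return 1
    for f in root.pem root.der broken.pem; do
        echo "$f: $(cert_format "$dir/$f")"
    done
    chain_ok "$dir/root.pem" "$dir/leaf.pem" && echo "leaf.pem chains to root.pem"
    chain_ok "$dir/other.pem" "$dir/leaf.pem" || echo "leaf.pem does NOT chain to other.pem"
    expires_within "$dir/leaf.pem" 172800 && echo "leaf.pem expires within 2 days"
    rm -rf "$dir"
}
demo
```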

  • ISE 1.2 issue with CWA (Error : Your session has expired)

    Hi
    We have an ISE deployment with two administration nodes and two service policy nodes running 1.2.1.198, with CWA for wireless guest users (Cisco WLC). Suddenly, many guest users faced an issue where the login page is redirected but after inserting user/password it gave "Your session has expired. Sign on again".
    Authentication logs on ISE show:
    Event  5418 Guest Authentication Failed
    Failure Reason  86017 Session Missing
    Resolution  Please contact your Administrator
    Root cause  SessionID is missing. Please contact your System Administrator
    We suspected the bug CSCul10677, but it is fixed in 1.2.1.198. We reloaded the two service policy nodes and that resolved the issue temporarily, but it showed back after a couple of hours. The issue appeared with some users, not all, and with no specific devices or operating systems.
    Any idea?
    Regards,
    Mohammad

    Please refer to the link: https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
    Workaround:
    Terminate session from admin UI and type in the original URL to redirect to guest portal with a new session-id.
    Disconnect SSID, wait for a few minutes, reconnect and enter the original URL to redirect to guest portal with the new session-id.

  • ISE / Active Directory: issue to get users group

    Hello,
    We have a strange issue:
    - ISE 1.2 patch 8
    - no WLC, autonomous AP
    In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
    We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
    And one more rule to grant authentication from APs to register in WDS: user in local database.
    In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
    (so 3 rules), and one more to authorise the internal base for WDS.
    We have something strange:
    - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
    Example:
    1- OK:
    Authentication Details
    Source Timestamp: 2014-05-15 11:43:19.064
    Received Timestamp: 2014-05-15 11:43:19.065
    Policy Server: radius
    Event: 5200 Authentication succeeded
    All the GROUPS of user are seen:
    false
    AD ExternalGroups: xx/users/admexch
    AD ExternalGroups: xx/users/glkdp
    AD ExternalGroups: x/users/gl revue écriture
    AD ExternalGroups: xx/users/pcanywhere
    AD ExternalGroups: xx/users/wifidata
    AD ExternalGroups: xx/informatique/campus/destinataires/aa informatique
    AD ExternalGroups: xx/informatique/campus/destinataires/aa entreprises et cités
    AD ExternalGroups: xx/informatique/campus/destinataires/aa campus
    AD ExternalGroups: xx/users/aiga_creches
    AD ExternalGroups: xx/users/admins du domaine
    AD ExternalGroups: xx/users/utilisa. du domaine
    AD ExternalGroups: xx/users/groupe de réplication dont le mot de passe rodc est refusé
    AD ExternalGroups: xx/microsoft exchange security groups/exchange view-only administrators
    AD ExternalGroups: xx/microsoft exchange security groups/exchange public folder administrators
    AD ExternalGroups: xx/users/certsvc_dcom_access
    AD ExternalGroups: xx/builtin/administrateurs
    AD ExternalGroups: xx/builtin/utilisateurs
    AD ExternalGroups: xx/builtin/opérateurs de compte
    AD ExternalGroups: xx/builtin/opérateurs de serveur
    AD ExternalGroups: xx/builtin/utilisateurs du bureau à distance
    AD ExternalGroups: xx/builtin/accès dcom service de certificats
    RADIUS Username: xx\cennelin
    Device IP Address: 172.25.2.87
    Called-Station-ID: 00:3A:98:A5:3E:20
    CiscoAVPair: ssid=CAMPUS
    ssid: campus
    2- Not OK later:
    Authentication Details
    Source Timestamp: 2014-05-15 16:17:35.69
    Received Timestamp: 2014-05-15 16:17:35.69
    Policy Server: radius
    Event: 5434 Endpoint conducted several failed authentications of the same scenario
    Failure Reason: 15039 Rejected per authorization profile
    Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
    Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
    Only 3 Groups of the user are seen:
    Other Attributes
    ConfigVersionId: 5
    Device Port: 1645
    DestinationPort: 1812
    RadiusPacketType: AccessRequest
    UserName: host/xxxxxxxxxxxx
    Protocol: Radius
    NAS-IP-Address: 172.25.2.80
    NAS-Port: 51517
    Framed-MTU: 1400
    State: 37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
    cisco-nas-port: 51517
    IsEndpointInRejectMode: false
    AcsSessionID: radius/189518899/49890
    DetailedInfo: Authentication succeed
    SelectedAuthenticationIdentityStores: AD1
    ADDomain: xxxxxxxxxxx
    AuthorizationPolicyMatchedRule: Default
    CPMSessionID: b0140a6f0000C2E15374CC7F
    EndPointMACAddress: 00-xxxxxxxxxxxx
    ISEPolicySetName: Default
    AllowedProtocolMatchedRule: MDP-PC-PEAP
    IdentitySelectionMatchedRule: Default
    HostIdentityGroup: Endpoint Identity Groups:Profiled:Workstation
    Model Name: Cisco
    Location: Location#All Locations#Site-MDP
    Device Type: Device Type#All Device Types#Cisco-Bornes
    IdentityAccessRestricted: false
    AD ExternalGroups: xx/users/ordinateurs du domaine
    AD ExternalGroups: xx/users/certsvc_dcom_access
    AD ExternalGroups: xx/builtin/accès dcom service de certificats
    Called-Station-ID: 54:75:D0:DC:5B:7C
    CiscoAVPair: ssid=CAMPUS
    If you have an idea, thanks so much,
    Regards,

    To configure debug logs via the Cisco ISE user interface, complete the following steps:
    Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
    You can use the Filter button to search for a specific node, particularly if the node list is large.
    www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

  • ISE - Authorization Profile issue

    I'm running a trial of ISE and I'm attempting to create the authorization profile with the following settings:
    Name: Posture_Remediation
    Access Type: Access_Accept
    Common Tools:
    Posture Discovery, Enabled
    Posture Discovery, ACL ACL-POSTURE-REDIRECT
    The documentation says Common Tools, but in the screen shot it shows Common Tasks which is accurate to my install. Doc: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic19
    The issue is that I do not see a Posture Discovery option in the Common Tasks area. Can I add these attributes using the Advanced Attributes settings or is there something I need to enable to display the Posture Discovery option within Common Tasks?
    Any help would be appreciated.
    Andrew

    Hello Andrew,
    As per your query, I can suggest you -
    Creating a New Authorization Policy
    Use this procedure to create a new authorization policy.
    To create a new authorization policy, complete the following steps:
    Step 1 Choose Policy > Authorization > Standard.
    Step 2 Click to select either Insert New Rule Above or Insert New Rule Below.
    A new policy entry appears in the position you designated in the Standard panel of the Authorization Policy window.
    Step 3 Enter values for the following authorization policy fields:
    •Rule Name—You need to define a rule name for the new policy.
    •Identity Groups—Choose a name for the identity group that you want associated with the policy.
    –Click + ("plus" sign) next to the word "Any" to display a drop-down list of group choices, or choose Any for the policy for this identity group to include all users.
    •Condition(s)—Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
    –Select a Condition Name option from the drop-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
    –Select one of the Attribute options as needed. This displays a list of dictionaries that contain specific attributes related to the dictionary type.
    When you select an attribute, you can define it as Equals, Not Equals, or Matches using a pull-down list of operator options, and select an AND or OR directive using a pull-down directive option.
    For more information please refer to the link -
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html

  • ISE DashBoard Access issue

    Hi,
    I am running a distributed deployment with multiple PSNs, MONs & Admin Nodes deployed. I was verifying critical VLAN access and RADIUS server dead criteria, and a test case scenario to reboot/power off the devices for some time, turn them back on and verify the service. But after the devices came up I lost dashboard access. There is no more GUI access, though I am still able to access all the devices through CLI.
    Could you please help me to identify the issue?
    The following output is for reference.
    isea001/admin# show application status ise
    ISE Database listener is running, PID: 4947
    ISE Database is running, number of processes: 29
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6173
    ISE M&T Session Database is not running.
    ISE M&T Log Collector is not running.
    ISE M&T Log Processor is not running.
    isem001/admin# show application status ise
    ISE Database listener is running, PID: 4952
    ISE Database is running, number of processes: 23
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6131
    ISE M&T Session Database is running, PID: 4646
    ISE M&T Log Collector is running, PID: 6625
    ISE M&T Log Processor is not running.
    isep001/admin# show application status ise
    ISE Database listener is running, PID: 4955
    ISE Database is running, number of processes: 23
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6215
    ISE M&T Session Database is not running.
    ISE M&T Log Collector is not running.
    ISE M&T Log Processor is not running.
    isep002/admin# show application status ise
    ISE Database listener is running, PID: 4953
    ISE Database is running, number of processes: 23
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 6171
    ISE M&T Session Database is not running.
    ISE M&T Log Collector is not running.
    ISE M&T Log Processor is not running.

    Hi Neno, the BuG ID # CSCuo68012 

  • ISE WLC Integration issues

    We are in the process of integrating ISE into our WLC and are planning on implementing HReap (Flexconnect) local switching.  We have setup the ISE server as a Radius entry in the WLC and added WLC to ISE, same shared secret.  We have a test SSID configured on the WLC and it is using the entry to ISE for AAA.  We have used "none" for layer 2 security as well as WPA.......but we never see any activity on the ISE server.  Also from the WLC if we do a show radius auth stat there doesn't appear to be any traffic sent from the WLC to ISE.
    (Cisco Controller) >show radius auth sta
    Authentication Servers:
    <Output Ommited>
    Server Index..................................... 4
    Server Address................................... IP ADDRESS OF ISE
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Pending Requests................................. 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    We have integrated ISE with switch and ASA and have always been able to get some activity on the ISE authentication monitor.
    Thanks,
    Joe

    Wireless will not do dACLs with or without FlexConnect. In centrally switched networks you can use Named ACLs which are different than dACLs.
    But you are correct with FlexConnect (pre-7.5*) you can use FlexConnect ACLs tied to the VLAN.  Then you can use ISE to set the VLAN.
    *As of 7.5 version of code you can now use named ACLs on Locally Switched users, but it is still a named ACL and not a dACL.
    From the release notes
    In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.
    In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
    There are some other limitations when using FlexConnect that you should be aware about.
    This guide will show you how to use Centrally Authenticated with Locally Switched
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
    This document will show you the feature matrix for ISE and FlexConnect
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml
    If you are using Active Directory I would recommend against using LDAP because there are more features when using the native AD integration. If you are not using AD then the issue with the Secure LDAP is probably related to the CA certificate not being installed correctly.

  • ISE Initial Configuration issue.....

    Does somebody know what the default behavior of the ISE device is?
    I have to install and deploy a Wireless BYOD Environment. We unpacked the equipment and started to configure with the CLI Setup wizard, we the ip address, mask, etc etc, the ISE showed that the configuration was applied, started running and a line appeared where we have to add a database password with some specifications. Here is where the problem started, because we couldn't make the ISE accept the password; we tried with upper case, lower case, number and at least 11 characters, but the ISE always shows us an error, we can't add the password.
    After that we powered off the ISE and the device started; when we are prompted in the CLI system and check the status of the ISE everything is down. When we try to start the ISE the system by itself shows an error saying that the system couldn't start, and when we try to go to the ISE by GUI or browser we can't, we can't open the ISE any way.
    Does somebody have some experience with this device? Do we have to install any additional software, or any license, or what can we do to solve this issue?
    Thank you very much.
    BEST REGARDS.     

    Hi Scott, thank you for your answer.
    Here the problem is that the ISE services are not running since the beginning and when we try to start them from the CLI the ISE sends an error.
    There's a time in the configuration process at the end, that you have to add a database admin password, we can't add this password, the system doesn't accept any password, I don't know if this password is necessary to startup the ISE application.
    THANKS.
    ISE-WIRELESS/admin# show application status ise
    ISE Database listener is not running
    ISE Application Server process is not running.
    ISE M&T Session Database is not running.
    ISE M&T Log Collector is not running.
    ISE M&T Log Processor is not running.
    ISE M&T Alert Process is not running.
    ISE-WIRELESS/admin# application start ise
    % Application failed to start
    ISE-WIRELESS/admin#
    Enter new database admin password:
    % Password should start with an alphabet.
    % Password does not meet minimum length requirement of 11 characters.
    % Password must contain at least one digit.
    % Password must contain at least one lower case letter.
    % Password must contain at least upper case letter.
    Enter new database admin password:
    % Password should start with an alphabet.
    % Password does not meet minimum length requirement of 11 characters.
    % Password must contain at least one digit.
    % Password must contain at least one lower case letter.
    % Password must contain at least upper case letter.

  • ISE web login Issue.

    Hi all:
    Here is the scenario. My ISE is a VMware version and works normally. Now here comes an issue: my computer can't log in to the ISE web interface.
    The other computer can log in to the ISE web interface.
    I think it may be a cert issue, because when I log in to the web interface, the website gives me the VMware cert, but I think it should be my AD's cert.
         Any help or suggestion will be appreciated.

    The problem is in the browser you are using. Please remove all the pre-added certificates from your browser and try to connect to ISE using HTTPS. ISE will issue a certificate to you. Add this certificate and you will get the GUI of ISE.
    (Remove certificate from browser: tools --> options --> content --> certificates --> remove, then restart it.)

  • ISE Android certificate issue

    Hello team,
    I am facing an issue with ISE after changing the domain name. A new default certificate was generated and the old cert is also available; because of the 2 group certs I am facing an issue. Is anyone facing the same issue?

    changing domain of ISE
    https://supportforums.cisco.com/discussion/11593841/changing-domain-ise-after-post-setup

  • Sun Solaris 10, Upgrade 8 or higher, having issues with VxFS, for Oracle 11gr2

    A while ago, we tried doing a prototype upgrade of our main Oracle 10g db to Oracle 11gr2.
    The OS on which our Oracle 10g is running is Sun Solaris 10, upgrade 4.
    According to Oracle 11gr2 documentation, we need Sun Solaris 10, upgrade 6 or higher for Oracle 11g2.
    The filesystem we are using is VxFS, Veritas File System.
    According to our system administrator, we had issues making Sun Solaris 10, upgrade 8, work with the VxFS filesystem.
    I was wondering if anybody is running Oracle 11g2 on Sun Solaris 10 upgrade 6 or higher with the VxFS file system.
    At present, our Oracle db upgrade project is on hold because of the above issue. So your help on this can really help us in figuring out if there is an issue between the VxFS filesystem and Sun Solaris 10 OS.
    Thanks
    Ashish

    Hi Ashish,
    We are not running Veritas Cluster file system.
    We tried moving our Oracle 10g r2 db on ZFS, before doing the upgrade, and performance on ZFS was worst.
    ZFS has certain memory parameter setting. If you did not configure that then ZFS will eat your complete system memory.
    My system administrator has gotten a copy of Solaris 10 upgrade 9 and will try that with VxFS.
    I was curious to find out if folks are running Oracle 11g on Sun Solaris 10 with VxFS file system and if they had experienced any issue.
    Recently I installed Oracle database 11.2.0.2 on one of my test servers. I have created two databases - one on ZFS and another on ASM.
    Refer:
    http://appsdbaworkshop.blogspot.com/2010/10/installation-of-11202-on-oracle-solaris.html
    We don't have any performance issues. We are testing it for the performance benchmarks on both of the filesystems.
    If you can install VxFS on Oracle Solaris 10 U9, then according to me there shouldn't be any limitations for an Oracle database.
    Regards,
    X A H E E R
