Monitoring ISE node as syslog destination

Hi Security Experts,
We are setting up Cisco ISE (Identity Services Engine) in our network.
I am confused about whether we need to configure the monitoring node IP address as the syslog destination on the access switches. In what situations is this needed, and in which situations is it not needed?
PS: I rate useful posts.
Thanks,
Kashish

Kashish,
When you look at the user authentication report, ISE also builds related syslog messages that pertain to the user connection.
This isn't mandatory but useful, since it does help correlate syslog messages to the user authentication session. Here is an example of it in action:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1050132
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Cisco ISE and external syslog server

    Hi Security Experts,
    We are starting with deploying Cisco ISE (Identity Services Engine) in our network. We have allocated 250GB space for the (Admin+Monitor) ISE node.
    I want to know if we can send the logs from the monitoring node to an external syslog server after a defined time interval.
    For example, logs which are more than 10 days old should be sent to the external syslog server. So basically our monitoring node will have logs which are at most 9 days old. Is it possible? Could you point me to some doc which explains the configuration of the same?
    Thanks,
    Kashish

    No, this isn't possible via syslog. What you are looking for is database purging, so that the monitoring database is purged after a specific time interval. Here is a guide that will help shed some light on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_mnt.html#wp1054328
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.1.1 to ISE 1.2 upgrade path for ISE node

    Hi,
    Currently in our ISE deployment, we have 2 ISE nodes with version 1.1.1.268 and the latest patch.
    The ISE nodes hold the following personas:
    Node 1: Admin, Monitoring, PSN
    Node 2: PSN
    How should the above deployment be upgraded to 1.2?
    In which order should they be upgraded? Any supporting doc covering the above deployment for the ISE 1.2 upgrade?

    Kindly check the following links for references
    http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.pdf
    https://www.cisco.com/en/US/docs/security/ise/1.2/open_source_license/Cisco_Identity_Services_Engine_1.2_Open_Source_Documentation.pdf

  • Ise node not becoming standalone after deregistration

    I am seeing a weird problem.
    I deregistered secondary admin/monitor node from primary admin/monitor node. I see successfully deregistered message.
    But the deregistered node is still showing SEC(A) and SEC(M). It is not changing to standalone mode.
    This is disrupting the upgrade of distributed deployment of ISE nodes.
    Any clues?

    Bug details:
    Secondary node never becomes standalone after de-registration
    The secondary node is de-registered successfully, but a "The following deregistered nodes are not currently reachable: . Be sure to reset the configuration on these nodes manually, as they may not revert to Standalone on their own." message appears to the administrator.
    Workaround: Log in to the administrator user interface with internal Cisco ISE administrator credentials when de-registering a node.
    Actually we had two accounts in the web GUI; the nodes were registered using one account and during the upgrade I used a different account, which triggered this bug.

  • Best Practise for rebooting ISE Nodes?

    Hello Community,
    I administer an ISE installation with two nodes (I am not an ISE specialist, my job is just to manage the users/MAC addresses), but now I have to move my ISE nodes from one VMware cluster to another VMware cluster.
    (Both VMware environments are connected to our enterprise network, but are different environments. vMotion is not possible.)
    I would shut down ISE02, move it to our new VMware environment and start it again.
    Then I would do the same with our ISE01 node...
    Are there any best practices for doing this? (Shut down the application first, stop replication, etc.)?
    Can I really simply reboot an ISE node, or do I have to consider something before I do this? After I do this?
    Any tasks after reboot?
    Thank you for any answer!
    ISE01: Administration, Monitoring, Policy Service; PRI(A), SEC(M)
    ISE02: Administration, Monitoring, Policy Service; SEC(A), PRI(M)

    There is a lot to consider here. If changing environments means changing IP addresses and IP scopes, then your policies, profiles, and dACLs would also have to change, among other things. If this is the case, create a new ISE VM in the new environment using the built-in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment. Then spin up a new Secondary node and register it on the Primary. Once this is done, you can re-host the license from your old environment onto your new environment. You can use this tool to re-host:
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999
    If IP addressing is to remain the same, it gets simpler.
    First, and always, perform a configuration and operational backup.
    If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes.  Transfer them to the New Environment and turn them on, Primary Node first, of course.
    If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment.  Start the Secondary Node and when it is up, shut down the Primary Node.  Once services on the primary node have stopped, promote the Secondary Node to Primary Node.
    Transfer the OLD Primary Node to the New Environment and turn it on.  It should assume the role of Secondary Node.  If it does not, assign that role through the GUI.
    Remember, the correct way to shut down an ISE node is:
    application stop ise
    halt
    By using these commands, the risk of database corruption decreases by about 90% (Remember to always backup).
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Error while registering ISE node

    Getting this error while trying to register a newly built standalone VM node on the primary admin node.
    'admin' is not authorized to register ISE Node <node name>. Please check the credentials and/or privileges.
    admin is the only account on the newly built VM node and admin has full privileges on primary admin node as well. I have done the registering process before as well and this is the first time I have seen this error... Any thoughts?

    Hello Kashish,
    Though I assume it's been almost a week and you might have solved this by now, it may help others facing a similar problem.
    When a node is registered with the primary, the primary node connects with the node to be registered, and the primary node itself needs to authenticate against that node which is to be registered.
    You need to specify the admin user password of the ISE node that you want to register. Make sure, by logging on to the web UI of the ISE node you want to register, that you have the admin user password. Otherwise you should create / reset the admin user for the web UI of the node to be registered.
    Regards,
    Ashok

  • Syslog Destination Address

    Hi there,
    since my AEBS is constantly rebooting I'm trying to get some logs. I can't use the AirPort Utility for that purpose since it's not streaming the logs. Also, as soon as the AEBS reboots it dumps the logs.
    So I'm trying to stream the logs to my MacBook using the Advanced/Logging & SNMP/Syslog Destination Address.
    In that field I've entered the IP address of my MacBook. I've connected it using Ethernet and disabled AirPort. Syslog Level to "Debug" -> Update
    Then I open my Console and nothing, I've looked in the different Logs everywhere and can't find anything.
    Has anyone got it working?
    Micha

    Hi,
    I have not got it working. I would also like to do the same thing, but I believe it is quite tricky. By default I believe that OS X 10.4 is NOT configured to be able to receive syslog log messages over the network.
    The program that actually listens for log messages, from the network or from local apps, is called syslogd. macosxhints.com has a somewhat confusing write-up on how to reconfigure it to receive messages from the network (http://www.macosxhints.com/article.php?story=20060327074531639). However, this involves tampering with files under the /System/Library subdirectory, so I'd rather not risk it.
    MacBook Pro Mac OS X (10.4.9)

  • ISE Node Failure & Pre-Auth ACL

    Hi All,
    I would like to know what the best practice configuration should be for the following points:
    1) Network access for end users/devices if both ISE nodes become unreachable? How can we make sure that full network access is granted if both ISE nodes become unavailable?
    2) What is the best practice for the pre-auth ACL configuration if IP phones are also in the network?
    Here is the port configuration and pre-auth ACL which I am using in my network:
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30
    authentication event server dead action authorize vlan 30
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks & Regards,
    Mujeeb

    Hi,
    I am using following configuration on the ports,
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30 ----> What would the behaviour be due to this command?
    authentication event server dead action authorize vlan 30 ---> So if the ISE nodes are unavailable, this port will be in VLAN 30, which is the actual VLAN?
    authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if the ISE nodes become available?
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    Since I am using the following ACL on the ports, will the user have network access according to this ACL if the ISE nodes are unavailable?
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks
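To see concretely what the ISE-ACL-DEFAULT pre-auth ACL quoted above lets through before a session is authorised, here is a small evaluator, added as an example and not part of the original thread. The ACL text is copied from the thread; the sample flows, the client and external addresses, and the port-name table are constructed, and the evaluator only models the static ACL as written (first match, implicit deny), not whether a dACL later replaces it.

```python
"""Evaluate which flows the ISE-ACL-DEFAULT pre-auth ACL from the thread
permits. Added example, not from the original posts. The ACL text is copied
from the thread; SAMPLE_FLOWS, its addresses and PORT_NAMES are constructed.
Only the syntax used in that ACL is supported: permit/deny, protocol
ip/udp/tcp/icmp, 'any' or 'host A.B.C.D', optional 'eq <port>', trailing 'log'.
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "domain": 53, "www": 80}

ACL_TEXT = """
ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and Domain Controllers
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Deny All
 deny   ip any any log
"""

# Constructed sample flows: (protocol, src, sport, dst, dport). 10.30.0.50 stands
# in for a client in the access VLAN; 203.0.113.10 and 198.51.100.53 are
# documentation-range addresses standing in for hosts outside the DC list.
SAMPLE_FLOWS = {
    "dhcp discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "ldap to DC .11": ("tcp", "10.30.0.50", 49152, "172.22.35.11", 389),
    "ping gateway": ("icmp", "10.30.0.50", None, "10.30.0.1", None),
    "pxe tftp": ("udp", "10.30.0.50", 49153, "10.30.0.200", 69),
    "https to internet": ("tcp", "10.30.0.50", 49154, "203.0.113.10", 443),
    "dns to ext resolver": ("udp", "10.30.0.50", 49155, "198.51.100.53", 53),
}

def _port(tok):
    """Map an IOS port keyword or number to an integer port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_endpoint(tokens, i):
    """Parse 'any' | 'host A.B.C.D' followed by an optional 'eq PORT'.
    Returns ((address_or_None, port_or_None), index_of_next_token)."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]!r}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return (addr, port), i

def parse_acl(text):
    """Turn the ACL text into an ordered list of
    (action, protocol, (src, sport), (dst, dport), log) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):  # header line / comment
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_endpoint(tokens, 2)
        dst, i = _parse_endpoint(tokens, i)
        entries.append((action, proto, src, dst, "log" in tokens[i:]))
    return entries

def _matches(entry, flow):
    _, proto, (saddr, sport), (daddr, dport), _ = entry
    fproto, fsrc, fsport, fdst, fdport = flow
    return ((proto == "ip" or proto == fproto)  # 'ip' covers every protocol
            and saddr in (None, fsrc) and daddr in (None, fdst)
            and sport in (None, fsport) and dport in (None, fdport))

def evaluate(entries, flow):
    """First-match evaluation as on IOS; implicit deny when nothing matches."""
    for idx, entry in enumerate(entries):
        if _matches(entry, flow):
            return entry[0], idx
    return "deny", None

def check_flows(acl_text=ACL_TEXT, flows=SAMPLE_FLOWS):
    """Return {label: (action, matching_entry_index)} for each sample flow."""
    entries = parse_acl(acl_text)
    return {label: evaluate(entries, flow) for label, flow in flows.items()}

if __name__ == "__main__":
    for label, (action, idx) in check_flows().items():
        print(f"{label:<22} {action:<6} (entry {idx})")
```

Note that the "DNS and Domain Controllers" remark only covers the two listed hosts, so DNS to any other resolver falls through to the final deny, which is what a pre-auth ACL is meant to do.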

  • ISE node group behind load balancer

    I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
    Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.
    Q1:
    Node group config requires multicast.
    Cisco ACE LB doesn't support multicast, except in bridge mode.
    How do people support a distributed deployment in a node group behind Cisco ACE?
    Q2:
    User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
    What if we need more than 4 PSN nodes to support our network & user base?
    Q3:
    Has anyone been able to implement distributed deployment between two datacenters behind GSS?
    If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
    thx!

    I have had close to zero experience with LBs so my answers will be limited:
    Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
    Q2: You will have to create a new node group with a new multicast address
    Q3: No help here
    Couple of other things to remember:
    1. The nodes must be layer 2 adjacent
    2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
    3. You must perform sticky
    4. The Load balancers must be listed as NADs in ISE
    Hope this provides some help to you.
    Thank you for rating!

  • Configuring the port of the syslog destination address

    Hello,
    Is there a way to configure not just the internet address, but also the port number, to which the AEBS sends logging information?
    The "Syslog Destination Address" field doesn't accept the ":port"-style address syntax. But I was wondering if there is a hidden workaround, like doing Option-click to expose a larger number of frequency selections.
    Why do I care? For diagnostic purposes, I would like to enable the logging feature on my AEBS 802.11n and receive the logs on an OS X box. The app LogMaster can act as a syslogd daemon. The problem is it can't listen on the default port 514, since OS X's built-in syslogd daemon uses that port. This is despite the fact that the built-in syslogd doesn't listen for log messages from the network and cannot be configured to do so without hacking inside the /System directory.
    Any thoughts?

    The configuration for extending the CoS value to the IP phone port looks right. The fact that you have to unplug the phone for it to work seems to suggest that this is an issue with the phone. Is it running the latest phone load? What kind of switch is this?

  • ISE node registering after change domain-name

    At a customer site I changed the domain name of our 4 ISE servers before they were registered to any deployment. I regenerated a self-signed certificate and started to register the other nodes to the deployment. This went well for the 2 PSN nodes, which have an IP address in a different subnet. I tried to register the presumed secondary PAN/MnT node and got the following error message:
    "Node being registered has FQDN 'ISE-PAN-AP02.office.intern' which cannot be resolved. Please check your DNS configuration."
    My DNS config is in order.
    Can anyone please tell me what could possibly be the cause of this?

    Please check these Prerequisites:
    • The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
    • The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
    • Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
    • You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    • If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    • If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See the "Creating, Editing, and Deleting Node Groups" section for more information.
    • Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
    • After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import them into the CTL of the primary node. See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

  • ISE....uh.......No response from ISE node again...

    What is up with No Response from ISE Node ??
    Even though it sounds like the PSN node can't communicate with AD, it does authenticate and retrieves groups and attributes.
    How can I fix this?
    Why is it saying 'No Response from ISE Node'?

    Hi,
    Communication is fine between all ISE nodes; replication is COMPLETE for all nodes.
    I am running 1.1.4.218 with Patch 4 on all servers.
    I have 4 servers in my 8-server deployment that are in that strange AD status.
    The command "show logging application ise tail" does not show bad things. The DisplayName is always equal to the HostName, which is the same as the HostAlias (with the domain name). Please see below.
    Any ideas ?
    David
    Wed Sep 04 11:49:44 CEST 2013 : Poller wakeup...
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gcncsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gcncsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 9cec53f0-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gcncsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gcncsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 9cec53f3-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 9cec53f2-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 9cec53f1-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.97.32.223
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 9cec53f4-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gcncsl0001ise.na.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gcncsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gjucsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gjucsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 346a29c0-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gjucsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gjucsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 346a29c1-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.32.67.223
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.254.0
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 346a29c2-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 346a29c3-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 346a29c4-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gjucsl0001ise.ap.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gjucsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gmicsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gmicsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : af067300-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gmicsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gmicsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : af067304-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : af067302-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : af067301-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.96.67.223
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.252.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : af067303-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gmicsl0001ise.na.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gmicsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gsrcsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gsrcsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 305e3f30-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gsrcsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gsrcsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 305e3f31-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.32.128.223
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 305e3f32-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 305e3f34-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 305e3f33-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gsrcsl0001ise.ap.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gsrcsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : cf0e4260-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0001ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : unknown
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : STANDBY
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : PRIMARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : cf0e4262-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : cf0e4263-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : cf0e4264-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : cf0e4261-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : 10.71.142.9
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com is an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com has HA status STANDBY
    Wed Sep 04 11:49:45 CEST 2013 : Enabling propagation...
    Wed Sep 04 11:49:45 CEST 2013 : Checking node configuration...
    Wed Sep 04 11:49:45 CEST 2013 : Enable MNT
    Wed Sep 04 11:49:45 CEST 2013 : Enable PAP
    Wed Sep 04 11:49:45 CEST 2013 : Disable PDP PROFILER SESSION
    Wed Sep 04 11:49:45 CEST 2013 : Current/new node role status is PRIMARY PRIMARY
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig for standby MNT node exists: gvecsl0001ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0002ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0002ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 11ffc710-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0002ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0002ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : unknown
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : ACTIVE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 11ffc712-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 11ffc713-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 11ffc711-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.71.142.10
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 11ffc714-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com is an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com has HA status ACTIVE
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0002ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig for active MNT node exists: gvecsl0002ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0003ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0003ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : c532d1c0-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0003ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0003ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : c532d1c4-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : c532d1c3-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : c532d1c1-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.71.142.2
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : c532d1c2-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0003ise.emea.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0003ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0004ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0004ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 86fe3b20-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0004ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0004ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 86fe3b21-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.71.142.3
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 86fe3b24-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 86fe3b23-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 86fe3b22-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0004ise.emea.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0004ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : Node configuration has not changed - nothing updated
    Wed Sep 04 11:49:45 CEST 2013 : Poller sleeping...
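    As an added example that is not from the thread, a small parser for an MNT poller log in the format quoted above: it groups the HostConfig blocks, pairs each NIC index with its address, attaches the HA status lines, and then lists the MNT nodes (ACTIVE first) with their eth0 address, which is exactly what the question at the top of the thread, which monitoring node to point switch syslog at, needs. The sample log is constructed and uses placeholder hostnames and addresses.

```python
import re
# Constructed sample in the format of the MNT poller log above (placeholder hosts/IPs).
SAMPLE_LOG = """\
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : ise-a
Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : ise-a.example.test
Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT
Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth1
Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : 192.0.2.10
Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth0
Wed Sep 04 11:49:45 CEST 2013 : Node ise-a.example.test has HA status STANDBY
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : ise-b
Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : ise-b.example.test
Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT
Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 192.0.2.11
Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0
Wed Sep 04 11:49:45 CEST 2013 : Node ise-b.example.test has HA status ACTIVE
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : ise-c
Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : ise-c.example.test
Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP"""

KV = re.compile(r"^\s*(?:(\d+) )?(\w+)\s*: (.*)$")      # "  Key : value" / "  N Key : value"
HA = re.compile(r"^Node (\S+) has HA status (\w+)$")
def parse_poller_log(text):
    """One dict per HostConfig block, keyed by HostAlias (FQDN)."""
    blocks, cur, nic_ip = [], None, {}
    for raw in text.splitlines():
        msg = raw.split(" : ", 1)[-1]                   # drop the timestamp prefix
        kv, ha = KV.match(msg), HA.match(msg)
        if kv and kv.group(2) == "HostConfig":          # a new node block starts
            cur, nic_ip = {"ip": {}, "ha": None}, {}
            blocks.append(cur)
        elif kv and cur is not None:
            idx, key, val = kv.groups()
            if idx is None:
                cur[key] = val
            elif key == "IPAddress":
                nic_ip[idx] = None if val == "null" else val
            elif key == "NicCards":                     # pair the NIC with the address of the same index
                cur["ip"][val] = nic_ip.get(idx)
        elif ha and cur and cur.get("HostAlias") == ha.group(1):   # HA lines follow the node's block
            cur["ha"] = ha.group(2)
    return {n["HostAlias"]: n for n in blocks}

def mnt_syslog_targets(nodes):
    """(FQDN, eth0 IP, HA state) of each MNT node, ACTIVE first: the addresses a switch's syslog would go to."""
    mnt = [n for n in nodes.values() if "MNT" in n.get("NodeTypes", "").split()]
    mnt.sort(key=lambda n: n["ha"] != "ACTIVE")
    return [(n["HostAlias"], n["ip"].get("eth0"), n["ha"]) for n in mnt]
```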

  • Getting Error while registering ISE Node

    Hi All,
    I am getting the below error.
    Communication failure with the host 162.12.95.167. Please check the information for the target machine, or if the target machine is accessible and try again.
    I am able to ping as well from the primary node.
    Output of ping:
    PING 162.12.95.167 (162.12.95.167) 56(84) bytes of data.
    64 bytes from 162.12.95.167: icmp_seq=1 ttl=58 time=1.02 ms
    64 bytes from 162.12.95.167: icmp_seq=2 ttl=58 time=1.05 ms
    64 bytes from 162.12.95.167: icmp_seq=3 ttl=58 time=1.05 ms
    64 bytes from 162.12.95.167: icmp_seq=4 ttl=58 time=0.955 ms
    64 bytes from 162.12.95.167: icmp_seq=5 ttl=58 time=1.02 ms
    --- 162.12.95.167 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4000ms
    rtt min/avg/max/mdev = 0.955/1.019/1.051/0.053 ms

    Hello Sachin-
    A couple of questions:
    1. Is there a firewall between the two nodes that you are trying to cluster? If yes, then have you confirmed that all of the necessary ports and protocols are opened between them?
    2. What version of ISE are you using?
    3. Can you confirm that both devices are added in DNS and that both devices can ping each other via their FQDNs?
    On a side note, here are the prerequisites for clustering nodes:
    • The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
    • The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
    • You must configure the Cisco ISE Admin password at the time you install Cisco ISE. The previous Cisco ISE Admin default login credentials (admin/cisco) are no longer valid.
    • Use the username/password that was created during the initial Setup or the current password, if it was changed later.
    • The DB passwords of the primary and secondary nodes should be the same. If these passwords are set to be different during node installation, you can modify them using the following commands:
    – application reset-passwd ise internal-database-admin
    – application reset-passwd ise internal-database-user
    • You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have either the Super Admin or System Admin role assigned. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    • If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    • If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you must select the node group to be used on the registration page. See the “Creating, Editing, and Deleting Node Groups” section on page 9-21 for more information.
    • Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node).
    Thank you for rating!

  • Hi, any advice regarding bandwidth for ISE nodes (DC & DR)?

    Hi, any advice regarding bandwidth for ISE nodes (DC & DR)?

    Refer
    Bandwidth Requirements for Distributed Deployments
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_50_ise_deployment_tg.pdf

  • Primary administration ISE nodes failed

    Hi All,
    I'm going to implement 3 ISE nodes in a distributed deployment; 1 ISE will be configured as the Administration & Monitoring node, and the others as dedicated Policy Service nodes.
    My questions are:
    1. If the Administration & Monitoring node fails, will authentication, authorization and posture still run well on the client?
    2. Can we promote the dedicated Policy Service Node to be the new Administration & Monitoring node? If so, what is the procedure for promoting it? Is it as simple as promoting the secondary node (in case we have primary and secondary nodes), or is there other effort involved, such as having to restore the database, etc.?
    Thanks.
    Regards,
    Rian

    Hi,
    When the primary administration node fails, the PSNs will still continue to function and enforce policies.
    Since you have a single administration node, if that node has to be rebuilt, all other nodes will also have to be reset to factory defaults and then re-registered once the primary node is ready again.
    In that case you can open a TAC case to have them assist in pulling your database from one of the PSN nodes.
    As always, these are my observations and what I would do if I were in the situation; we can wait for a Cisco engineer to respond, or you can post this question in a TAC case to make sure there isn't an upcoming feature which addresses this scenario.
    Sent from Cisco Technical Support Android App
