Cisco Ise 13 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3

CHAPTER 25
Monitoring and Troubleshooting

• Monitoring and Troubleshooting Service in Cisco ISE
• Device Configuration for Monitoring
• Network Process Status
• Network Authentications
• Profiler Activity and Profiled Endpoints
• Troubleshooting the Profiler Feed
• Posture Compliance
• Cisco ISE Alarms
• Log Collection
• Live Authentications
• Global Search for Endpoints
• Session Trace for an Endpoint
• Authentication Summary Report
• Diagnostic Troubleshooting Tools
• TCP Dump Utility to Validate the Incoming Traffic
• Obtaining Additional Troubleshooting Information
• Monitoring Database

Monitoring and Troubleshooting Service in Cisco ISE

The Monitoring and troubleshooting service is a comprehensive identity solution for all Cisco ISE run-time services and uses the following components:

• Monitoring—Provides a real-time presentation of meaningful data representing the state of access activities on a network. This insight allows you to easily interpret and affect operational conditions.
• Troubleshooting—Provides contextual guidance for resolving access issues on networks. You can then address user concerns and provide a resolution in a timely manner.
• Reporting—Provides a catalog of standard reports that you can use to analyze trends and monitor system performance and network activities. You can customize reports in various ways and save them for future use.

Cisco ISE Dashboard

The Cisco ISE dashboard, or home page (Home > Summary), is the landing page that appears after you log in to the Cisco ISE administration console. The dashboard is a centralized management console consisting of metric meters along the top of the window, with dashlets below. The default dashboards are Summary, Endpoints, Guests, Vulnerability, and Threat.

The dashboard's real-time data provides an at-a-glance status of the devices and users that are accessing your network as well as the system health overview.

Note: You must have Adobe Flash Player installed in your browser to be able to view the dashlets and all the corresponding drill down pages properly.

Network Privilege Framework

The dashboard shows the activity on the Network Privilege Framework (NPF), and provides detailed information on the various components.

The NPF is composed of the three tiers outlined in the following table:

Table 52: NPF Tiers

Tier | Specifications
1 | Access control based on identity using 802.1x, MAC authentication bypass (MAB), the Cisco ISE Profiler service
2 | Access control based on identity using 802.1x, MAB, Profiler, guest provisioning of the Network Admission Control (NAC) manager, central web authentication
3 | Access control based on identity and posture using 802.1x, MAB, Profiler, guest provisioning of the NAC manager, central web authentication

NPF authentication and authorization generates a flow of events. The events from the different sources are then collected by Cisco ISE monitoring and troubleshooting tools and summarized. You can view the authentication and authorization results on the dashboard or choose to run any number of reports.
NPF Event Flow Process

The NPF authentication and authorization event flow uses the process described in the following table:
Process Stage | Description
1 | NAD performs an authorization or flex authorization.
2 | An unknown agentless identity is profiled with web authorization.
3 | RADIUS server authenticates and authorizes the identity.
4 | Authorization is provisioned for the identity at the port.
5 | Unauthorized endpoint traffic is dropped.

User Roles and Permissions for Monitoring and Troubleshooting Capabilities

Monitoring and troubleshooting capabilities are associated with default user roles. The tasks you are allowed to perform are directly related to your assigned user role.

Data Stored in Monitoring Database

The Cisco ISE monitoring service collects and stores data in a specialized monitoring database. The rate and amount of data utilized to monitor network functions may require a node dedicated solely to monitoring. If your Cisco ISE network collects logging data at a high rate from Policy Service nodes or network devices, a Cisco ISE node dedicated to monitoring is recommended.

To manage the information stored in the Monitoring database, you are required to perform full and incremental backups of the database. This includes purging unwanted data, and then restoring the database.

Device Configuration for Monitoring

The Monitoring node receives and uses data from devices on the network to populate the dashboard display. To enable communication between the Monitoring node and the network devices, switches and Network Access Devices (NADs) must be configured properly.

Network Process Status

You can view process status for the network from the Cisco ISE dashboard using the System Summary dashlet. For example, when processes like the application server or database fail, an alarm is generated and you can view the results using the System Summary dashlet.

The color of the system status icon indicates the health of your system:

• Green = Healthy
• Yellow = Warning
• Red = Critical
• Gray = No information
Monitor Network Process Status

Procedure

Step 1 Go to the Cisco ISE Dashboard.
Step 2 Expand the System Summary dashlet. A detailed real-time report appears.
Step 3 Review the following information for the processes that are running on the network:
• Name of the process
• CPU and memory utilization
• Time since process started running

Network Authentications

You can view the passed and failed network authentications from the Authentications dashlet. It provides data on the user or type of device, location, and the identity group to which the user or device belongs. The sparklines along the top of the dashlet represent distribution over the last 24 hours and the last 60 minutes.

Monitor Network Authentications

Procedure

Step 1 Go to the Cisco ISE Dashboard.
Step 2 Expand the Authentications dashlet. A detailed real-time report appears.
Step 3 Review the information for the users or devices that are authenticated on the network.
Step 4 Expand the data categories for more information.

Profiler Activity and Profiled Endpoints

The Profiled Endpoint dashlet focuses on the endpoints on the network that have matched profiles, providing profile data for each endpoint. For example, the statistics allow you to determine the type of device, its location, and its IP address. The sparklines along the top of the dashlet represent endpoint activity over the last 24 hours and last 60 minutes.

The Profiled Endpoint dashlet represents the total number of endpoints that have been profiled on the network for the last 24 hours, including those that are unknown. It is not a representation of how many endpoints are currently active on the network. Sparkline metrics at the top of the dashlet show time specific values for the last 24 hours and 60 minutes.

Determine Profiler Activity and Profiled Endpoints

Procedure

Step 1 Go to the Cisco ISE Dashboard.
Step 2 In the Profiler Activity dashlet, hover your cursor over a stack bar or sparkline. A tooltip provides detailed information.
Step 3 Expand the data categories for more information.
Step 4 Expand the Profiler Activity dashlet. A detailed real-time report appears.

Troubleshooting the Profiler Feed

If the Test was able to connect to the Cisco Feed server, then you will see a popup that says that the test connection was successful.

If the connection failed, the test button area will contain a response from the server, similar to the following example, where the bold part of the message shows the important part of the message:

Test result: Failure: Feed Service test connection failed: Feed Service unavailable: SocketTimeoutException invoking https://ise.cisco.com:8443/feedserver/feed/serverinfo: sun.security.validator.ValidatorException: PKIX path building failed: Sun.security.provider.certpath.SunCertPathBuilderException Unable to find valid certification path to requested target

Here are some possible error messages and actions to take:

• Unable to find valid certification path to requested target - The certificate that the Feed server used is not valid. Verify that you have enabled the Verisign certificates.
• No route to host - Verify that you have a working connection to an outside network from the ISE server.
• UnknownHostException (at the beginning of the error message) - Verify that you have a working connection to an outside network from the ISE server.

Posture Compliance

The Posture Compliance dashlet provides information on the users who are accessing the network and whether they meet posture compliance. Data is shown on the devices that are currently connected to the network. The stack bars show compliance statistics that are arranged according to operating system and other criteria. Sparklines represent the percentage of compliant versus noncompliant posture attempts.
Check Posture Compliance

Procedure

Step 1 Go to the Cisco ISE Dashboard.
Step 2 In the Posture Compliance dashlet, hover your cursor over a stack bar or sparkline. A tooltip provides detailed information.
Step 3 Expand the data categories for more information.
Step 4 Expand the Posture Compliance dashlet. A detailed real-time report appears.

Cisco ISE Alarms

Alarms notify you of critical conditions on a network and are displayed in the Alarms dashlet. They also provide information on system activities, such as data purge events. You can configure how you want to be notified about system activities, or disable them entirely. You can also configure the threshold for certain alarms.

Most alarms do not have an associated schedule and are sent immediately after an event occurs. At any given point in time, only the latest 15,000 alarms are retained.

If the event re-occurs, then the same alarms are suppressed for a minimum duration of two hours. During the time that the event re-occurs, depending upon the trigger, it may take up to three hours for the alarms to re-appear.

The following table lists all the Cisco ISE alarms, descriptions and their resolution.

Table 53: Cisco ISE Alarms

Administrative and Operational Audit Management

Alarm Name: Administrator account Locked/Disabled
Alarm Description: Administrator account is locked or disabled due to password expiration or incorrect login attempts. For more details, refer to the administrator password policy.
Alarm Resolution: Administrator password can be reset by another administrator using the GUI or CLI.
Alarm Name: Backup Failed
Alarm Description: The ISE backup operation failed.
Alarm Resolution: Check the network connectivity between Cisco ISE and the repository. Ensure that:
• The credentials used for the repository are correct.
• There is sufficient disk space in the repository.
• The repository user has write privileges.

Alarm Name: CA Server is down
Alarm Description: CA server is down.
Alarm Resolution: Check to make sure that the CA services are up and running on the CA server.

Alarm Name: CA Server is Up
Alarm Description: CA server is up.
Alarm Resolution: A notification to inform the administrator that the CA server is up.

Alarm Name: Certificate Expiration
Alarm Description: This certificate will expire soon. When it expires, Cisco ISE may fail to establish secure communication with clients.
Alarm Resolution: Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use Cisco ISE to extend the expiration date. You can delete the certificate if it is no longer used.

Alarm Name: Certificate Revoked
Alarm Description: Administrator has revoked the certificate issued to an Endpoint by the Internal CA.
Alarm Resolution: Go through the BYOD flow from the beginning to be provisioned with a new certificate.

Alarm Name: Certificate Provisioning Initialization Error
Alarm Description: Certificate provisioning initialization failed
Alarm Resolution: More than one certificate found with the same value of CN (Common Name) attribute in the subject, cannot build certificate chain. Check all the certificates in the system including those from the SCEP server.
Alarm Name: Certificate Replication Failed
Alarm Description: Certificate replication to secondary node failed
Alarm Resolution: The certificate is not valid on the secondary node, or there is some other permanent error condition. Check the secondary node for a pre-existing, conflicting certificate. If found, delete the pre-existing certificate on the secondary node, and export the new certificate on the primary, delete it, and import it in order to reattempt replication.

Alarm Name: Certificate Replication Temporarily Failed
Alarm Description: Certificate replication to secondary node temporarily failed
Alarm Resolution: The certificate was not replicated to a secondary node due to a temporary condition such as a network outage. The replication will be retried until it succeeds.

Alarm Name: Certificate Expired
Alarm Description: This certificate has expired. Cisco ISE may fail to establish secure communication with clients. Node-to-node communication may also be affected.
Alarm Resolution: Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use Cisco ISE to extend the expiration date. You can delete the certificate if it is no longer used.

Alarm Name: Certificate Request Forwarding Failed
Alarm Description: Certificate request forwarding failed.
Alarm Resolution: Make sure that the certification request coming in matches with attributes from the sender.

Alarm Name: Configuration Changed
Alarm Description: Cisco ISE configuration is updated. This alarm is not triggered for any configuration change in users and endpoints.
Alarm Resolution: Check if the configuration change is expected.

Alarm Name: CRL Retrieval Failed
Alarm Description: Unable to retrieve CRL from the server. This could occur if the specified CRL is unavailable.
Alarm Resolution: Ensure that the download URL is correct and is available for the service.

Alarm Name: DNS Resolution Failure
Alarm Description: DNS resolution failed on the node.
Alarm Resolution: Check if the DNS server configured by the command ip name-server is reachable. If you get the alarm as 'DNS Resolution failed for CNAME', then ensure that you create CNAME RR along with the A record for each Cisco ISE node.
Alarm Name: Firmware Update Required
Alarm Description: A firmware update is required on this host.
Alarm Resolution: Contact Cisco Technical Assistance Center to obtain a firmware update.

Alarm Name: Insufficient Virtual Machine Resources
Alarm Description: Virtual Machine (VM) resources such as CPU, RAM, Disk Space, or IOPS are insufficient on this host.
Alarm Resolution: Ensure that the host meets the minimum requirements for the VM host, as specified in the Cisco ISE Hardware Installation Guide.

Alarm Name: NTP Service Failure
Alarm Description: The NTP service is down on this node.
Alarm Resolution: This could be because there is a large time difference between NTP server and Cisco ISE node (more than 1000s). Ensure that your NTP server is working properly and use the ntp server CLI command to restart the NTP service and fix the time gap.

Alarm Name: NTP Sync Failure
Alarm Description: All the NTP servers configured on this node are unreachable.
Alarm Resolution: Execute the show ntp command from the CLI for troubleshooting. Ensure that the NTP servers are reachable from Cisco ISE. If NTP authentication is configured, ensure that the key ID and value match those of the server.

Alarm Name: No Configuration Backup Scheduled
Alarm Description: No Cisco ISE configuration backup is scheduled.
Alarm Resolution: Create a schedule for configuration backup.

Alarm Name: Operations DB Purge Failed
Alarm Description: Unable to purge older data from the operations database. This could occur if M&T nodes are busy.
Alarm Resolution: Check the Data Purging Audit report and ensure that the used_space is less than the threshold_space. Log in to M&T nodes using CLI and perform the purge operation manually.

Alarm Name: Profiler SNMP Request Failure
Alarm Description: Either the SNMP request timed out or the SNMP community or user authentication data is incorrect.
Alarm Resolution: Ensure that SNMP is running on the NAD and verify that SNMP configuration on Cisco ISE matches with NAD.

Alarm Name: Replication Failed
Alarm Description: The secondary node failed to consume the replicated message.
Alarm Resolution: Log in to the Cisco ISE GUI and perform a manual syncup from the deployment page. De-register and register back the affected Cisco ISE node.
Alarm Name: Restore Failed
Alarm Description: Cisco ISE restore operation failed.
Alarm Resolution: Ensure the network connectivity between Cisco ISE and the repository. Ensure that the credentials used for the repository are correct. Ensure that the backup file is not corrupted. Execute the reset-config command from the CLI and restore the last known good backup.

Alarm Name: Patch Failure
Alarm Description: A patch process has failed on the server.
Alarm Resolution: Re-install the patch process on the server.

Alarm Name: Patch Success
Alarm Description: A patch process has succeeded on the server.
Alarm Resolution: -

Alarm Name: External MDM Server API Version Mismatch
Alarm Description: External MDM server API version does not match with what is configured in Cisco ISE.
Alarm Resolution: Ensure that the MDM server API version is the same as what is configured in Cisco ISE. Update Cisco ISE MDM server configuration if needed.

Alarm Name: External MDM Server Connection Failure
Alarm Description: Connection to the external MDM server failed.
Alarm Resolution: Ensure that the MDM server is up and Cisco ISE-MDM API service is running on the MDM server.

Alarm Name: External MDM Server Response Error
Alarm Description: External MDM Server response error.
Alarm Resolution: Ensure that the Cisco ISE-MDM API service is properly running on the MDM server.

Alarm Name: Replication Stopped
Alarm Description: ISE node could not replicate configuration data from the PAN.
Alarm Resolution: Log in to the Cisco ISE GUI to perform a manual syncup from the deployment page or de-register and register back the affected ISE node with required field.

Alarm Name: Endpoint certificates expired
Alarm Description: Endpoint certificates were marked expired by daily scheduled job.
Alarm Resolution: Please re-enroll the endpoint device to get a new endpoint certificate.

Alarm Name: Endpoint certificates purged
Alarm Description: Expired endpoint certificates were purged by daily scheduled job.
Alarm Resolution: No action needed - this was an administrator-initiated cleanup operation.

Alarm Name: Endpoints Purge Activities
Alarm Description: Purge activities on endpoints for the past 24 hours. This alarm is triggered at mid-night.
Alarm Resolution: Review the purge activities under Operations > Reports > Endpoints and Users > Endpoint Purge Activities

Alarm Name: Slow Replication Error
Alarm Description: Slow or a stuck replication is detected.
Alarm Resolution: Please verify that the node is reachable and part of the deployment.