ise troubleshoot

Download ISE Troubleshoot

Post on 23-Dec-2015

101 views

Category:

Documents

3 download

Embed Size (px)

DESCRIPTION

ISE Troubleshoot

TRANSCRIPT

  • F I NAL REV IEW D RAFTCI SCO CON F IDENT IAL

    C-1Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

    OL-22972-01

    A P P E N D I X CTroubleshooting Cisco ISE

    This appendix addresses several categories of troubleshooting information related to identifying and resolving problems you may experience using Cisco ISE.

    Installation and Network Connection Issues, page C-2

    Licensing and Administrator Access, page C-12

    Configuration and Operation (Including High Availability), page C-13

    External Authentication Sources, page C-16

    Client Access, Authentication, and Authorization, page C-21

    Error Messages, page C-34

    Troubleshooting APIs, page C-38

    Contacting the Cisco Technical Assistance Center, page C-38

  • F I NAL REV IEW D RAFTCI SCO CON F IDENT IAL

    C-2Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

    OL-22972-01

    Appendix C Troubleshooting Cisco ISEInstallation and Network Connection Issues

    Installation and Network Connection IssuesIf you believe you are experiencing hardware-related complications, first verify the following on all of your deployed Cisco ISE nodes:

    The external power cable is connected, and the proper power source is being applied.

    The external cables connecting the appliance to the network are all secure and in good order.

    The appliance fan and blower are operating.

    Inadequate ventilation, blocked air circulation, excessive dust or dirt, fan failures, or any environmental conditions that might affect the power or cooling systems.

    The appliance software boots successfully.

    The adapter cards (if installed) are properly installed in their slots, and each card initializes (and is enabled by the appliance software) without problems. Check status LEDs on the adapter card that can aid you identifying a potential problem.

    For more information on Cisco ISE hardware installation and operational troubleshooting, including power and cooling requirements and LED behavior, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.

    Tip For issues regarding potential Network Access Device (NAD) configuration issues including AAA, RADIUS, Profiler, and Web Authentication, you can perform a number of validation analyses using Cisco ISEs Monitor > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator options.

    Current Installation and Network Connection Troubleshooting Topics Unknown Network Device, page C-3

    No Default ACL, page C-3

    Bad SNMP Community String, page C-4

    Change of Authorization Misconfigured, page C-5

    No VLANs, page C-6

    No IP HTTP Server/Secure Server, page C-7

    No IP DHCP Snooping, page C-7

    No IP Device Tracking, page C-8

    No RADIUS-Server VSA Send Accounting, page C-9

    Cisco ISE Deployed as Inline Posture Node Not Passing Traffic, page C-9

    Registered Nodes in Cisco ISE Managed List Following Stand-Alone Reinstallation, page C-10

    Primary and Secondary Inline Posture Nodes Heartbeat Link Not Working, page C-10

    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_ig.htmlhttp://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_ig.html

  • F I NAL REV IEW D RAFTCI SCO CON F IDENT IAL

    C-3Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

    OL-22972-01

    Appendix C Troubleshooting Cisco ISEInstallation and Network Connection Issues

    Unknown Network DeviceStill requires TME input

    No Default ACLStill requires TME input

    Symptoms/Issue What are the common errors/obstacles the user encounters? Tests user can perform to see if they are experiencing a common issue?

    Conditions Click the magnifying glass icon in Livelog to display the steps in the Authentication Report. The logs display the following error message:

    11007 Could not locate Network Device or AAA Client ResolutionPossible Causes The administrator did not correctly configure the Network Access Device (NAD)

    type in Cisco ISE.Resolution Add the Network Access Device in Cisco ISE.

    Symptoms/Issue What are the common errors/obstacles the user encounters? Tests user can perform to see if they are experiencing a common issue?

    Conditions Click on Livelog's magnifying glass to launch the Authentication Details. The session event section of the authentication report should have the following lines

    %AUTHMGR-5-FAIL: Authorization failed for client (001b.a912.3782) on Interface Gi0/3 AuditSessionID 0A000A760000008D4C69994E

    %EPM-4-POLICY_APP_FAILURE REASON Interface ACL not configured Possible Causes No default ACL is configured for the port in questionResolution You can go through the troubleshooting workflow for the authentication, which

    compares the Cisco ISE configuration with authentication responses for the ACL that RADIUS sends back to the switch, and compare them to the switch message database. (This process includes looking at sh ip access-lists, show run, and check ip access-group of the port.)

    For example, you could see the following Logging Configuration (global) details:

    Mandatory Expected Configuration Found On Device

    logging monitor informational Missing

    logging origin-id ip Missing

    logging source-interface Missing

    logging transport udp port 20514 Missing

    Note Note: Ensure the network device is sending syslog messages to the Monitoring and Troubleshooting server port 20514.

  • F I NAL REV IEW D RAFTCI SCO CON F IDENT IAL

    C-4Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

    OL-22972-01

    Appendix C Troubleshooting Cisco ISEInstallation and Network Connection Issues

    Note Missing ip access-config is one of the checks done by the NAD config validator (which checks readiness for NPF1.x-SAS) that users can run to check NAD config.

    Bad SNMP Community StringStill requires TME input

    Symptoms/Issue What are the common errors/obstacles the user encounters? Tests user can perform to see if they are experiencing a common issue?

    Conditions (This needs input from Inline Posture team to indicate impact to Inline Posture and what is indicate on Monitoring persona)

    Cisco ISE checks the monitoring and troubleshooting configuration validator workflow for this potential situation. Go to Monitoring > Troubleshooting > General Tools > Profiler Configuration (global) details where you may see the following:

    Mandatory Expected Configuration Found On Device

    snmp-server community -- RO snmp-server community profiler RO

    snmp-server community -- RW snmp-server community public RW

    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart -- snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

    snmp-server host public -- Missing

    snmp-server host public mac-notification snmp -- Missing

    mac address-table notification change -- mac address-table notification change

    mac address-table notification change interval 0 -- Missing Possible Causes There could be an SNMP community string mismatch between Cisco ISE and the

    remote node.Resolution One or more answers to the problem that the user should try to

    help solve it.

  • F I NAL REV IEW D RAFTCI SCO CON F IDENT IAL

    C-5Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

    OL-22972-01

    Appendix C Troubleshooting Cisco ISEInstallation and Network Connection Issues

    Change of Authorization MisconfiguredStill requires TME input

    Symptoms/Issue What are the common errors/obstacles the user encounters? Tests user can perform to see if they are experiencing a common issue?

    Conditions Cisco ISE uses port 1799 for communicating RADIUS Change of Authorization (CoA) requests to supported network devices.

    aaa server radius dynamic-author

    port 3799

    server-key cisco123

    Engineering: Does ISE require port 1700 or 3799 for CoA? Is it configurable?

    This scenario needs to be checked by the Monitoring and Troubleshooting configuration validator for the specific information indicated above.

    Possible Causes The remote node may be missing the commands, have the wrong port (1799 vs. 3900) or have the wrong/mistyped key.

    Resolution One or more answers to the problem that the user should try to help solve it.

  • F I NAL REV IEW D RAFTCI SCO CON F IDENT IAL

    C-6Cisco Identity Services Engine User Guide, Release 1.0-FINAL REVIEW

    OL-22972-01

    Appendix C Troubleshooting Cisco ISEInstallation and Network Connection Issues

    No VLANsStill requires TME input

    Symptoms/Issue What are the common errors/obstacles the user encounters? Tests user can perform to see if they are experiencing a common issue?

    Conditions Click on the magnifying glass icon in Livelog to launch the Authentication Details. The session event section of the authentication report should have the following lines:

    %AUTHMGR-5-FAIL: Authorization failed for client (001b.a912.3782) on Interface Gi0/3 AuditSessionID 0A000A760000008D4C69994E

    %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN 666 to 802.1x port FastEthernet1/9

    You can also run the troubleshooting workflow for the authentication, which compares the ISE config and authentication log for the ACL that RADIUS responses to the switch with the switch message database. Logging Configuration (global) details may be displayed:

    Mandatory Expected Configuration Found On Device

    logging monitor informational Mi