Troubleshoot the ISE/ISE-PIC or Cisco TrustSec Issues

Troubleshoot Cisco TrustSec issues

A device interface can be configured to propagate Security Group Tags (SGTs) either from ISE/ISE-PIC or from a Cisco device on the network (referred to as Cisco TrustSec). On the device management page (Devices > Device Management), the Propagate Security Group Tag check box for an interface is checked after a device reboot. If you do not want the interface to propagate TrustSec data, uncheck the box after the reboot; otherwise the interface resumes propagating SGTs.

Troubleshoot ISE/ISE-PIC issues

For other related troubleshooting information, see Troubleshoot Realms and User Downloads and Troubleshoot User Control.

If you experience issues with the ISE or ISE-PIC connection, check the following:

  • The pxGrid Identity Mapping feature in ISE must be enabled before you can successfully integrate ISE with the system.

  • When the primary server fails, you must manually promote the secondary to primary; there is no automatic failover.

  • Before a connection between the ISE server and the CDO succeeds, you must manually approve the clients in ISE. (Typically, there are two clients: one for the connection test and another for the ISE agent.)

    You can also enable Automatically approve new accounts in ISE as discussed in the chapter on Managing users and external identity sources in the Cisco Identity Services Engine Administrator Guide.

  • The FMC Server Certificate (the certificate the system presents to ISE) must either include the clientAuth extended key usage (EKU) value or include no EKU values at all. A certificate that carries an EKU list without clientAuth is rejected by ISE.

  • The time on your ISE server must be synchronized with the time on the Cisco Defense Orchestrator. If the two are not synchronized, the system may time out user sessions at unexpected intervals.

  • If your deployment includes a primary and a secondary pxGrid node,

    • The certificates for both nodes must be signed by the same certificate authority.

    • The ports associated with each node's host name must be reachable from both the ISE server and the CDO.

  • If your deployment includes a primary and a secondary MNT node, the certificates for both nodes must be signed by the same certificate authority.

To exclude subnets from receiving user-to-IP and Security Group Tag (SGT)-to-IP mappings from ISE, use the configure identity-subnet-filter {add | remove} command on the managed device. You should typically do this for lower-memory managed devices to prevent Snort identity health monitor memory errors; mappings for addresses inside an excluded subnet are dropped rather than stored.

If you experience issues with user data reported by ISE or ISE-PIC, note the following:

  • After the system detects activity from an ISE user whose data is not yet in the database, the system retrieves information about that user from the server. Until the user download succeeds, activity from that user is not matched by user-based access control rules and is not displayed in the web interface.

  • You cannot perform user control on ISE users who were authenticated by an LDAP, RADIUS, or RSA domain controller.

  • The CDO does not receive user data for ISE Guest Services users.

  • If ISE monitors the same users as TS Agent, the CDO prioritizes the TS Agent data. If the TS Agent and ISE report identical activity from the same IP address, only the TS Agent data is logged to the CDO.

  • Your ISE version and configuration impact how you can use ISE in the system. For more information, see The ISE/ISE-PIC Identity Source.

  • If you have CDO high availability configured and the primary fails, see the section on ISE and High Availability in ISE/ISE-PIC Guidelines and Limitations.

  • ISE-PIC does not provide ISE attribute data.

  • ISE-PIC cannot perform ISE ANC remediations.

  • Active FTP sessions are displayed as the Unknown user in events. This is normal because, in active FTP, the server (not the client) initiates the data connection, and the FTP server should not have an associated user name. For more information about active FTP, see RFC 959.
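The two rules above that decide which identity mappings the system keeps (the identity-subnet-filter exclusion from the earlier paragraph, and TS Agent taking precedence over ISE when both report the same IP address) are easiest to reason about as a small filtering pass over incoming mappings. The following is an added, illustrative model written for this page; it is not CDO, ISE, or Snort code, and the record fields, source labels, sample mappings and the excluded subnet are all constructed assumptions.

```python
"""Illustrative model of two identity-mapping rules described on this page:
1. mappings for addresses inside an excluded subnet are dropped
   (the effect of `configure identity-subnet-filter add <subnet>`), and
2. when TS Agent and ISE report the same IP address, only the TS Agent
   mapping is kept.
This is an added example, not the product's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IdentityMapping:
    source: str            # constructed labels: "ISE" or "TS Agent"
    ip: str                # endpoint address the mapping applies to
    user: str
    sgt: Optional[int] = None  # SGT-to-IP mapping only exists for ISE data


def apply_subnet_filter(mappings: Iterable[IdentityMapping],
                        excluded_cidrs: Iterable[str]) -> List[IdentityMapping]:
    """Drop every mapping whose IP falls inside one of the excluded subnets."""
    nets = [ip_network(c, strict=False) for c in excluded_cidrs]
    kept = []
    for m in mappings:
        addr = ip_address(m.ip)
        if any(addr in n for n in nets):
            continue  # excluded subnet: neither user nor SGT mapping is stored
        kept.append(m)
    return kept


def merge_sources(mappings: Iterable[IdentityMapping]) -> List[IdentityMapping]:
    """Keep one mapping per IP. A TS Agent record is never overwritten by an
    ISE record for the same IP; any other newer record replaces the older one."""
    by_ip = {}
    for m in mappings:
        current = by_ip.get(m.ip)
        if current is None or current.source != "TS Agent" or m.source == "TS Agent":
            by_ip[m.ip] = m
    return list(by_ip.values())


# Constructed sample input: one ISE mapping inside the excluded subnet, and
# one IP reported by both ISE and TS Agent.
SAMPLE_MAPPINGS = [
    IdentityMapping("ISE", "10.1.20.15", "alice", sgt=10),
    IdentityMapping("ISE", "10.9.0.7", "bob", sgt=20),       # in 10.9.0.0/16
    IdentityMapping("TS Agent", "10.1.20.15", "alice"),      # same IP as ISE record
    IdentityMapping("ISE", "10.1.30.40", "carol", sgt=10),
]
EXCLUDED_SUBNETS = ["10.9.0.0/16"]  # assumed value of identity-subnet-filter


def process(mappings=SAMPLE_MAPPINGS, excluded=EXCLUDED_SUBNETS) -> List[IdentityMapping]:
    """Subnet filter first, then source precedence; returns the stored mappings."""
    return merge_sources(apply_subnet_filter(mappings, excluded))


if __name__ == "__main__":
    for m in process():
        print(f"{m.ip:<12} {m.user:<6} source={m.source} sgt={m.sgt}")
```

Running the block prints two stored mappings: 10.1.20.15 attributed to alice from TS Agent (the ISE record for the same IP is dropped, along with its SGT), and 10.1.30.40 for carol from ISE; bob's mapping never reaches storage because 10.9.0.7 is inside the excluded subnet. Note the order-independence of the precedence rule: a TS Agent record that arrives before the ISE record for the same IP is also retained.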

If you experience issues with supported functionality, see The ISE/ISE-PIC Identity Source for more information about version compatibility.