THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 16-Feb-22 | Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | Identity Services Engine System Software | 2 | 2.7.0 | For 2.7.X, all patches up to and including patch 6 |
NON-IOS | Identity Services Engine System Software | 3 | 3.0.0, 3.1.0 | For 3.0.X, all patches up to and including patch 4; for 3.1.X, up to and including patch 1 |
Defect ID | Headline |
---|---|
CSCwa17718 | Session service unavailable for PxGrid Session Directory with dedicated MNT |
Cisco Identity Services Engine (ISE) pxGrid services might fail when the "Dedicated MnT" setting is enabled on Monitoring and Troubleshooting (MnT) nodes.
This issue occurs when the pxGrid feature is enabled, and one or both Monitoring nodes in the deployment are configured as Dedicated MnT nodes.
An example of the pxGrid feature enabled is shown in this image:
An example of a Monitoring node configured as Dedicated MnT is shown in this image:
Dedicated MnT is a configuration option that is used to improve the performance of the MnT node by replicating only the configuration data vital to the MnT operation. For the affected ISE software releases, the pxGrid configuration data is not replicated when Dedicated MnT is enabled, which results in pxGrid integration failures.
When pxGrid clients (for example, Cisco Firewall Management Center, Secure Network Analytics, and so on) attempt to integrate with ISE, the integration might fail. Failure messages might be displayed on the client devices.
On the ISE management user interface, error messages might be seen in the "pxgrid-server.log" file of the MnT nodes.
For ISE Release 2.7, the "pxgrid-server.log" file can be downloaded under Operations > Troubleshoot > Download Logs > Debug Logs.
For ISE Releases 3.0 and later, the "pxgrid-server.log" file can be downloaded under Operations > Troubleshoot > Download Logs > Debug Logs.
In ISE Release 2.7, the error message will appear as:
cpm.pxgrid.ws.client.ServiceManager -:::::- Register failed for <pxGrid service name>, will retry
In ISE Releases 3.0 and later, the error message will appear as:
cpm.pxgrid.ws.client.ServiceManager -:::::- Register failed, will retry
Here is an example log message on Secure Network Analytics:
Connection Status:Failed
Service com.cisco.ise.session cannot be found on this ISE cluster
Note: The error messages are not the only indications for this issue and the pxGrid integration might fail without the error messages present in the log files.
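The following script is an added example, not part of the Cisco field notice or any Cisco tool. It scans lines from a downloaded "pxgrid-server.log" for both forms of the "Register failed" message quoted above and counts them per service. The sample lines are constructed, their timestamp and level prefix is an assumed layout, and the function and constant names are hypothetical.

```python
import re
from collections import Counter

# Signature quoted in the field notice. ISE 2.7 names the pxGrid service;
# ISE 3.0 and later log the same message without a service name.
REGISTER_FAILED = re.compile(
    r"cpm\.pxgrid\.ws\.client\.ServiceManager -:::::- "
    r"Register failed(?: for (?P<service>.+?))?, will retry"
)
UNNAMED = "(no service name, 3.0+ form)"

def scan_pxgrid_log(lines):
    """Summarise 'Register failed' entries found in pxgrid-server.log lines."""
    by_service = Counter()
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REGISTER_FAILED.search(line)
        if match:
            by_service[match.group("service") or UNNAMED] += 1
            hits.append(number)
    return {
        "total": len(hits),
        "by_service": dict(by_service),
        "first_line": hits[0] if hits else None,
        "last_line": hits[-1] if hits else None,
    }

# Constructed sample lines. The prefix before "cpm.pxgrid..." is an assumed
# layout; only the message text from the notice is matched.
SAMPLE_LOG = """\
2022-02-10 09:14:02,113 INFO  [main][] constructed.unrelated.Logger -:::::- unrelated entry
2022-02-10 09:14:07,245 ERROR [Thread-12][] cpm.pxgrid.ws.client.ServiceManager -:::::- Register failed for com.cisco.ise.session, will retry
2022-02-10 09:14:37,251 ERROR [Thread-12][] cpm.pxgrid.ws.client.ServiceManager -:::::- Register failed for com.cisco.ise.session, will retry
2022-02-10 09:15:07,260 ERROR [Thread-12][] cpm.pxgrid.ws.client.ServiceManager -:::::- Register failed, will retry
""".splitlines()

if __name__ == "__main__":
    import sys
    # Pass the path of a downloaded pxgrid-server.log, or run with no
    # argument to scan the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            report = scan_pxgrid_log(handle)
    else:
        report = scan_pxgrid_log(SAMPLE_LOG)
    print(report)
```

A total of zero does not rule out the issue, because the notice states that the integration might fail without these messages in the log.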
After the Monitoring nodes are configured as Dedicated MnT, pxGrid integration will fail for new clients that attempt to connect and for any existing clients that are disconnected and attempt to reconnect. pxGrid clients that were successfully integrated and had established a connection with ISE before the Monitoring node was configured as a Dedicated MnT node will continue to work without any issues.
Solution
In order to resolve this issue, upgrade the ISE system software to ISE Release 3.0 Patch 5 or later. For ISE Release 2.7 and ISE Release 3.1, no fix is currently available and the workaround must be used to resolve this issue.
Workaround
If an upgrade to a fixed release is not an option, uncheck the Dedicated MnT check box in the Monitoring persona.
When Dedicated MnT is disabled and the changes are saved, a full sync will be triggered and will restart all ISE services. Once the ISE services are up and running, pxGrid integration failures due to this issue will no longer occur. The workaround mentioned is applicable for all ISE Releases 2.7 and later.
The node status will show the completion of the sync process.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: