Cisco Cisco Identity Services Engine 1.3
ISE Log File - Example
Given below is an example of the ISE log file that can be used for troubleshooting.
Thu Mar 12 20:41:29 2015 Info: Begin Logfile
Thu Mar 12 20:41:30 2015 Info: ISEService: Successfully loaded configuration from: /data/ise/ise_service.ini
Thu Mar 12 20:41:30 2015 Info: ISEService: RPC Server Socket :/tmp/ise_fastrpc.sock
Thu Mar 12 20:41:30 2015 Info: RPCServer: Starting at: /tmp/ise_fastrpc.sock
Thu Mar 12 20:41:30 2015 Info: ISEService: Running
Thu Mar 12 20:41:30 2015 Info: ISEDynamicConfigThread: Started Server..
Thu Mar 12 20:41:30 2015 Info: ISEService: Sending ready signal...
Thu Mar 12 20:41:31 2015 Info: ISEBulkDownloader: Downloaded 12 SGTs in 0.162157773972 seconds
Thu Mar 12 20:41:32 2015 Info: ISEBulkDownloader: Downloaded 0 sessions in 0.316617965698 seconds
Thu Mar 12 20:41:30 2015 Info: ISEService: Successfully loaded configuration from: /data/ise/ise_service.ini
Thu Mar 12 20:41:30 2015 Info: ISEService: RPC Server Socket :/tmp/ise_fastrpc.sock
Thu Mar 12 20:41:30 2015 Info: RPCServer: Starting at: /tmp/ise_fastrpc.sock
Thu Mar 12 20:41:30 2015 Info: ISEService: Running
Thu Mar 12 20:41:30 2015 Info: ISEDynamicConfigThread: Started Server..
Thu Mar 12 20:41:30 2015 Info: ISEService: Sending ready signal...
Thu Mar 12 20:41:31 2015 Info: ISEBulkDownloader: Downloaded 12 SGTs in 0.162157773972 seconds
Thu Mar 12 20:41:32 2015 Info: ISEBulkDownloader: Downloaded 0 sessions in 0.316617965698 seconds
Troubleshoot ISE-WSA Integration Issues - ISE Server Connectivity
This section describes problems that you may encounter while integrating ISE with WSA.
• Network Problem: You may encounter connectivity issues with the configured ISE server ports. For example, you may encounter
Firewall issues with Port 5222. You can debug the network problem by using telnet and tcpdump commands.
• Certificate Problems:
You may encounter an issue if
Certificate
• The Admin or pxGrid certificate root CA is not present
in the WSA.
• The root CA that signed the WSA client certificate is not
present in the ISE Trusted Certificates Store.
CA signed
• The WSA client certificate is not present in the ISE
Trusted Certificates Store.
• The ISE Admin or pxGrid certificate is not present in the
WSA.
Self-signed
• Certificates that were valid during upload have expired
on the current date.
All
• Identity Mapping Query Problems: You may encounter a problem in:
• Downloading SGTs from the ISE server, despite the successful SSL handshake on Port 443. You should debug the problem
on the ISE server.
• WSA denying access to a user who is authenticated by ISE. Use the isedata cache and isedata statistics commands.
• Packet Capture: You can capture and display TCP/IP and other packets being transmitted or received over the network to which
the appliance is attached. Refer to the Packet Capture page in the
• Policy Trace: Refer to the Tracing Client Requests page in the
18