Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2223
Views
10
Helpful
1
Replies

MnT Node not receiving logs from PSN

Go to solution
GRANT3779
Spotlight
Spotlight

‎01-17-2022 08:36 AM

Hi CSC,

 

I have a 2 Node deployment -

 

Node A - Admin (Pri) MnT (Sec), PSN

Node B - Admin (Sec) MnT (Pri), PSN

 

When using Node A for TACACs - all logs visible within ISE

When using Node B for TACACs - Authentication etc.. is all good but logs are not being sent to the primary MnT node.

 

Using self signed certificates for messaging service. Does each node require the others Messaging Service Certificate to be exported and installed to each other?

 

I'm assuming it is indeed the messaging service responsible for this logging element that isn't working?

 

Also have the following checked -

 

"Use "ISE Messaging Service" for UDP Syslogs delivery to MnT"

 

Thanks

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎01-22-2022 12:07 PM

Yes, each ISE node needs to trust the others so the other nodes' self-signed certificate(s) and must be in the other node's Trusted Certificates store.  This is one of the many reasons why you should never use self-signed certificates in a production deployment. When you joined the Secondary node to the primary, you had to accept the following ⚠ Warning:

The node you are trying to register uses a self-signed certificate which is not trusted.
Are you sure you want to trust this certificate and proceed with registration?
If you are unsure, please click 'Cancel Registration'. Manually import relevant certificate chain of Node that is being registered into 'Trusted Certificates' and ensure 'Trust within ISE' checkbox is selected.
Please note that this certificate will by default be trusted only for authentication within ISE. If the same certificate needs to be used for other purposes (e.g. client authentication and syslog), please enable those options by editing the certificate under the 'Trusted Certificates' page.

 

Additionally, I don't know what your datacenter colocation or distribution setup is but in the ISE Admin Guide, Syslog over Cisco ISE Messaging Service provides guidance for which ports are used to communicate :

Syslog over Cisco ISE Messaging Service

Cisco ISE, Release 2.6, offers MnT WAN survivability for the default, built-in UDP syslog collection targets, LogCollector and LogCollector2. This survivability can be enabled by the option Use "ISE Messaging Service" for UDP Syslogs delivery to MnT (In the Cisco ISE GUI, click the Menu icon (𑁔) and choose System > Logging > Log Settings). After you enable this option, the UDP syslogs are protected by Transport Layer Security (TLS).

The Use "ISE Messaging Service" for UDP Syslogs delivery to MnT option is disabled by default in Cisco ISE, Release 2.6, First Customer Ship (FCS). This option is enabled by default in Cisco ISE, Release 2.6, Cumulative Patch 2 and later releases.

Using the Cisco ISE messaging service for UDP syslogs retains the operational data for a finite duration even when the MnT node is unreachable. The MnT WAN survivability period is approximately 2 hours and 30 mins.

This service uses TCP port 8671. Configure your network accordingly and allow the connections to TCP port 8671 on each Cisco ISE node from all other Cisco ISE nodes in the deployment. The following features also use Cisco ISE messaging service: Light Session Directory (see the section "Light Session Directory" in Chapter "Set Up Cisco ISE in a Distributed Environment" in the Cisco Identity Service Engine Administrator Guide , and Profiler Persistence Queue. .

You may also refer to the Cisco ISE Ports Reference for other required ports.

View solution in original post

1 Reply 1

Go to solution
thomas
Cisco Employee
Cisco Employee

‎01-22-2022 12:07 PM

Yes, each ISE node needs to trust the others so the other nodes' self-signed certificate(s) and must be in the other node's Trusted Certificates store.  This is one of the many reasons why you should never use self-signed certificates in a production deployment. When you joined the Secondary node to the primary, you had to accept the following ⚠ Warning:

The node you are trying to register uses a self-signed certificate which is not trusted.
Are you sure you want to trust this certificate and proceed with registration?
If you are unsure, please click 'Cancel Registration'. Manually import relevant certificate chain of Node that is being registered into 'Trusted Certificates' and ensure 'Trust within ISE' checkbox is selected.
Please note that this certificate will by default be trusted only for authentication within ISE. If the same certificate needs to be used for other purposes (e.g. client authentication and syslog), please enable those options by editing the certificate under the 'Trusted Certificates' page.

 

Additionally, I don't know what your datacenter colocation or distribution setup is but in the ISE Admin Guide, Syslog over Cisco ISE Messaging Service provides guidance for which ports are used to communicate :

Syslog over Cisco ISE Messaging Service

Cisco ISE, Release 2.6, offers MnT WAN survivability for the default, built-in UDP syslog collection targets, LogCollector and LogCollector2. This survivability can be enabled by the option Use "ISE Messaging Service" for UDP Syslogs delivery to MnT (In the Cisco ISE GUI, click the Menu icon (𑁔) and choose System > Logging > Log Settings). After you enable this option, the UDP syslogs are protected by Transport Layer Security (TLS).

The Use "ISE Messaging Service" for UDP Syslogs delivery to MnT option is disabled by default in Cisco ISE, Release 2.6, First Customer Ship (FCS). This option is enabled by default in Cisco ISE, Release 2.6, Cumulative Patch 2 and later releases.

Using the Cisco ISE messaging service for UDP syslogs retains the operational data for a finite duration even when the MnT node is unreachable. The MnT WAN survivability period is approximately 2 hours and 30 mins.

This service uses TCP port 8671. Configure your network accordingly and allow the connections to TCP port 8671 on each Cisco ISE node from all other Cisco ISE nodes in the deployment. The following features also use Cisco ISE messaging service: Light Session Directory (see the section "Light Session Directory" in Chapter "Set Up Cisco ISE in a Distributed Environment" in the Cisco Identity Service Engine Administrator Guide , and Profiler Persistence Queue. .

You may also refer to the Cisco ISE Ports Reference for other required ports.

Customers Also Viewed These Support Documents