How to run URT bundle on ISE

The URT bundle can be used to check whether the upgrade will be successful or not. We can fix the errors it reports and then schedule a window to upgrade the ISE.

Step 1> Create a repository on the ISE node

Step 2> Download the URT bundle from ISE.

Step 3> Upload the URT bundle on repository.

Step 4> Run the URT bundle on secondary node or on standalone node.

application install <URT file name> <repository name>

If for some reason the URT fails, it will create a file. Share that file with TAC for further troubleshooting.


Send ACL logs to syslog in ASA

To log the traffic allowed by an ACL on the ASA to a syslog server, do the following.

Step 1> Create the ACL and add the log keyword to the ACL entry:

access-list vlan3-5 extended permit ip host 10.5.3.189 host 10.5.5.189 log debugging

Here I have used “log debugging”; you can use whichever level suits your requirement.

Step 2> Configure ASA to send the logs to syslog server:

logging enable
logging timestamp
logging list syslogmsg message 106100
logging list syslogmsg message 302013
logging list syslogmsg message 302014
logging list syslogmsg message 302020
logging list syslogmsg message 302021
logging trap syslogmsg
logging host vlan3 10.3.3.247

Syslog message IDs for reference:

302020 Built inbound ICMP
302021 Tear down ICMP
302013 Built inbound TCP
302014 Tear down TCP
302015 Built inbound UDP
302016 Tear down UDP

710003 TCP denied by ACL
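
An added example, not part of the original post: a small Python parser for the 106100 messages that the log keyword on the ACL entry generates, totalling hits per flow on the syslog server side. The sample lines are constructed; the interface name vlan5, the ports and the hash codes are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines, not captured from a device. The ACL name, addresses
# and interface vlan3 are from the post; vlan5, ports and hash codes are made up.
# Severity 7 in %ASA-7-106100 corresponds to "log debugging" on the ACL entry.
SAMPLE_LINES = [
    "Sep 20 2018 23:18:16: %ASA-7-106100: access-list vlan3-5 permitted tcp "
    "vlan3/10.5.3.189(51234) -> vlan5/10.5.5.189(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Sep 20 2018 23:18:16: %ASA-6-302013: Built inbound TCP connection 4101 for "
    "vlan3:10.5.3.189/51234 (10.5.3.189/51234) to vlan5:10.5.5.189/443 (10.5.5.189/443)",
    "Sep 20 2018 23:23:16: %ASA-7-106100: access-list vlan3-5 permitted tcp "
    "vlan3/10.5.3.189(51234) -> vlan5/10.5.5.189(443) hit-cnt 7 300-second interval [0x1a2b3c4d, 0x0]",
    # For ICMP the two parenthesised numbers are the ICMP type and code, not ports.
    "Sep 20 2018 23:18:20: %ASA-7-106100: access-list vlan3-5 permitted icmp "
    "vlan3/10.5.3.189(8) -> vlan5/10.5.5.189(0) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
]

# 106100 is the message produced by the "log" keyword on an ACL entry.
ACL_HIT = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

def parse_acl_hit(line):
    """Return the fields of a 106100 message as a dict, or None for other messages."""
    m = ACL_HIT.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sev", "src_port", "dst_port", "hits"):
        rec[key] = int(rec[key])
    return rec

def hits_per_flow(lines):
    """Total hit-cnt per (acl, action, proto, src_ip, dst_ip, dst_port)."""
    totals = Counter()
    for rec in filter(None, map(parse_acl_hit, lines)):
        flow = (rec["acl"], rec["action"], rec["proto"],
                rec["src_ip"], rec["dst_ip"], rec["dst_port"])
        totals[flow] += rec["hits"]
    return totals

if __name__ == "__main__":
    for flow, hits in hits_per_flow(SAMPLE_LINES).items():
        print(hits, *flow)
```

The 3020xx connection messages are skipped by the parser, so the totals reflect only ACL hits.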


Shell Script basics

Special variable

Let's say you have a script “script.sh” and you run it as “./script.sh par1 par2”.

Following is the content of script.sh. Here $0, $1 and $2 are special variables.

echo $0
echo $1
echo $2

Output of the script:

./script.sh
par1
par2

Print date in shell script:

date +%Y_%m_%d_%H%M%S
2018_09_20_231816

How to in MAC book

In the Windows operating system you can log the PuTTY session. To do the same on a Mac, do the following:

Step 1> Open terminal and go to preferences:


Step 2> Add following in run command under profile:

FORMATTED_DATE=`/bin/date "+%Y-%m-%d%H%M%S"`;/usr/bin/script ~/Desktop/Logs/Terminal/terminal_$FORMATTED_DATE.log


Enable or disable debug on CISCO ISE (Identity service engine)

This post demonstrates how to enable or disable debug on CISCO ISE.

Disable all debug of a node:

Go to Administration > System > Logging > Debug Log configuration > Select the node and then click on Reset to default

The following screenshot is for a standalone node; however, the procedure will be the same for nodes in a deployment.


Disable individual debug of a node.

Go to Administration > System > Logging > Debug Log configuration > Select the node and then click on the name of the node


Once you click on the name of the node you will get the following page. Now select the component for which you want to disable the debug and then click on Reset to default.


Enable debug for a component:

Go to Administration > System > Logging > Debug Log configuration > Select the node and then click on the name of the node


Find out the component for which you have to enable debug. Now double click on below highlighted


Select the log level which you want to set and then click on save.


Create repository on CISCO ISE

A repository can be used to install patches, upgrade ISE, restore backups, and export backups and logs. A repository can be created from the GUI or from the CLI. A repository created from the CLI will be removed after reloading ISE.

To configure a repository, go to Administration > System > Maintenance > Repository


Click on Add. You can use any of the protocols highlighted below. If you use DISK, the backup will be stored locally on the ISE disk.


Give the repository a name and specify the IP address of the server. In the path you can specify “/”.
“/” means the home folder of the FTP server. Specify the username and password.


To check whether the repository is working, run the command “show repository <name of the repository>”. If the repository is configured properly, it will list the files present on the repository. If the traffic is being blocked by a network device or there is some other issue, you will get an error in the output of the command.


Equivalent CLI command: You need to go in configuration mode.

ise-2-2-b/pan# 
ise-2-2-b/pan# config t
Enter configuration commands, one per line. End with CNTL/Z.
ise-2-2-b/pan(config)# repository FTP_Backup
ise-2-2-b/pan(config-Repository)# url ftp://10.106.37.34/
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes. 
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ise-2-2-b/pan(config-Repository)# user pantftp password plain p@ssword
ise-2-2-b/pan(config-Repository)#

Note: A repository created from the CLI will not be reflected in the GUI.


Configuration backup CISCO ISE

This document explains how to take a backup of the configuration so that it can be used when the ISE configuration needs to be restored. If ISE is in a deployment, the backup can only be taken from the primary node. Taking a configuration backup on ISE can take from a couple of minutes to an hour. The backup can be taken from the CLI or from the GUI.

It is recommended to take the configuration backup on an external server (FTP, SFTP, TFTP…). FTP and TFTP do not encrypt traffic in transit, so SFTP is the safer choice where available. The backup can also be taken on the ISE local disk.

Step 1> To take configuration backup you have to configure repository first. To configure repository use following link.

https://detailed.wordpress.com/2018/08/15/create-repository-on-cisco-ise/

A backup can be scheduled or taken on demand: Administration > System > Backup and restore

Step 2> Click on Backup now and specify the name of the backup file. Select Configuration as the type and select the repository which you have just created. Give an encryption key. The encryption key will be used to encrypt the backup file.


Step 3> Backup the Internal CA store using CLI command. You have to give repository name which you just created.


Equivalent CLI command:

backup <backup name> repository <repository name> ise-config encryption-key plain <encryption key>
