This document describes how to configure and understand Simple Network Management Protocol (SNMP) traps in order to monitor the Cisco ISE.
SNMP traps are UDP messages sent from an SNMP-enabled device to a remote MIB Server. Identity Services Engine (ISE) can be configured to send traps to an SNMP server for monitoring and troubleshooting. The objective of this document is to familiarize you with some of the basic checks used to isolate issues and to explain the limitations of ISE traps.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
Cisco ISE, Release 2.6
RHEL 7 server
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
ISE supports SNMP v1, v2, and v3. On the ISE CLI, check whether SNMP is enabled and review the rest of the configuration.
Example, SNMP v3:
sotumu24/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
sotumu24/admin(config)# snmp-server enable
sotumu24/admin(config)# snmp-server trap dskThresholdLimit "75"
sotumu24/admin(config)# snmp-server community SNMP$tring ro
sotumu24/admin(config)# snmp-server user SNMPUSER v3 plain authpasswd privpasswd
The SNMP server might require the engineID if version 3 is used. It can be derived from the output of this command:
sotumu24/admin# show snmp-server engineID
Local SNMP EngineID: GKIILIFNGIC >> This is the same as the ISE serial number and need not be configured.
sotumu24/admin# sh udi
Ports and Reachability
The remote server should be able to reach the ISE to query traps if required. Ensure that ISE allows the SNMP server in IP access (if configured).
If the SNMP service daemon is stuck or unable to restart, the errors are seen in the messages log file.
2020-04-27T12:28:45.326652+05:30 sotumu24 su: (to oracle) root on none
2020-04-27T12:29:48.391712+05:30 sotumu24 snmpd: Received TERM or STOP signal... shutting down...
2020-04-27T12:29:48.590240+05:30 sotumu24 snmpd: NET-SNMP version 5.7.2
2020-04-27T12:30:29.319929+05:30 sotumu24 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="20126" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Traps and queries
Generic SNMP Traps Generated by Default in Cisco ISE:
ISE does not have any MIB for process status or disk utilization. Cisco ISE uses the OID HOST-RESOURCES-MIB::hrSWRunName for SNMP traps. The snmpwalk and snmpget commands cannot be used to query the process status or disk utilization in ISE.
From these outputs, the disk utilization is calculated, and when the value reaches 75, an SNMP trap is sent to the configured SNMP server host. There is no MIB resource that calculates and displays the disk utilization directly.
Further, the MIB object hrSWRunName is used to collect this information (as per the ISE Admin Guide):
A textual description of this running piece of software, including the manufacturer, revision, and the name by which it is commonly known. If this software was installed locally, this should be the same string as that used in the corresponding hrSWInstalledName. The services taken into consideration are app-server, rsyslog, redis-server, ad-connector, mnt-collector, mnt-processor, ca-server est-server, and elasticsearch.
The ISE application is hosted on RHEL OS (Linux). However, as mentioned in the ISE Admin Guide, ISE uses the Host Resources MIB to gather SNMP trap information. This document has the list of Host Resources MIB objects that can be queried:
From the document, it can be inferred that there are no direct queries that can calculate and display the values of CPU, Memory, or Disk utilization. However, the data that is used to calculate the outputs is present in these tables:
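The following is an added example, not part of the original document or of any Cisco tooling. It shows one way a monitoring host can derive disk utilization from raw storage values and compare it with the 75 threshold configured above. It assumes the values come from the hrStorageTable columns of HOST-RESOURCES-MIB (hrStorageDescr, hrStorageAllocationUnits, hrStorageSize, hrStorageUsed); the sample walk output is constructed, the function names are hypothetical, and treating only descriptions that start with "/" as disks is an assumption.

```python
import re

# Constructed sample in snmpwalk output format (not captured from an ISE node).
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageAllocationUnits.1 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 16000000
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 15200000
HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /
HOST-RESOURCES-MIB::hrStorageAllocationUnits.31 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageSize.31 = INTEGER: 1000000
HOST-RESOURCES-MIB::hrStorageUsed.31 = INTEGER: 800000
HOST-RESOURCES-MIB::hrStorageDescr.36 = STRING: /opt
HOST-RESOURCES-MIB::hrStorageAllocationUnits.36 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageSize.36 = INTEGER: 5000000
HOST-RESOURCES-MIB::hrStorageUsed.36 = INTEGER: 1250000
"""

LINE_RE = re.compile(
    r"HOST-RESOURCES-MIB::hrStorage(Descr|AllocationUnits|Size|Used)\.(\d+)"
    r" = (?:STRING|INTEGER): (.+)$"
)

def parse_storage(walk_text):
    """Group hrStorageTable columns by row index."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore other OIDs and malformed lines
        column, index, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if column != "Descr":
            value = int(value.split()[0])  # "4096 Bytes" -> 4096
        rows.setdefault(index, {})[column] = value
    return rows

def disk_utilization(rows):
    """Percent used per mount point; size and used share one allocation
    unit, so the unit cancels out of the ratio. Memory rows are skipped."""
    result = {}
    for row in rows.values():
        complete = {"Descr", "Size", "Used"} <= row.keys()
        if complete and row["Descr"].startswith("/") and row["Size"] > 0:
            result[row["Descr"]] = round(100.0 * row["Used"] / row["Size"], 1)
    return result

def over_threshold(rows, limit=75):
    """Mount points at or above the configured trap threshold."""
    return sorted(n for n, pct in disk_utilization(rows).items() if pct >= limit)
```

Calling `over_threshold(parse_storage(SAMPLE_WALK))` on the constructed sample reports only the root file system, which sits at 80 percent.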
Additional Pointers on Memory and Disk Utilization
There is a slight difference between the values collected on the SNMP server and those seen in the ISE CLI root bash. Memory utilization values also differ because of slab, which is not accounted for in SNMP; SNMP shows the total value.
Free memory is a small amount of memory that is not currently used, and it causes this difference. This is the wasted part of the memory that the system is not able to utilize. ISE is hosted on a Linux OS, which uses all physical memory that is not needed by current programs as a file cache, for efficiency. However, if programs need this physical memory, the kernel reallocates the file cache memory to those programs. Hence, the memory used by the file cache is free but not utilized until it is needed by a program.