Administrator account Locked/Disabled

Administrator account is locked or disabled due to password expiration or incorrect login attempts. For more details, refer to the administrator password policy.

Administrator password can be reset by another administrator using the GUI or CLI.

Backup Failed

The ISE backup operation failed.

Check the network connectivity between Cisco ISE and the repository. Ensure that:

• The credentials used for the repository is correct.

• There is sufficient disk space in the repository.

• The repository user has write privileges.

CA Server is down

CA server is down.

Check to make sure that the CA services are up and running on the CA server.

CA Server is Up

CA server is up.

A notification to inform the administrator that the CA server is up.

Certificate Expiration

This certificate will expire soon. When it expires, Cisco ISE may fail to establish secure communication with clients.

Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use Cisco ISE to extend the expiration date. You can delete the certificate if it is no longer used.

Certificate Revoked

Administrator has revoked the certificate issued to an Endpoint by the Internal CA.

Go through the BYOD flow from the beginning to be provisioned with a new certificate.

Certificate Provisioning Initialization Error

Certificate provisioning initialization failed

More than one certificate found with the same value of CN (CommonName) attribute in the subject, cannot build certificate chain. Check all the certificates in the system including those from the SCEP server.

Certificate Replication Failed

Certificate replication to secondary node failed

The certificate is not valid on the secondary node, or there is some other permanent error condition. Check the secondary node for a pre-existing, conflicting certificate. If found, delete the pre-existing certificate on the secondary node, and export the new certificate on the primary, delete it, and import it in order to reattempt replication.

Certificate Replication Temporarily Failed

Certificate replication to secondary node temporarily failed

The certificate was not replicated to a secondary node due to a temporary condition such as a network outage. The replication will be retried until it succeeds.

Certificate Expired

This certificate has expired. Cisco ISE may fail to establish secure communication with clients. Node-to-node communication may also be affected.

Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use Cisco ISE to extend the expiration date. You can delete the certificate if it is no longer used.

Certificate Request Forwarding Failed

Certificate request forwarding failed.

Make sure that the certification request coming in matches with attributes from the sender.

Configuration Changed

Cisco ISE configuration is updated. This alarm is not triggered for any configuration change in users and endpoints.

Check if the configuration change is expected.

CRL Retrieval Failed

Unable to retrieve CRL from the server. This could occur if the specified CRL is unavailable.

Ensure that the download URL is correct and is available for the service.

DNS Resolution Failure

DNS resolution failed on the node.

Check if the DNS server configured by the command ip name-server is reachable.

If you get the alarm as 'DNS Resolution failed for CNAME <hostname of the node>', then ensure that you create CNAME RR along with the A record for each Cisco ISE node.

Firmware Update Required

A firmware update is required on this host.

Contact Cisco Technical Assistance Center to obtain firmware update

Insufficient Virtual Machine Resources

Virtual Machine (VM) resources such as CPU, RAM, Disk Space, or IOPS are insufficient on this host.

Ensure that a minimum requirements for the VM host, as specified in the Cisco ISE Hardware Installation Guide.

NTP Service Failure

The NTP service is down on this node.

This could be because there is a large time difference between NTP server and Cisco ISE node( more than 1000s). Ensure that your NTP server is working properly and use the ntp server <servername> CLI command to restart the NTP service and fix the time gap.

NTP Sync Failure

All the NTP servers configured on this node are unreachable.

Execute show ntp command from the CLI for troubleshooting. Ensure that the NTP servers are reachable from Cisco ISE. If NTP authentication is configured, ensure that the key ID and value matches with that of the server.

No Configuration Backup Scheduled

No Cisco ISE configuration backup is scheduled.

Create a schedule for configuration backup.

Operations DB Purge Failed

Unable to purge older data from the operations database. This could occur if M&T nodes are busy.

Check the Data Purging Audit report and ensure that the used_space is lesser than the threshold_space. Login to M&T nodes using CLI and perform the purge operation manually.

Profiler SNMP Request Failure

Either the SNMP request timed out or the SNMP community or user authentication data is incorrect.

Ensure that SNMP is running on the NAD and verify that SNMP configuration on Cisco ISE matches with NAD.

Replication Failed

The secondary node failed to consume the replicated message.

Login to the Cisco ISE GUI and perform a manual syncup from the deployment page. De-register and register back the affected Cisco ISE node.

Restore Failed

Cisco ISE restore operation failed.

Ensure the network connectivity between Cisco ISE and the repository. Ensure that the credentials used for the repository is correct. Ensure that the backup file is not corrupted. Execute the reset-config command from the CLI and restore the last known good backup.

Patch Failure

A patch process has failed on the server.

Re-install the patch process on the server.

Patch Success

A patch process has succeeded on the server.

-

External MDM Server API Version Mismatch

External MDM server API version does not match with what is configured in Cisco ISE.

Ensure that the MDM server API version is the same as what is configured in Cisco ISE. Update Cisco ISE MDM server configuration if needed.

External MDM Server Connection Failure

Connection to the external MDM server failed.

Ensure that the MDM server is up and Cisco ISE-MDM API service is running on the MDM server.

External MDM Server Response Error

External MDM Server response error.

Ensure that the Cisco ISE-MDM API service is properly running on the MDM server.

Replication Stopped

ISE node could not replicate configuration data from the PAN.

Login to the Cisco ISE GUI to perform a manual syncup from the deployment page or de-register and register back the affected ISE node with required field.

Endpoint certificates expired

Endpoint certificates were marked expired by daily scheduled job.

Please re-enroll the endpoint device to get a new endpoint certificate.

Endpoint certificates purged

Expired endpoint certificates were purged by daily scheduled job.

No action needed - this was an administrator-initiated cleanup operation.

Endpoints Purge Activities

Purge activities on endpoints for the past 24 hours. This alarm is triggered at mid-night.

Review the purge activities under Operations > Reports > Endpoints and Users > Endpoint Purge Activities

Slow Replication Error

Slow or a stuck replication is detected .

Please verify that the node is reachable and part of the deployment.

Slow Replication Info

Slow or a stuck replication is detected .

Please verify that the node is reachable and part of the deployment.

Slow Replication Warning

Slow or a stuck replication is detected .

Please verify that the node is reachable and part of the deployment.

PAN Auto Failover - Failover Failed

Promotion request to the Secondary administration node failed.

Please refer to the alarm details for further action.

PAN Auto Failover - Failover Triggered

Successfully triggered the failover of the Secondary Administration node to Primary role.

Wait for promotion of secondary PAN to complete and bring up the old primary PAN.

PAN Auto Failover - Health Check Inactivity

PAN did not receive the health check monitoring request from the designated monitoring node.

Please verify if the reported monitoring node is down or out-of-sync and trigger a manual sync if needed.

PAN Auto Failover - Invalid Health Check

Invalid health check monitoring request received for auto-failover.

Please verify if the health check monitoring node is out-of-sync and trigger a manual sync if needed.

PAN Auto Failover - Primary Administration Node Down

Primary Admin node is down or is not reachable from the monitoring node.

Bring up the PAN or wait for failover to happen.

PAN Auto Failover - Rejected Failover Attempt

Secondary administration node rejected the promotion request made by the health check monitor node.

Please refer to the alarm details for further action.

AD Connector had to be restarted

AD Connector stopped unexpectedly and had to be restarted.

If this issue persists, contact the Cisco TAC for assistance.

Active Directory forest is unavailable

Active Directory forest GC (Global Catalog) is unavailable, and cannot be used for authentication, authorization and group and attribute retrieval.

Check DNS configuration, Kerberos configuration, error conditions, and network connectivity.

Authentication domain is unavailable

Authentication domain is unavailable, and cannot be used for authentication, authorization and group and attribute retrieval.

Check DNS configuration, Kerberos configuration, error conditions, and network connectivity.

ISE Authentication Inactivity

Cisco ISE policy service nodes are not receiving authentication requests from the network devices.

Check the ISE/NAD configuration. Check the network connectivity of the ISE/NAD infrastructure.

ID Map. Authentication Inactivity

No User Authentication events were collected by the Identity Mapping service in the last 15 minutes.

If this is a time when User Authentications are expected (e.g. work hours), then check the connection to Active Directory domain controllers.

COA Failed

Network device has denied the Change of Authorization (CoA) request issued by Cisco ISE policy service nodes.

Ensure that the network device is configured to accept Change of Authorization (CoA) from Cisco ISE. Ensure if CoA is issued on a valid session.

Configured nameserver is down

Configured nameserver is down or unavailable.

Check DNS configuration and network connectivity.

Supplicant Stopped Responding

Cisco ISE sent last message to the client 120 seconds ago but there is no response from the client.

Verify that the supplicant is configured properly to conduct a full EAP conversation with Cisco ISE. Verify that NAS is configured properly to transfer EAP messages to/from the supplicant. Verify that the supplicant or NAS does not have a short timeout for EAP conversation.

Excessive Authentication Attempts

Cisco ISE policy service nodes are experiencing higher than expected rate of authentications.

Check the re-auth timer in the network devices. Check the network connectivity of the Cisco ISE infrastructure.

Once the threshold is met, the Excessive Authentication Attempts and Excessive Failed Attempts alarms are triggered. The numbers displayed next to the Description column are the total number of authentications that are authenticated or failed against Cisco ISE in last 15 minutes.

Excessive Failed Attempts

Cisco ISE policy service nodes are experiencing higher than expected rate of failed authentications.

Check the authentication steps to identify the root cause. Check the Cisco ISE/NAD configuration for identity and secret mismatch.

Once the threshold is met, the Excessive Authentication Attempts and Excessive Failed Attempts alarms are triggered. The numbers displayed next to the Description column are the total number of authentications that are authenticated or failed against Cisco ISE in last 15 minutes.

AD: Machine TGT refresh failed

ISE server TGT (Ticket Granting Ticket) refresh has failed; it is used for AD connectivity and services.

Check that the ISE machine account exists and is valid. Also check for possible clock skew, replication, Kerberos configuration and/or network errors.

AD: ISE account password update failed

ISE server has failed to update it's AD machine account password.

Check that the ISE machine account password is not changed and that the machine account is not disabled or restricted. Check the connectivity to KDC.

Joined domain is unavailable

Joined domain is unavailable, and cannot be used for authentication, authorization and group and attribute retrieval.

Check DNS configuration, Kerberos configuration, error conditions, and network connectivity.

Identity Store Unavailable

Cisco ISE policy service nodes are unable to reach the configured identity stores.

Check the network connectivity between Cisco ISE and identity store.

Misconfigured Network Device Detected

Cisco ISE has detected too many RADIUS accounting information from NAS

Too many duplicate RADIUS accounting information has been sent to ISE from NAS. Configure NAS with accurate accounting frequency.

Misconfigured Supplicant Detected

Cisco ISE has detected mis-configured supplicant on the network

Ensure that the configuration on Supplicant is correct.

No Accounting Start

Cisco ISE policy service nodes have authorized a session but did not receive accounting start from the network device.

Ensure that RADIUS accounting is configured on the network device. Check the network device configuration for local authorization.

Unknown NAD

Cisco ISE policy service nodes are receiving authentication requests from a network device that is not configured in Cisco ISE.

Check if the network device is a genuine request and add it to the configuration. Ensure that the secret matches.

SGACL Drops

Secure Group Access (SGACL) drops occurred. This occurs if a Trustsec capable device drops packets due to SGACL policy violations.

Run the RBACL drop summary report and review the source causing the SGACL drops. Issue a CoA to the offending source to reauthorize or disconnect the session.

RADIUS Request Dropped

The authentication/accounting request from a NAD is silently discarded. This may occur due to unknown NAD, mismatched shared secrets, or invalid packet content per RFC.

Check that the NAD/AAA client has a valid configuration in Cisco ISE. Check whether the shared secrets on the NAD/AAA client and Cisco ISE matches. Ensure that the AAA client and the network device, have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to Cisco ISE has no hardware problems.

EAP Session Allocation Failed

A RADIUS request was dropped due to reaching EAP sessions limit. This condition can be caused by too many parallel EAP authentication requests.

Wait for a few seconds before invoking another RADIUS request with new EAP session. If system overload continues to occur, try restarting the ISE Server.

RADIUS Context Allocation Failed

A RADIUS request was dropped due to system overload. This condition can be caused by too many parallel authentication requests.

Wait for a few seconds before invoking a new RADIUS request. If system overload continues to occur, try restarting the ISE Server.

High Disk I/O Utilization

Cisco ISE system is experiencing high disk I/O utilization.

Check if the system has sufficient resources. Check the actual amount of work on the system for example, number of authentications, profiler activity etc. Add additional server to distribute the load.

High Disk Space Utilization

Cisco ISE system is experiencing high disk space utilization.

Check if the system has sufficient resources. Check the actual amount of work on the system for example, number of authentications, profiler activity etc. Add additional server to distribute the load.

High Load Average

Cisco ISE system is experiencing high load average.

Check if the system has sufficient resources. Check the actual amount of work on the system for example, number of authentications, profiler activity etc. Add additional server to distribute the load.

High Memory Utilization

Cisco ISE system is experiencing high memory utilization.

Check if the system has sufficient resources. Check the actual amount of work on the system for example, number of authentications, profiler activity etc. Add additional server to distribute the load.

High Operations DB Usage

Cisco ISE monitoring nodes are experiencing higher volume of syslog data than expected.

Check and reduce the purge configuration window for the operations data.

High Authentication Latency

Cisco ISE system is experiencing high authentication latency.

Check if the system has sufficient resources. Check the actual amount of work on the system for example, number of authentications, profiler activity etc. Add additional server to distribute the load.

Health Status Unavailable

The monitoring node has not received health status from the Cisco ISE node.

Ensure that Cisco ISE nodes are up and running. Ensure that Cisco ISE nodes are able to communicate with the monitoring nodes.

Process Down

One of the Cisco ISE processes is not running.

Restart the Cisco ISE application.

Profiler Queue Size Limit Reached

The ISE Profiler queue size limit has been reached. Events received after reaching the queue size limit will be dropped.

Check if the system has sufficient resources, and ensure EndPoint attribute filter is enabled.

OCSP Transaction Threshold Reached

The OCSP transaction threshold has been reached. This alarm is triggered when internal OCSP service reach high volume traffic.

Please check if the system has sufficient resources.

License About to Expire

License installed on the Cisco ISE nodes are about to expire.

View the Licencing page in Cisco ISE to view the license usage.

License Expired

License installed on the Cisco ISE nodes has expired.

Contact Cisco Accounts team to purchase new licenses.

License Violation

Cisco ISE nodes have detected that you are exceeding or about to exceed the allowed license count.

Contact Cisco Accounts team to purchase additional licenses.

Log Collection Error

Cisco ISE monitoring collector process is unable to persist the audit logs generated from the policy service nodes.

This will not impact the actual functionality of the Policy Service nodes. Contact TAC for further resolution.

Scheduled Report Export Failure

Unable to copy the exported report (CSV file) to configured repository.

Verify the configured repository. If it has been deleted, add it back. If it is not available or not reachable, reconfigure the repository to a valid one.