Collect Support Bundle on the Identity Services Engine

Introduction

This document describes how to gather Support Bundle from Cisco ISE 3.x via CLI or GUI, which contains vital data needed for ISE troubleshooting.

Collect Support Bundle on Cisco ISE

Step 1. Enable Debugs for ISE Components

Various issues on ISE require different sets of logs to troubleshoot. A full list of needed debugs must be provided by the TAC engineer. However, ISE 3.x has preconfigured categories of debugs which you can use to collect initial logos to speed up case resolution.

The list of debugs requested by the TAC engineer must always take priority over this list.

In order to find these preconfigured debugs navigate to  Operations > Troubleshoot > Debug Wizard > Debug Profile Configuration.

Choose the feature for which debugs must be enabled with the choice of the proper check box at the beginning of each row, for example, 802.1x (red), and navigate to node selection (green):

Then choose nodes for which these debugs must be enabled with the choice of the proper checkbox at the beginning of each row (red) and save changes (green):

The page is moved back to Debug Profile Configuration and debug status changes to ENABLED with information about nodes that run these debugs.

Step 2. Recreate the Issue

When all needed debugs are enabled, re-create the issue in order to generate logs.

If the issue cannot be triggered manually, then you must wait for the next occurrence.

If the issue occurred before debugs were enabled, there is not enough information to troubleshoot.

Ideally, the support bundle must be collected right after the issue occurred. Note the auxiliary information needed for log analysis:

• timestamp of recreation
• any unique ids for the event like MAC address, IP address, username, or session ID (which depends on the circumstances, usually MAC/IP + username is enough)

Step 3. Disable Debugs

Right after the issue is recreated, disable the debugs in order to prevent the newly generated logs from being overwritten by excessive logging.

In order to do that, repeat actions from Step 1., however, on the node selection page, uncheck the proper checkboxes and save like previously.

Step 4. Collect Support Bundle

Navigate to  Operations > Troubleshooting > Download Logs and choose the ISE node (the one, where debugs were enabled). On the tab of each node, there are two options: Collect Support Bundle (red) or download specific log file - Debug Logs (orange).

For the Debug Logs, a full list of all available log files is displayed. After you click the name of the file, it is downloaded.

The Support Bundle is a package that contains all logs from the selected groups.

• full configuration database attaches full ISE configuration to the Support Bundle
• debug logs are most used since they contain all the debugs from all ISE components
• local logs contain log that shows Radius authentications for this node in the deployment
• core files can cause the Support Bundle to grow, but it is required during crash troubleshooting
• monitoring and reporting logs contain operational data
• system logs contain system-specific logs (for troubleshooting services provided by OS)
• policy configuration - xml  version of configured policies on ISE

For most of the scenarios, the inclusion of the debug logs and local logs is enough. For stability and performance issues also, the core and system logs are needed.

If you choose public-key encryption only, TAC is able to decrypt this bundle with the use of a Cisco private key. The shared key allows you to set passwords that are needed to decrypt the logs.

In the case of a shared key, ensure that the TAC engineer has access to it so that bundle can be decrypted on the Cisco side.

When everything is set, click the  Create Support Bundle button and wait.

When the process to create the Support Bundle is completed, it is available for download. After you click  Download , the Support Bundle is saved on the local disk of the PC and can be uploaded to TAC in order to troubleshoot.

If the Web interface is not available, you can collect the Support Bundle from CLI. In order to do this, log in with the use of SSH or console access and use the command:

backup-logs name repository ftp {encryption-key plain key | public-key}

name - the name of your Support Bundle

ftp - the name of the repository configured on ISE 

key - is the key used for encrypting/decrypting the Support Bundle

The official tool to upload the Support Bundle is https://mycase.cloudapps.cisco.com/case.

Do not zip or change the extension of the Support Bundle file. It must be uploaded in the same exact state as it was downloaded from ISE.