Fix Cisco ISE Messaging Service

Cisco Identity Services Engine 2.6 introduced the ISE Messaging Service, an encrypted, lightweight protocol that replaces syslog for logging traffic between ISE nodes. The ISE Messaging Service runs over TCP/8671. In 2.6 Patch 2 and later, the ISE Messaging Service is enabled by default.

The implementation of the ISE Messaging Service has been buggy in both new ISE builds and upgrades, although it has improved considerably in recent versions. One option is simply to disable the ISE Messaging Service under Administration > System > Logging. Doing so, however, leaves ISE logging traffic unencrypted, and the legacy syslog delivery method is less efficient than the ISE Messaging Service. The rest of this article therefore focuses on how to identify and fix problems with the ISE Messaging Service.

Problem Identification

Problems with the ISE Messaging Service usually show up as a blank Live Logs page even though authentication is working: devices and users are still successfully authenticating via RADIUS, Guest, or TACACS+. The best way to confirm this is to look for Queue Link Alarms in the Alarm section of the ISE dashboard. The alarm details will mention a certificate issue, most commonly Unknown CA.

Resolution

  1. Re-generate ISE Root CA Chain within Administration > System > Certificates > Certificate Management > Certificate Signing Request (CSR). Click Generate Certificate Request (CSR) and choose ISE Root CA in the drop-down list.  Finally, click Replace ISE root CA Certificate Chain.
  2. Re-generate the ISE Messaging Service certificate within Administration > System > Certificates > Certificate Management > Certificate Signing Request (CSR). Click Generate Certificate Request (CSR) and choose ISE Messaging Service in the drop-down list. Finally, click Generate CSR.

Live Logs should begin to appear in the Live Logs section and no additional Queue Link Alarms should show up in the Dashboard Alarms. Note that regenerating the Root CA or the ISE Messaging Service certificate does not cause a service restart on any of the ISE nodes.
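To confirm from the wire that the fix took, you can check that the certificate each node presents on TCP/8671 now validates against the ISE internal CA chain. The script below is an added example and not part of the original post; the node names and the `ise-root-ca-chain.pem` path are assumptions (export the chain from Administration > System > Certificates > Certificate Authority and save it under that name).

```shell
#!/bin/sh
# Added example: verify the ISE Messaging Service certificate on each node
# against the exported ISE internal CA chain. Paths and hostnames are assumed.

ISE_MSG_PORT=8671
CA_CHAIN="${CA_CHAIN:-ise-root-ca-chain.pem}"   # assumed: exported ISE Root CA chain

# Map openssl's "Verify return code: N (text)" line to a short verdict.
# Code 20/21 (no local issuer for the chain) is what the Queue Link
# "Unknown CA" alarm looks like from the outside.
verdict_from_openssl() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        "")     echo "NO-TLS-HANDSHAKE" ;;        # port closed, filtered, or service down
        0)      echo "OK" ;;
        10)     echo "EXPIRED" ;;
        18|19)  echo "SELF-SIGNED-NOT-TRUSTED" ;; # chain ends in a CA that is not in CA_CHAIN
        20|21)  echo "UNKNOWN-CA" ;;              # issuer not in CA_CHAIN: regenerate certs
        *)      echo "VERIFY-ERROR-$code" ;;
    esac
}

# Open a TLS session to one node's Messaging Service port and return the verdict.
check_node() {
    out=$(printf '' | openssl s_client -connect "$1:$ISE_MSG_PORT" \
            -CAfile "$CA_CHAIN" 2>/dev/null || true)
    verdict_from_openssl "$out"
}

# Usage: ./check-ise-msg.sh ise-pan-1.example.com ise-psn-1.example.com
for node in "$@"; do
    printf '%-40s %s\n' "$node" "$(check_node "$node")"
done
```

Any node reporting UNKNOWN-CA after the regeneration steps is still presenting a certificate that does not chain to the CA you exported.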

-A
