Fix Stuck Application Server in Cisco ISE

Once in a while the Cisco ISE web service doesn’t start after the server reboots and, less frequently, the service simply stops on a running production server. This means the Admin portal is unavailable, though ISE may otherwise be working properly. In this post I’ll go over a couple of commands that can help.

First, I’ve found that the web service takes a few minutes to start after the server boots. Even if you can already ping ISE, give it a couple more minutes. If the Admin portal still doesn’t load, log into the console and run this command to see which applications are still initializing or not running:

ISE-LAB/admin# show application status ise

If the server just rebooted, many of the services will still be in a “not running” state. If this is the case, give it a few more minutes.

[Image: ISE right after boot]

On many occasions I’ve had all the processes start just fine except the Application Server. For some reason it gets stuck at Initializing.

[Image: Application Server stuck at Initializing]

One option is to simply restart the server with a reload command. But rather than restart the server, you can stop or start a single process from the command line. To restart the Application Server, use the following command:

ISE-LAB/admin# application start ise
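The triage described above (wait out the boot, then act only when the Application Server alone is stuck), as an added Python example that is not from the original post. The sample output is constructed, its column layout is assumed because the post's images did not survive, and the function names and the 5-minute grace period are hypothetical.

```python
import re

# Constructed sample of "show application status ise"; the layout is an assumption.
SAMPLE = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3638
Database Server                        running          45 PROCESSES
Application Server                     initializing
Profiler Database                      running          5174
M&T Session Database                   running          5210
pxGrid Infrastructure Service          disabled
"""

# Process name, two or more spaces, then a state keyword.
ROW = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<state>not running|running|initializing|disabled)\b",
    re.IGNORECASE)

def parse_status(text):
    """Map each process name to its lower-cased state."""
    states = {}
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            states[m["name"]] = m["state"].lower()
    return states

def triage(text, minutes_since_boot, grace_minutes=5):
    """Return (action, pending). grace_minutes is a hypothetical threshold."""
    states = parse_status(text)
    if not states:
        raise ValueError("no process rows recognised in the output")
    # "disabled" rows are treated as intentionally switched off (assumption).
    pending = {n: s for n, s in states.items()
               if s in ("not running", "initializing")}
    if not pending:
        return "healthy", pending
    if minutes_since_boot < grace_minutes:
        return "wait", pending            # still booting: give it more time
    if set(pending) == {"Application Server"}:
        return "restart-application", pending  # the case the post describes
    return "investigate", pending         # more than the web service is down

if __name__ == "__main__":
    print(triage(SAMPLE, minutes_since_boot=12))
```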

A variation of this command starts the application in safe mode:

ISE-LAB/admin# application start ise safe

From the Cisco documentation, the purpose of safe mode is:

“…to bypass access restrictions that may have been caused inadvertently. When the safe mode is used to start Cisco ISE services, the following behavior is observed:

  • IP access restriction is temporarily disabled to allow administrators logging into correct IP access restrictions if they inadvertently lock themselves.
  • On FIPS enabled hosts, if the ‘safe’ option is passed on application startup, the FIPS integrity check is temporarily disabled. Normally, if FIPS integrity check fails, Cisco ISE services are not started. Users can bypass the FIPS integrity check with the ‘safe’ option on application start.
  • On FIPS enabled hosts, if the ‘safe’ option is passed on application startup, the hardware random number generator integrity check is disabled.
  • If certificate-based authentication is used, the ‘safe’ option on application start will temporarily use username and password based authentication.”

In a highly available ISE cluster you can restart a single ISE server without any issue or interruption to end-user authentication, but I prefer not to do that if I can help it. It takes about two or three minutes for the service to start after running the command, at which point it should be in a running state and the Admin portal should be available.

Thanks,

Phil
