Cisco Bug: CSCvs01844 - All SGTs in author node are "not in sync state"
Jun 03, 2020
- Cisco DNA Center
Known Affected Releases
DNAC-Wolverine DNAC22.214.171.124 DNAC1.3.2
Symptom: Security group tags (SGTs) may show up in Cisco DNA Center with a status "Sync not started," even after performing the policy migration process that's suggested in the Cisco DNA Center GUI. When an SGT is created in Cisco DNA Center, the SGT may be created in ISE, but no virtual network (VN) information is pushed to ISE. Under normal circumstances, this problem should not arise; however, there are 2 different ways this situation can arise that Cisco is aware of. Scenario 1: A user has created VNs and IP address pools, and has associated these with scalable groups, and has created references in to those scalable groups in ISE (in Authorization Profiles or Authorization Rules), and then at some later time, deletes one or more of the IP address pools and/or VNs (without first removing the corresponding SG-VN association or removing the references in ISE). The Cisco DNA Center/ACA operation to sync the changed VN/IP address pool data to ISE (to remove data) will fail due to the ISE referential integrity check. This could come up in a customer environment. Scenario 2: This is a scenario we have seen in our labs (presumed to be unlikely in a customer environment), where there is an operational Cisco DNA Center-ISE integration, where VNs and IP address pools have been created, SGs associated with these VNs, and authorization profiles created on the ISE side, and then at a later time, a new Cisco DNA Center image is installed on Cisco DNA Center (clean install, NOT an upgrade). This is pretty common in labs. If this is done, the new Cisco DNA Center will obviously NOT have any of the VNs or IP Pools that were there previously, so when initial policy migration has been done, the ACA run-time sync (that is normally triggered after the initial migration) is blocked by the referential integrity check. Conditions: The root cause of this issue is the combination of 1) The set of VNs and associated IP address pools in Cisco DNA Center do not match the VN and IP address pool information previously synced to ISE from Cisco DNA Center. 2) ISE has references (in Authorization profiles or Authorization rules) to Scalable Groups associated with VNs/IP address pools which do not exist in Cisco DNA Center.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases