Loss Detection
Sequence IDs on pxGrid topics provide loss detection. If there is a break in transmission, the subscriber can detect a gap in the sequence of IDs and ask for data based on the time of the last sequence number. If the publisher restarts for some reason, the topic sequence ID starts at 0. If the subscriber sees the sequence ID 0, it should ask for data from the time of the last correctly received sequence ID. If the subscriber's connection goes down, the publisher keeps assigning the IDs sequentially. When the subscriber reconnects and detects a gap in the sequence IDs, it should ask for data from the time of the last correctly received sequence ID. Loss detection currently works with the Session Directory and TrustSec Configuration topics.
If you have an existing application that doesn’t use sequence IDs, you don’t have to use them, but using them provides benefits of loss detection and recovery from loss.
Note: Loss Detection is only supported on pxGrid 2.0 from Cisco ISE 3.0 and later, and is enabled by default.
Session Directory sessions are batched and published by the Monitoring node (MnT node) asynchronously for every notify interval to: /topic/com.cisco.ise.session.
Changes to TrustSec Config Security Group are published to: /topic/com.cisco.ise.config.trustsec.security.group.
Sample code for how to work with both of the above topics may be found at https://github.com/cisco-pxgrid/pxgrid-rest-ws, with more details in https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki.
For further details on these topics see:
https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/Session-Directory
https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/TrustSec-configuration
Responding to a Skipped Sequence
Each topic that supports loss detection also supports retrieving information in bulk through a get Objects call (the specific call varies per object type). If you detect a gap in the sequence numbers, or suspect that a topic may be inactive, use a get Objects call with the latest message time if it is supported. As of this writing, only the session directory topic supports queries with timestamps. See the following links for details:
https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/Session-Directory#post-restbaseurlgetsessions
https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/Session-Directory#post-restbaseurlgetsessionsforrecovery-since-ise-30
See the Session Directory messages sample to learn about responses. That sample is in /topic/com.cisco.ise.session.
Sample Messages
The MnT publisher batches and publishes sessions asynchronously at every notify interval, as shown in the following messages:
{
"sessions": [
{
"timestamp": "2020-06-20T22:44:08.987Z",
"state": "STARTED",
"userName": "sequence_id_user@cisco.com",
"callingStationId": "33:33:33:33:33:00",
"auditSessionId": "00",
"ipAddresses": [
"1.2.3.0"
],
"macAddress": "33:33:33:33:33:00",
"nasIpAddress": "10.0.0.1",
"nasPortId": "eth0",
"nasPortType": "Sync",
"adNormalizedUser": "sequence_id_user",
"providers": [
"None"
],
"endpointCheckResult": "none",
"identitySourcePortStart": 0,
"identitySourcePortEnd": 0,
"identitySourcePortFirst": 0,
"networkDeviceProfileName": "Cisco",
"mdmRegistered": false,
"mdmCompliant": false,
"mdmDiskEncrypted": false,
"mdmJailBroken": false,
"mdmPinLocked": false,
"selectedAuthzProfiles": [
"PermitAccess"
],
"virtualNetwork": ""
}
],
"sequence": 0
}
{
"sessions": [
{
"timestamp": "2020-06-20T22:45:08.987Z",
"state": "STARTED",
"userName": "sequence_id_user@cisco.com",
"callingStationId": "33:33:33:33:33:00",
"auditSessionId": "00",
"ipAddresses": [
"1.2.3.0"
],
"macAddress": "33:33:33:33:33:00",
"nasIpAddress": "10.0.0.1",
"nasPortId": "eth0",
"nasPortType": "Sync",
"adNormalizedUser": "sequence_id_user",
"providers": [
"None"
],
"endpointCheckResult": "none",
"identitySourcePortStart": 0,
"identitySourcePortEnd": 0,
"identitySourcePortFirst": 0,
"networkDeviceProfileName": "Cisco",
"mdmRegistered": false,
"mdmCompliant": false,
"mdmDiskEncrypted": false,
"mdmJailBroken": false,
"mdmPinLocked": false,
"selectedAuthzProfiles": [
"PermitAccess"
],
"virtualNetwork": ""
}
],
"sequence": 1
}
{
"sessions": [
{
"timestamp": "2020-06-20T22:55:08.987Z",
"state": "STARTED",
"userName": "sequence_id_user@cisco.com",
"callingStationId": "33:33:33:33:33:00",
"auditSessionId": "00",
"ipAddresses": [
"1.2.3.0"
],
"macAddress": "33:33:33:33:33:00",
"nasIpAddress": "10.0.0.1",
"nasPortId": "eth0",
"nasPortType": "Sync",
"adNormalizedUser": "sequence_id_user",
"providers": [
"None"
],
"endpointCheckResult": "none",
"identitySourcePortStart": 0,
"identitySourcePortEnd": 0,
"identitySourcePortFirst": 0,
"networkDeviceProfileName": "Cisco",
"mdmRegistered": false,
"mdmCompliant": false,
"mdmDiskEncrypted": false,
"mdmJailBroken": false,
"mdmPinLocked": false,
"selectedAuthzProfiles": [
"PermitAccess"
],
"virtualNetwork": ""
}
],
"sequence": 6
}
{
"sessions": [
{
"timestamp": "2020-06-20T22:54:08.987Z",
"state": "STARTED",
"userName": "sequence_id_user@cisco.com",
"callingStationId": "33:33:33:33:33:00",
"auditSessionId": "00",
"ipAddresses": [
"1.2.3.0"
],
"macAddress": "33:33:33:33:33:00",
"nasIpAddress": "10.0.0.1",
"nasPortId": "eth0",
"nasPortType": "Sync",
"adNormalizedUser": "sequence_id_user",
"providers": [
"None"
],
"endpointCheckResult": "none",
"identitySourcePortStart": 0,
"identitySourcePortEnd": 0,
"identitySourcePortFirst": 0,
"networkDeviceProfileName": "Cisco",
"mdmRegistered": false,
"mdmCompliant": false,
"mdmDiskEncrypted": false,
"mdmJailBroken": false,
"mdmPinLocked": false,
"selectedAuthzProfiles": [
"PermitAccess"
],
"virtualNetwork": ""
}
],
"sequence": 7
}
Use the REST API to bulk download Session Directory data.
REST URL: /mnt/sd/getSessionsForRecovery
Request Body:
{
"startTimestamp": "2020-06-20T22:45:08.987Z",
"endTimestamp": "2020-06-20T22:55:08.987Z"
}
The following messages show a Security Group message sample that is published on /topic/com.cisco.ise.config.trustsec.security.group:
{
"operation":"CREATE",
"securityGroup":
{
"id":"5560d470-b356-11ea-960d-52c483a0eaac",
"name":"automation_security_group",
"description":"",
"tag":16,
"isReadOnly":false,
"defaultSgaclIds":[]
},
"sequence":1
}
{
"operation":"DELETE",
"securityGroup":
{
"id":"5560d470-b356-11ea-960d-52c483a0eaac",
"name":"automation_security_group",
"description":"",
"tag":16,
"isReadOnly":false,
"defaultSgaclIds":[]
},
"sequence":3
}
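The detection and recovery rules described on this page, as an added Python example that is not part of Cisco's pxGrid samples: it tracks the sequence ID per topic, flags a gap or a publisher restart, and builds the getSessionsForRecovery request body from the time of the last correctly received message. LossDetector, batch_time and replay are hypothetical names, and taking a message's time from its newest session timestamp is an assumption.

```python
def batch_time(msg):
    """Newest session timestamp in a message, or None if it carries none."""
    stamps = [s["timestamp"] for s in msg.get("sessions", []) if "timestamp" in s]
    # Same-format ISO-8601 UTC strings compare chronologically as plain strings.
    return max(stamps) if stamps else None

class LossDetector:
    """Tracks one topic's sequence IDs and says when and how to recover."""
    def __init__(self):
        self.last_seq = None    # last correctly received sequence ID
        self.last_time = None   # newest timestamp seen up to that message

    def observe(self, msg):
        """Return None when the message is in order, else a recovery plan."""
        seq, now = msg["sequence"], batch_time(msg)
        plan = None
        if self.last_seq is not None and seq != self.last_seq + 1:
            # The page describes a restart as sequence 0; treating any
            # non-increasing ID as a restart is an assumption made here.
            restart = seq <= self.last_seq
            plan = {
                "reason": "publisher_restart" if restart else "gap",
                "missed": None if restart else seq - self.last_seq - 1,
                # None: topic has no timestamped query, so run its full bulk get.
                "body": ({"startTimestamp": self.last_time, "endTimestamp": now}
                         if self.last_time and now else None),
            }
        self.last_seq = seq
        if now:
            self.last_time = max(now, self.last_time or now)
        return plan

def replay(messages):
    """Feed messages in arrival order; return the recovery plans raised."""
    detector = LossDetector()
    return [p for p in map(detector.observe, messages) if p]

# Constructed input: the page's sample messages reduced to the fields used here.
SESSION_MSGS = [
    {"sessions": [{"timestamp": "2020-06-20T22:44:08.987Z"}], "sequence": 0},
    {"sessions": [{"timestamp": "2020-06-20T22:45:08.987Z"}], "sequence": 1},
    {"sessions": [{"timestamp": "2020-06-20T22:55:08.987Z"}], "sequence": 6},
    {"sessions": [{"timestamp": "2020-06-20T22:54:08.987Z"}], "sequence": 7},
]
SGT_MSGS = [{"operation": "CREATE", "sequence": 1},
            {"operation": "DELETE", "sequence": 3}]

if __name__ == "__main__":
    print(replay(SESSION_MSGS), replay(SGT_MSGS))
```

The recovery window includes both boundary messages, so a consumer should expect to see sessions it already holds and merge them rather than append.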
Code Samples
Code samples that show how a subscriber can detect loss and recover from it are available in GitHub. https://wwwin-gitlab-sjc.cisco.com/pxgrid/pxgrid-rest-ws-tools/tree/Loss_Detection/java/src/main/java/com/cisco/pxgrid/samples/ise/lossdetection