topic Re: ISE ERS API returns 502 in Network Security

ISE ERS API returns 502

ivanbadikov — Tue, 26 Sep 2023 08:05:22 GMT

Hello,

I've been tasked to create a script that replicates MAB entries from one deployment to another using the ciscoisesdk. In my case I have 3 source sites with 1 ISE node each and a target site with 2 ISE nodes in a distributed deployment. All of the nodes are running ISE 3.1. I followed the proper steps to enable the ERS API - enabling the API and creating an ERS admin account.

On the source nodes I have no problem using the API, everything works as expected. My problem is with the destination nodes. When I or the script make an API call to the destination node I always get the error:

{
"message": "An invalid response was received from the server",
"code": 502
}

The API call that I'm making is:

curl --location 'https://{primary_node}/ers/config/endpoint?filter=staticGroupAssignment.EQ.true' --header 'Accept: application/json' --header 'Authorization: Basic {credentials}' -k

I setup a Debug profile where the components ers, api-gateway and apiservices are all set to DEBUG, but in the respective logs there is no mentioning of the error. I tried digging through Google but I couldn't find any info regarding why this happens and I'm running out of ideas how to troubleshoot this... Any help will be much appreciated!

Thanks in advance,

Ivan

Re: ISE ERS API returns 502

Marcel Zehnder — Tue, 26 Sep 2023 09:09:49 GMT

Hi @ivanbadikov ERS API by default runs on port 9060, also the basic auth should be base64 encoded, try this:

curl -k -u YOUR_USERNAME:YOURPASSWORD "https://YOURNODE:9060/ers/config/endpoint?filter=staticGroupAssignment.EQ.true"

Re: ISE ERS API returns 502

ivanbadikov — Tue, 26 Sep 2023 09:50:04 GMT

Regarding the auth - my credentials are base64 encoded. When calling the API on port 9060 I get:
curl: (7) Failed connect to {ise_node}:9060; Connection refused
From the API Setting page:

The ERS and OpenAPI services are HTTPS-only REST APIs that operate over port 443.
Currently, ERS APIs also operate over port 9060. However, port 9060 might not be supported for ERS APIs in later Cisco ISE releases. We recommend that you only use port 443 for ERS APIs.

Re: ISE ERS API returns 502

ivanbadikov — Tue, 26 Sep 2023 09:54:11 GMT

Another this I just notices. When I navigate to https://{ise_node}/ers/sdk I get the following screen:

Re: ISE ERS API returns 502

Marcel Zehnder — Tue, 26 Sep 2023 10:53:19 GMT

Sorry, I missed the port note.

Re: ISE ERS API returns 502

thomas — Tue, 26 Sep 2023 12:31:20 GMT

This query works for me on ISE 3.3:

curl --include --insecure --location \
  --header 'Accept: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET "https://$ISE_HOSTNAME/ers/config/endpoint?filter=staticGroupAssignment.EQ.true"

HTTP/1.1 200

Be careful with your use of ' (single-quotes) vs " (double-quotes) since "'s allow variable interpolation but ''s do not.

We have examples in including Get All Endpoints in a Specifc Endpoint Identity Group. I also have many other curl examples in the ReadMe file @ https://github.com/1homas/20221004_ISE_REST_APIs_Introduction

If you are seeing "Application Server initializing..." it is because your ISE node is booting or restarting and the services that run the GUI and REST APIs are not yet available.

Re: ISE ERS API returns 502

ivanbadikov — Tue, 26 Sep 2023 13:23:30 GMT

Tried it your way and still get a 502... Seeing the "Application server is initializing." screen is strange to me because the GUI is working properly. Is there a way to check the status of the REST service or maybe restart it without restarting the whole ISE?

I think it's something related to the REST service because if I make the API call to the secodnary node it goes through without a problem.

Re: ISE ERS API returns 502

chyps — Thu, 22 Aug 2024 21:07:04 GMT

Experienced similar issue today. Processes all looked good (running) and web UI accessible, but ERS API stopped accepting requests on Primary PAN. Direct API calls from custom application and Postman resulted in a Connection Refused. Attempt to access the ers/sdk page from browser showed same Application Initializing message shown earlier in this thread. Server application services were running and the Web UI accessible. API admin account was enabled. For good measure, disabled and re-enabled admin account to ensure not an issue with account lockout but still unable to connect via API. Even tried accessing secondary PAN (also enabled for API) but received same error. Disabled and re-enabled the ERS API from Administration > System > Settings to see if something stuck but same result. Both nodes in the Deployment showed Active and in sync.

Ended up rebooting Primary PAN and API error resolved, but only Primary PAN API access was working again. To be thorough, I tried API against secondary PAN and again received connection error. Again, verified app server running under CLI (sh app status ise). Rebooted Secondary PAN, and once services back up the API was responding again. For reference, the servers were running ISE 3.1 P5.