ISE - TrustSec errors

Quintin.Mayo — Fri, 21 Feb 2020 19:10:57 GMT

Oct 14 13:37:16.181: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:39:16.182: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:41:16.183: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:43:16.235: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.

There is ALSO errors on 67 DHCP on the core…this may need digging into as well…the SGTs change with these errors:
permit udp 67
^
% Invalid input detected at '^' marker.

Oct 14 13:48:54.738: %RBM-SW2-3-RBM_PARSE_ACE: Could not parse command for adding ACE 'permit udp 67' to IP Role-Based Access List 'Deny_All-80'
Oct 14 13:48:54.738: %CTS-SW2-3-AUTHZ_POLICY_SGACL_ACE_FAILED: Failed to install IP SGACL 'Deny_All-80' for SGT=292:EW189 due to ACE 'permit udp 67' error
Oct 14 13:48:54.785: %RBM-SW1_STBY-3-RBM_PARSE_CMD: Could not parse command. See command output and errors below

permit udp 67
^
% Invalid input detected at '^' marker.

Oct 14 13:48:54.785: %RBM-SW1_STBY-3-RBM_PARSE_ACE: Could not parse command for adding ACE 'permit udp 67' to IP Role-Based Access List 'Deny_All-80'
Oct 14 13:48:54.785: %CTS-SW1_STBY-3-AUTHZ_POLICY_SGACL_ACE_FAILED: Failed to install IP SGACL 'Deny_All-80' for SGT=292:EW189 due to ACE 'permit udp 67' error

Re: ISE - TrustSec errors

Mike.Cifelli — Tue, 15 Oct 2019 12:47:35 GMT

For the DHCP SGACL try changing the syntax to: permit udp dst eq 67
For the sxp connection error, has anything changed in regard to comms between ISE and your device? Firewall? SVI ACL?

Re: ISE - TrustSec errors

Jason Kunst — Mon, 21 Oct 2019 10:36:38 GMT

Please work through tac

topic Re: ISE - TrustSec errors in Network Access Control

ISE - TrustSec errors

Re: ISE - TrustSec errors

Re: ISE - TrustSec errors