topic Re: TCP timeouts for ISE and MobileIron? in Network Access Control

TCP timeouts for ISE and MobileIron?

Martin Kling — Thu, 24 Aug 2017 07:27:01 GMT

We have a ISE 2.2 deployment that is integrated with MobileIron MDM solution. We have seen intermittent failures in the communication between the solutions (the manual check is always successful). Now we have found a possible cause for the problems as we have found "Deny TCP (no connection..)" logs in the firewall (ASA) that are separating the systems.

Do we have to tweek the tcp timeout values in the firewall to successfully integrate ISE and MobileIron? Does anyone have experience from this?

Thanks

Re: TCP timeouts for ISE and MobileIron?

gbekmezi-DD — Thu, 24 Aug 2017 21:00:57 GMT

You shouldn’t have to. Are you seeing connections being terminated due to timeout? Do you have absolute timeouts configured in the ASA by chance?

Re: TCP timeouts for ISE and MobileIron?

Martin Kling — Fri, 25 Aug 2017 09:09:45 GMT

Thanks,

The firewall is not logging session termination and it is using default settings for tcp (no service-policy tweeks applied). Time out values:

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

Re: TCP timeouts for ISE and MobileIron?

gbekmezi-DD — Fri, 25 Aug 2017 17:04:21 GMT

I would take a packet capture to better understand when this happens. Take a capture on the inside and outside with an ACL to limit the capture to this traffic. The next time you see the no connection message, look at the capture to determine if ISE, MobileIron, or the ASA is responsible for killing the connection. Also, depending on what level your logs are being generated at, you may not see the timeout message. You should probably increase the log level to debug while you are troubleshooting this problem.

George

Re: TCP timeouts for ISE and MobileIron?

Martin Kling — Thu, 31 Aug 2017 07:01:40 GMT

The issue orginated from MobileIron. A upgrade from v9.1 to 9.4 solved the problem.

Thank you for your inputs

Re: TCP timeouts for ISE and MobileIron?

gbekmezi-DD — Thu, 31 Aug 2017 19:09:26 GMT

Thanks for closing the loop.

Re: TCP timeouts for ISE and MobileIron?

mike.jacobs — Wed, 17 Jan 2018 18:48:06 GMT

We are having a similar issue. We have ISE 2.1 patch 5 and MobileIron 9.2 in production and 9.5 for testing. The MDM setup in ISE for both MDM platforms reports successful tests, but when we compose conditions that check the 9.2 version for device status ISE just fails the call and moves on to new rules/conditions. The same checks to the 9.5 platform pass.

Does anyone have documentation regarding this bug or methodology for proving this bug condition?

Re: TCP timeouts for ISE and MobileIron?

Muthu Mani — Thu, 25 Jan 2018 07:17:12 GMT

There is know issue in Mobileiron API calls in Mobileiron 9.2 version and there was patch released by Mobileiron, the down side of the patch is when ever you reboot Mobileiron server the patch has to be re-applyed, and it is expected to fix in Mobileiron 9.5.

I tested ISE 2.1 with Mobileiron 9.2 and Mobileiorn patch and it worked for me

now i am testing ISE 2.1 with Mobileiron 9.5 so for it is not working, seems this combination worked for you , can you tell me what is the ISE and Mobileiron version you used including patch version please for both.

Thanks

V.Muthu