topic I'm using ISE 2.0.306 with in Network Access Control

Prime Infrastructure integration with ISE 2.0 issue

andrewswanson — Mon, 11 Mar 2019 06:12:57 GMT

Hello

I recently upgraded an ISE 1.4 (patch3) distributed deployment to version 2.0.0.306 to fix a known bug. The upgrade was successful in fixing the bug but seems to have broke Prime Infrastructure integration.

After the ISE upgrade, Prime Infrstructure's ISE server (the ISE deployment's primary pan/mnt node) is listed as unreachable.PI version is 2.2.

When I try and make changes to PI's ISE server I get the error:

Identity Services Engine update failed : Some unexpected internal error has occurred. If the problem persists please report to the Tech Support

I tried integrating PI 3.0 with the upgraded ISE but when I try and add the ISE 2.0 server I get the error:

Error(s): You must correct the following error(s) before proceeding:

Error: The connection to Identity Services Engine with IP Address <ISE_IP> has timed out. Please check the network connectivity and the user account status on the Identity Services Engine

A TCP dump on ISE for both PI 2.2 and 3.0 show a TLS 1.2 Handshake Failure (40). I found a similar issue in the following thread:

https://supportforums.cisco.com/discussion/12615841/cisco-prime-infrastructure-and-ise-integration

I don't have access to view the bug CSCur43834 - can anyone tell me if this affects my environment of ISE 2.0.0.306 and PI 2.2.0/3.0

Thanks
Andy

ps ISE uses 3rd party certificates for EAP/GUi and work fine - root/intermediate are listed in ISE as trusted

Tested this with latest

andrewswanson — Tue, 10 Nov 2015 07:21:21 GMT

Tested this with latest versions of PI (3.01 and 2.2.3) and saw the same issue. PI sends a client hello with TLS version 1.0 and ISE 2.0 responds with handshake failure with TLS version 1.2.

Contacted TAC - PI isn't currently compatible with ISE 2.0 for integration.

Cheers

Andy

I'm using ISE 2.0.306 with

cisco_tac_cr — Sat, 12 Dec 2015 14:39:48 GMT

I'm using ISE 2.0.306 with PI3 P1 and have the same issue. Any news from BU?

I spoke with the TAC on this

Marvin Rhoads — Sat, 12 Dec 2015 19:08:00 GMT

I spoke with the TAC on this issue just yesterday.

The issue is indeed arising from a TLS handshake error. I grabbed a packet capture from my lab system and see it as well. The TAC engineer confirmed this is the root cause.

BugID CSCur43834, while similar, is confirmed NOT to be the one affecting ISE 2.0. There is a new bugID (not published publicly yet) that covers this particular issue. I didn't get the ID from the TAC engineer.

The TAC engineer told me that BU that owns Prime Infrastructure has slated PI 3.1 to include a fix for this behavior. The projected release date is February 2016.

Still not supported. Cisco

Patrik Rapposch — Wed, 27 Jan 2016 06:54:26 GMT

Still not supported. Cisco software is getting worse and worse. Tried to upgrade a Cisco 3850 stack with PI to Denali and ended in a boot loop.

Prime/Ise/Denali feel like a beta test @the customer...

Good afternoon. There were

diesel315 — Thu, 25 Feb 2016 05:11:35 GMT

Good afternoon.
There were news? Same problem...

Ciao Andrew,

Marco Aresu — Wed, 02 Mar 2016 13:35:49 GMT

Ciao Andrew,

do you have BugID? Cannot associate ISE (2.0 patch 2) on PI (2.2).

thanks

Marco

Hi Marco. I didn't get a

andrewswanson — Wed, 02 Mar 2016 13:51:41 GMT

Hi Marco. I didn't get a BugID from TAC. I was told this would be fixed early 2016 in PI 3 (no mention of this being fixed with PI 2.X). Other posters indicate this will be fixed in the yet unreleased PI 3.1

hth

Andy

Just installed the newest

Cory Peterson — Fri, 18 Mar 2016 15:08:21 GMT

Just installed the newest update - Prime 3.0.3 released 15MAR2016 and the issue is still not resolved.

The BU had relayed in the past that the Fix for this issue would be out by the end of February and that Prime 3.1 would be released by the end of the First quarter. Needless to say this was also back in January so the timelines could have changed.

According to presentations

Marvin Rhoads — Sun, 20 Mar 2016 14:38:57 GMT

According to presentations given during Cisco Live Berlin, Prime 3.1 is due out this month.

See BRKNMS-2701, slide 199:

Prime Infrastructure 3.1 Highlights
Available March 2016

NEW SWIM Workflow– support for external 3rd party S/FTP servers for distributed distribution
Enhanced Config baseline Compliance –
Support for AirOS and the ability to e-mail reports/job results
Global Variable across all templates– Define configuration variables and use them across any/all templates
Global Search from Web Search Bar– search configs, clients, devices etc. e.g. search for serial numbers within search bar, search for every config that has "no aaa new-model"

On an unrelated note, the

Toivo Voll — Mon, 21 Mar 2016 13:02:29 GMT

On an unrelated note, the ability to search configs is a nice step in the right direction.

Hi

Craig Le-Butt — Sat, 02 Apr 2016 19:37:58 GMT

No Prime 3.1 yet. I asked our Cisco SE contact the other week when it is due, he said heard end of March, just watched the ciscolive presentation, now says April.

cheers

Don't bother with installing

Frank Lothar Weber — Tue, 26 Apr 2016 08:26:34 GMT

Don't bother with installing Prime 3.1, ISE 2.0 integration does not work with Prime 3.1 either:

Just upgraded Prime to 3.1.0.0.132 (via upgrade bundle),

Version information of installed applications
---------------------------------------------

Cisco Prime Infrastructure
********************************************************
Version : 3.1.0
Build : 3.1.0.0.132

still not able to connect to ISE 2.0:

Cisco Identity Services Engine
---------------------------------------------
Version : 2.0.1.130
Build Date : Thu Mar 3 02:38:48 2016

same error message as before: "Some unexpected internal error has occured. ....."

Rgs

Frank

UPS !!!

Frank Lothar Weber — Tue, 26 Apr 2016 08:44:24 GMT

UPS !!!

Seems that I was wrong with the last post, the user-id that is used by Prime to connect to ISE was disabled on ISE.... !!!!

Adding ISE monitoring nodes to Prime works now, nevertheless, the error message is quite confusing !!!

Hello Frank ,

uma dash — Thu, 12 May 2016 06:17:05 GMT

Hello Frank ,

Could you please elaborate how to enable the user-id on ISE and which user-id the PI was using to try to connect to ISE ? Is it the " web_root " user-id ?

Hi,

Frank Lothar Weber — Thu, 12 May 2016 13:32:25 GMT

Hi,

the userid which is used by PI to connect to ISE has to be configured on ISE as an "Admin User" account (Administration/Admin Access/Admin Users).

This would be a GUI Admin account, not a CLI admin ......!!!

In my case I have given this user an recognizable name (CPItoISE), gave a password to it, enabled it ("Change Status") and granted "Super Admin" role to it.

I don't know, if this would also work with a role with lesser rights (haven't checked that out yet, still a test deployment ....).

Rgs

Frank

Hi,

jedolphi — Wed, 06 Jul 2016 06:46:19 GMT

Hi,

ISE 2.0 requires PI 3.1.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/compatibility/ise_sdt.html#pgfId-216582

Re: Hi,

amolchavan — Fri, 02 Mar 2018 12:10:59 GMT

worked for me , thanks