ISE 3.0 Patch 4 - PxGrid Broken

Louis Gonzales — Wed, 15 Dec 2021 22:04:36 GMT

Anyone else having issues with pxGrid not working on ISE 3.0 Patch 4 in a distributed deployment? All of my integrations between ISE and our WSA, FMC and Stealthwatch are broken. Even running the Health Monitor Test for pxGrid fails with the log output below. I have a TAC case open but just wondering if anyone else has pxGrid issues with 3.0

15-Dec-2021 20:40:04 [INFO] ************** pxGrid Session Directory Test ***************
15-Dec-2021 20:40:04 [INFO] ----------------- Starting Connection Test -----------------
15-Dec-2021 20:40:04 [INFO] pxGrid Node: [PAN Node Name Removed]
15-Dec-2021 20:40:04 [ERROR] Test set up failed due to internal error. Exception: {}
javax.net.ssl.SSLProtocolException: The size of the handshake message (34086) exceeds the maximum allowed size (32768)
at sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:309)
at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:190)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1383)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1291)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264)
at com.cisco.cpm.pxgrid.connection.TestSessionDirectoryHelper.sendRequest(TestSessionDirectoryHelper.java:114)
at com.cisco.cpm.pxgrid.connection.TestSessionDirectoryHelper.serviceLookup(TestSessionDirectoryHelper.java:62)
at com.cisco.cpm.pxgrid.connection.TestSessionDirectory.testConnection(TestSessionDirectory.java:153)
at com.cisco.cpm.pxgrid.connection.TestSessionDirectory.runTest(TestSessionDirectory.java:118)
at com.cisco.cpm.pxgrid.connection.TestSessionDirectory.main(TestSessionDirectory.java:95)
15-Dec-2021 20:40:04 [INFO] ------------------ Connection Test FAILED ------------------
15-Dec-2021 20:40:04 [INFO] ********** pxGrid Session Directory Test Complete **********

Re: ISE 3.0 Patch 4 - PxGrid Broken

hslai — Mon, 20 Dec 2021 01:49:11 GMT

Yes, we have seen some customer deployments with lots of stale certificates in the database. Please ask TAC to clean them up or escalate to our BE teams as needed.

topic Re: ISE 3.0 Patch 4 - PxGrid Broken in Network Access Control

ISE 3.0 Patch 4 - PxGrid Broken

Re: ISE 3.0 Patch 4 - PxGrid Broken