topic Hi RG, I'm having the same in Network Access Control

Cisco Prime Infrastructure and ISE Integration

rgreville666 — Mon, 11 Mar 2019 06:05:40 GMT

Hi,

I'm current struggling to get PI and ISE to integrate, these are running:

ISE 1.3.0.876
PI 2.1.0.0.87

To integrate ISE with PI, on the PI server I browse to

Design > Management Tools >External Management Servers > ISE Servers

I enter all the correct details but I get an error message:

Error: Identity Service Engine with IP Address XXX.XXX.XXX.XXX is not reachable. Please check the network connectivity of the Identity Services Engine.

Both devices are in the same subnet, there’s no filtering taking place. Both servers can see each other without an issue. From the CLI I can confirm I can see an ARP and can ping each other without issue. Both the CPI primary and ISE Primary server are located on the same ESX host.

Any ideas?????

Is your ISE deployment single

Marvin Rhoads — Fri, 25 Sep 2015 12:30:58 GMT

Is your ISE deployment single node? If it's distributed, you should be pointing to the M&T server(s).

We recently discussed over in the Network Management forum where I showed some examples.

Hi Marvin,This was sourced

rgreville666 — Fri, 25 Sep 2015 12:49:39 GMT

Hi Marvin,

This was sourced from my primary MnT/PAN (Primary for both roles at present)

Do you think its a version conflict?

Thanks

I doubt it's a version

Marvin Rhoads — Fri, 25 Sep 2015 12:55:01 GMT

I doubt it's a version conflict. I've integrated ISE 1.2, 1.3 and 1.4 with PI 2.0, 2.1 and 2.2 at various times (though I can't say with certainty I've done your exact mix).

If I were troubleshooting I'd dig into the packets a bit to see what's going on (or open a TAC case). You can initiate a packet capture from either system - PI from the root shell or ISE from the troubleshooting tools in the GUI.

Just to confirm, I have also

rgreville666 — Fri, 25 Sep 2015 13:02:47 GMT

Just to confirm, I have also moved the roles over but still seeing the same error..

Host	PAN	MnT	PSN
DC1 Server 1	PRI	SEC
DC2 Server 1	SEC	PRI
DC1 Server 2			YES
DC2 Server 2			YES

Marvin,great shout on the

rgreville666 — Fri, 25 Sep 2015 13:18:26 GMT

Marvin,

great shout on the packet capture.. looks like I have a TLS/SSL issues which I think I known why.. I'll keep you posted.

Thanks

I thought the issue was due

rgreville666 — Mon, 28 Sep 2015 09:10:02 GMT

I thought the issue was due to a certificate issue.

I have updated the management certificates on all ISE and PI servers, these are allocated via our internal CA. The management certificates have been working not throwing errors since they were installed (my laptop has the CA certs installed via AD CS)

On the ISE servers I had uploaded the CA certs but missed this off the PI servers. I presumed it was due to the PI not trusting the certificate allocated to the ISE server (As it didn't have the CA certs). After updating the CA certs I still get the same issue.

I do see a TLSv1 Handshake error in the packet capture, this hasn't changed post CA cert upload.

Going to raise a TAC case.

Hi RG, I'm having the same

tjoliveira — Tue, 29 Sep 2015 08:06:06 GMT

Hi RG,

I'm having the same problem. A TCPDump on ISE shows that ISE is replying with a TLSv1 "handshake failure" to Prime's SSLv2 "client hello".

If possible, keep this post updated with TACs reply. My environment:

Prime: 2.1.0.0.87

ISE: 1.4.0.253 patch 3

Thanks in advance.

Regards,

Interesting. I wonder what

Marvin Rhoads — Tue, 29 Sep 2015 10:58:13 GMT

Interesting. I wonder what would happen if you imported the Prime Infrastructure server certificate into ISE's store as a trusted certificate.

Are both ISE and PI certificates issues from the same trusted root CA. Do you have any intermediate certificates loaded into ISE in addition to the root?

If I can answer with my case,

tjoliveira — Tue, 29 Sep 2015 15:50:33 GMT

If I can answer with my case, the SSL breaks just after the first client hello, the server certificate is not even changed.

I'm wondering if it's not because ISE don't accept any of the ciphers proposed by Prime (see attached).

TJ - that might very well be

Marvin Rhoads — Tue, 29 Sep 2015 16:13:23 GMT

TJ - that might very well be the case.

I came across a handy utility use for nmap to check supported cipher specs on a host. You might give it a whirl to check your hypothesis:

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

TAC have informed me this is

rgreville666 — Tue, 29 Sep 2015 16:53:32 GMT

TAC have informed me this is a bug, you need to upgrade via a patch which is downloadable from CCO.

The bug ID is CSCur43834

I have not completed the patch as yet, I will keep you posted.

Thanks

RG,

Marvin Rhoads — Thu, 03 Dec 2015 00:04:20 GMT

RG,

Were you ever able to get this patch?

Yes, installed and working

rgreville666 — Thu, 03 Dec 2015 00:34:44 GMT

Yes, installed and working without issue since.

Thanks

Thanks for the update. I'll

Marvin Rhoads — Thu, 03 Dec 2015 01:42:39 GMT

Thanks for the update. I'll open a TAC case myself to get it now that I've run across the same issue. I had forgotten this thread conversation until Google reminded me. 🙂

I see the same TLS 1.0 - 1.2 negotiation failure you ran across when I did a tcpdump from ISE 2.0. It even happens with PI 3.02. The BugID still isn't public. 😞

FYI the BugID you cited is

Marvin Rhoads — Sun, 13 Dec 2015 16:05:53 GMT

FYI the BugID you cited is only applicable to the ISE 1.x and PI2.x scenario.

The integration is broken (again) in ISE 2.0 - PI 3.0. There's an unpublished BugID on the issue.

My TAC engineer told me that PI 3.1 (ca. February 2016) will fix it.