https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633323#M575546 <P>&nbsp;</P> <P>&nbsp; &nbsp;- FYI :&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-queue-link-error/ta-p/4625179" target="_blank">https://community.cisco.com/t5/security-documents/ise-queue-link-error/ta-p/4625179</A></P> <P>&nbsp;M.</P> Thu, 16 Jun 2022 16:35:38 GMT Mark Elsen 2022-06-16T16:35:38Z https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4631070#M575446 <P>I have a pair of ISE 3.1 patch-3 running as:</P><P>&nbsp;</P><P>node1:&nbsp; Primary Admin; Primary MNT; PSN</P><P>node2:&nbsp; Secondary Admin; Secondary MNT; PSN</P><P>&nbsp;</P><P>Everything is working fine until as security audit, the security team uses Qualys to scan these ISE devices.&nbsp; During the scan, I got the following these messages:</P><P>&nbsp;</P><P>Queue Link Error: Message=From node2 To node1; Cause={tls_alert;{unknown_ca;"tls Client: In State Certify At Ssl_handshake.erl:1887 Generated Client Alert: Fatal - Unknown Ca\n"}</P><P>Queue Link Error: Message=From node1 To node2; Cause={tls_alert;{unknown_ca;"tls Client: In State Certify At Ssl_handshake.erl:1887 Generated Client Alert: Fatal - Unknown Ca\n"}</P><P>&nbsp;</P><P>During the Qualys scan, both the radius &amp; tacacs logs came up empty, and the system is very slow responding.&nbsp;</P><P>&nbsp;</P><P>Is that expected?&nbsp; I thought SNS-3615 should be able to handle Qualys scan.&nbsp; Thoughts?</P> Mon, 13 Jun 2022 20:39:18 GMT https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4631070#M575446 adamscottmaster2013 2022-06-13T20:39:18Z https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4632471#M575504 <P>This has nothing to do with the Qualys scan.&nbsp; This is the ISE messaging certificate.&nbsp; You need to re-generate the ISE root CA and then re-generate the ISE messaging service certificate for all nodes.&nbsp;&nbsp;</P> Wed, 15 Jun 2022 15:16:00 GMT https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4632471#M575504 ahollifield 2022-06-15T15:16:00Z https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633198#M575535 <P>I resolved the issue by blocking Qualys from scanning this ISE and haven't seen this issue for the past few days.</P> Thu, 16 Jun 2022 13:52:26 GMT https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633198#M575535 adamscottmaster2013 2022-06-16T13:52:26Z https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633323#M575546 <P>&nbsp;</P> <P>&nbsp; &nbsp;- FYI :&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-queue-link-error/ta-p/4625179" target="_blank">https://community.cisco.com/t5/security-documents/ise-queue-link-error/ta-p/4625179</A></P> <P>&nbsp;M.</P> Thu, 16 Jun 2022 16:35:38 GMT https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633323#M575546 Mark Elsen 2022-06-16T16:35:38Z https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633611#M575567 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1191533">@adamscottmaster2013</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;interesting ... could you please double check your <STRONG>Qualys</STRONG> configuration via the&nbsp;<A href="https://www.youtube.com/watch?v=EVKXqqfJD_M" target="_blank" rel="noopener">ThreatCentric NAC with Qualys and ISE</A>.?</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Regards</P> Fri, 17 Jun 2022 06:50:00 GMT https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633611#M575567 Marcelo Morais 2022-06-17T06:50:00Z https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633848#M575581 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291804">@Mark Elsen</a>:&nbsp; As I've said before, I blocked qualys from scanning the ISE appliances and have not seen queue-link error since.&nbsp;</P> Fri, 17 Jun 2022 15:08:03 GMT https://community.cisco.com/t5/network-access-control/queue-link-error-message-from-primary-ise-to-secondary-ise-cause/m-p/4633848#M575581 adamscottmaster2013 2022-06-17T15:08:03Z