topic Re: Issue with SXP between ASAv and ISE in Network Access Control

Issue with SXP between ASAv and ISE

Anders Fredriksson — Wed, 21 Feb 2024 09:42:42 GMT

Hi all,

I’m experiencing an annoying problem when configuring SXP between ASA and ISE for a PoC environment. I have configured Radius and basic Trustsec and ‘everything’ works fine until SXP is configured. SXP (ASA) won’t connect regardless settings on ASA. Status is either “Pending On” or “Off”.

ASA debug shows this message:
[cts sxp message error]: trp_socket_read: socket_recv failed; fd = 4, errno = 13, err_msg = Permission denied

Technically, I might not need SXP as this ASA is intended for RA VPN only. If ISE return attributes ASA can use those will not change for the duration of the VPN session, or am I missing something? Does anyone have any ideas on why ASA logs a Permission Denied?

There is a firewall between ASA and ISE but that literally has an “allow any any” rule for now.

*** VERSIONS ***
ASAv: 9.20(2)2
ISE: 3.2.0.542, patch:5

*** ASA DEBUG ***
debug cts all
debug cts sxp all

[cts sxp message error]: trp_socket_read: socket_recv failed; fd = 4, errno = 13, err_msg = Permission denied

*** ASA CONFIGURATION ***
ssh 10.2.2.0 255.255.255.0 inside
aaa-server ISE-RADIUS protocol radius
interim-accounting-update periodic 24
dynamic-authorization
aaa-server ISE-RADIUS (inside) host ise-node01.mydomain.com
timeout 8
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
aaa-server ISE-RADIUS (inside) host ise-node02.mydomain.com
timeout 8
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
cts server-group ISE-RADIUS
cts sxp enable
cts sxp default password *****
cts sxp default source-ip 10.1.1.5
cts sxp connection peer 10.2.2.43 password default mode local listener
cts sxp connection peer 10.2.2.44 password default mode local listener

/Anders

Re: Issue with SXP between ASAv and ISE

Rob Ingram — Wed, 21 Feb 2024 12:34:17 GMT

@Anders Fredriksson

I assume the SXP service is enabled on the ISE PSN?

Is the firewall in between ISE performing NAT, that could cause a problem.

From the ASA take a packet capture of the SXP traffic to confirm communication to/from ISE (or not), filter on TCP port 64999 for SXP.

Re: Issue with SXP between ASAv and ISE

Anders Fredriksson — Wed, 21 Feb 2024 14:41:36 GMT

@Rob Ingram

Thank you for pointing me in the right direction!
The capture showed that both ISE and ASA were mutually ignoring each other by not responding to connection requests (SYN packets -> wait 120 sec -> try again).
5 x ASA -> ISE TCP/64999 SYN
5 x ISE -> ASA TCP/64999 SYN
…
…

Enter weirdness,
I changed password type to “None” on both devices and then it worked. But how can an SXP setting take effect before a session is established? Shouldn’t that be something to convey in the session after establishment? Obviously, I have some reading to do!

/Anders