topic Re: PassiveID problems in Network Access Control

PassiveID problems

Janne K. — Wed, 14 Jan 2026 13:54:58 GMT

Hi there,

Im having som trouble setting up PassiveID in a new ISE install.
ise version 3.4 patch 4

I have 3 nodes, all of them have passiveid enabled, and i can see the service running in cli with 'sh app stat ise'

in the ise passiveid-agent.log i see this continuously:
2026-01-14 13:28:33,941 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Agent DC04.domain.dk did not set DCs status during the last 5 minutes - marking it down.
2026-01-14 13:28:33,942 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Make sure agent is up and running.. Identity Mapping.probe = Agent , Identity Mapping.dc-host = DC04.domain.dk , Identity Mapping.server = ISEPAN-01 ,
2026-01-14 13:28:33,942 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Make sure agent is up and running.. Identity Mapping.probe = Agent , Identity Mapping.dc-host = DC04.domain.dk , Identity Mapping.server = ISEPSN-01 ,
2026-01-14 13:28:33,942 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Make sure agent is up and running.. Identity Mapping.probe = Agent , Identity Mapping.dc-host = DC04.domain.dk , Identity Mapping.server = ISEMON-01 ,

and on the DC in the CiscoISEPICAgent log i see this:
2026-01-14 13:31:29,652 ERROR - Rest Client, Error getting configuration from https://ISEPAN-01.domain.dk:9095 : The operation has timed out
2026-01-14 13:31:29,652 ERROR - Rest Client, Error getting configuration from https://ISEPSN-01.domain.dk:9095 : The operation has timed out
2026-01-14 13:31:29,652 ERROR - Rest Client, Error getting configuration from https://ISEMON-01.domain.dk:9095 : The operation has timed out
2026-01-14 13:31:30,672 ERROR - Configuration , Received empty config

the pic service is running fine, also after a restart.

when i do a tcp dump from ISE i see that ISE closes the incoming connection on port 9095 from the DC: (picture)

And doing a 'show ports' on ise cli It does not show any port 9095 anywhere.

Reloading the nodes does not help either.

Should i just go ahead and contact TAC? or does anyone have had similar problems?

Re: PassiveID problems

Cristian Matei — Mon, 26 Jan 2026 19:47:13 GMT

Hi,

@Janne K. Did you figure it out? To me, it looks that because it fails to get the config, the socket is not opened, thus you don't see port 9095 opened, although the service is running.

Looks like you're hitting the bug, see the proposed WA:

https://bst.cisco.com/bugsearch/bug/CSCvy83653?rfs=qvlogin

If not, suggest to upgrade to the latest patch, however to avoid unnecessary bloat on the HDD, backups and taking all this crap with you in following upgrades, first rollback all patches, before applying only the latest patch:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215406-patch-installation-on-ise-and-faq-durin.html

Thanks,

Cristian.

Re: PassiveID problems

Stefan Mihajlov — Mon, 26 Jan 2026 20:24:44 GMT

@Janne K. since the port is not listening please verify in the GUI that a valid system certificate is assigned to the passive identity role.. if the certificate is correct, try disabling and then re-enabling the Passive Identity service checkbox under the Deployment settings to force the service to reload

Re: PassiveID problems

Janne K. — Tue, 27 Jan 2026 07:50:44 GMT

After uninstalling patch 4 it started working as intended.
I tried with patch 3 instead, but that nukes the ise application on the sns-3855, (no problem on the 3815 though...) even on a fresh 3.4 install and then i have to reimage the nodes.

Im gonna get TAC involved.

Re: PassiveID problems

Janne K. — Mon, 23 Mar 2026 08:44:19 GMT

I ran into a bug. https://bst.cisco.com/quickview/bug/CSCws65812

Bug is present from 3.3 p8 forwards. fix will likely com in 3.3 p11, 3.4 p6 and 3.5 p4

Re: PassiveID problems

jonathankarras — Mon, 04 May 2026 15:52:28 GMT

Looks like it didn't make the cut for 3.4 p6. Unless they just haven't updated the BugID yet.