https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5259209#M1119492 <P>For the integration itself I don't believe you need SXP as ISE and FMC are integrated via pxGrid. However, the SXP could be required if you want to propagate the SGTs over L3 links where the devices in the path (ISP CPE for instance) do not keep or process the tag. In that case SXP would be required, but as I said not for the integration between ISE and FMC.</P> Tue, 11 Feb 2025 16:48:09 GMT Aref Alsouqi 2025-02-11T16:48:09Z https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5257415#M1119367 <P><SPAN class="tabs2_section tabs2_section_1 tabs2_section1 tab_section" data-header-only="false" data-section-id="1e9099580a0a3c0874ac17963aab6026" aria-hidden="false" aria-labelledby="section_tab.1e9099580a0a3c0874ac17963aab6026"><SPAN class="section state-closed" data-header-only="false"><SPAN>We were affected several times for an error that prevented us to continue with the deployment of any modifications in our Cisco Firepower, and the error seems to be related to ISE/SGT integration:<BR /><BR /><BR /><BR /><BR /><BR />At the moment, we are using the following workaround: uncheck “SXP Topic” -&gt; Save, then check back again “SXP Topic” -&gt; Save:<BR /></SPAN></SPAN></SPAN></P> <DIV id="tinyMceEditorAmen_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Amen_1-1738828280435.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/239376i2AC2CD373108C553/image-size/medium?v=v2&amp;px=400" role="button" title="Amen_1-1738828280435.png" alt="Amen_1-1738828280435.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Amen_2-1738828309318.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/239377iF6C477FD73D12120/image-size/medium?v=v2&amp;px=400" role="button" title="Amen_2-1738828309318.png" alt="Amen_2-1738828309318.png" /></span></P> <P>&nbsp;</P> <P><SPAN class="tabs2_section tabs2_section_1 tabs2_section1 tab_section" data-header-only="false" data-section-id="1e9099580a0a3c0874ac17963aab6026" aria-hidden="false" aria-labelledby="section_tab.1e9099580a0a3c0874ac17963aab6026"><SPAN class="section state-closed" data-header-only="false"><SPAN><BR />After execution of this workaround, we can continue normally.<BR /><BR /><BR />is there anyway to avoid that? Is there any know bug or information about this? Perhaps some commands we can run to gather information to help troubleshoot next time?</SPAN></SPAN></SPAN></P> Thu, 06 Feb 2025 07:53:15 GMT https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5257415#M1119367 Amen 2025-02-06T07:53:15Z https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5257699#M1119378 <P>Are you using that security rule that has "DigIT_Infra" tag selected? if not, you can remove that rule. The error you shared seems to be talking about having that tag deleted, mabye there is an issue between ISE and your FMC that is preventing the synchronization from happening? Finally, if you are not using SXP then you can leave it off, you only need that if you are actually encapsulating the SGTs over L3 links.</P> Thu, 06 Feb 2025 17:42:19 GMT https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5257699#M1119378 Aref Alsouqi 2025-02-06T17:42:19Z https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5259207#M1119491 <P>Yes, we are using the “DigIT_Infra” SGT. That is the only one you can see in the screenshot, but the full list of all SGT is included in the scroll down window. This mans that is complaining about all of them.</P> <P>&nbsp;</P> <P>As far as I understand, I need SXP between Firepower an ISE server,&nbsp;Communications between them are over internal L3 links. right?</P> <P>&nbsp;</P> Tue, 11 Feb 2025 16:29:38 GMT https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5259207#M1119491 Amen 2025-02-11T16:29:38Z https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5259209#M1119492 <P>For the integration itself I don't believe you need SXP as ISE and FMC are integrated via pxGrid. However, the SXP could be required if you want to propagate the SGTs over L3 links where the devices in the path (ISP CPE for instance) do not keep or process the tag. In that case SXP would be required, but as I said not for the integration between ISE and FMC.</P> Tue, 11 Feb 2025 16:48:09 GMT https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5259209#M1119492 Aref Alsouqi 2025-02-11T16:48:09Z https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5259220#M1119495 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1171234">@Amen</a> the FMC will learn the SGT (and dynamic IP bindings) via the pxGrid integration to ISE. The SXP integration to ISE would be used if you are publishing static IP binding from ISE, optional not mandatory.</P> <P>From the FMC expert mode, you can r<SPAN>un the command <STRONG><EM>adi_cli session </EM></STRONG>will display the sessions sent from ISE to the FMC and&nbsp;run the command <STRONG><EM>cat /var/sf/run/adi-health</EM></STRONG> will provide information on the state to confirm this integration is working.</SPAN></P> Tue, 11 Feb 2025 17:00:41 GMT https://community.cisco.com/t5/network-security/cisco-firepower-deployment-issue/m-p/5259220#M1119495 Rob Ingram 2025-02-11T17:00:41Z