topic Re: FMC 6.2 ISE 2.2 integration in Network Security

FMC 6.2 ISE 2.2 integration

hedhli.wael — Fri, 21 Feb 2020 14:29:16 GMT

Hi all ,

intergration between FMC and ISE fails when testing .

i see the below errors in the logs after a successful ssl handshake :

Captured Jabberwerx log:2017-10-13T10:37:52 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ISE-1.cn.aura:8910/pxgrid/mnt/sd/getSessionListByTime'
Captured Jabberwerx log:2017-10-13T10:37:52 [ ERROR]: curl_easy_perform() failed: (6) Couldn't resolve host name at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240

it seems a dns resolving problem but the FMC resolve ISE hostname .

a detailed log file is attached .

thank you for your help .

Re: FMC 6.2 ISE 2.2 integration

Tee Chin Poh — Sun, 12 Nov 2017 20:32:26 GMT

do you have any solution for this problem?

Re: FMC 6.2 ISE 2.2 integration

hedhli.wael — Sun, 12 Nov 2017 21:00:59 GMT

the problem disappeared after I sync the two (FMC and ISE) with the same ntp server

Re: FMC 6.2 ISE 2.2 integration

Tee Chin Poh — Mon, 13 Nov 2017 07:56:04 GMT

now i have this problem.currently i'm using self sign certificate on ISE and import to FMC.

Queried 1 bulk download hostnames:ISE.ddpg.com:8910
...successfully connected to ISE server.
Starting bulk download
Captured Jabberwerx log:2017-11-13T07:36:45 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ISE.ddpg.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Starting SSL Handshake, SSL state:before/connect initialization
Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x5A0860370000000071E91C75D3E246CE', issued by 'CN = ISE.ddpg.com', to 'CN = ISE.ddpg.com'
...because SSL negotiation encountered error: self signed certificate
...while validating this entry in the certificate chain: Certificate with Serial Number '0x5A0860370000000071E91C75D3E246CE', issued by 'CN = ISE.ddpg.com', to 'CN = ISE.ddpg.com'
Sending SSL alert:unknown CA
Sending SSL alert:close notify
Captured Jabberwerx log:2017-11-13T07:36:45 [ ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
bulk download iter next failed REST errorPeer certificate cannot be authenticated with given CA certificates
Failed to validate bulk download.
disconnecting pxgrid

Re: FMC 6.2 ISE 2.2 integration

hedhli.wael — Mon, 13 Nov 2017 08:24:17 GMT

It seems like a certification authentication problem, did you checked ISE/FMC docs about the integration using self signed certs?
it is recommended to use CA certs, you can generate one using the csr file retrieved from your ISE.
certs must be for both server and client authentication (in the enhanced key usage) .

Don't forget to upload the root certificate too .

Re: FMC 6.2 ISE 2.2 integration

Tee Chin Poh — Mon, 13 Nov 2017 09:18:18 GMT

actually i found out what is the problem. the CN for FMC side i need to set FQDN. so FMC and ISE only can communicate. thanks for your help too

Re: FMC 6.2 ISE 2.2 integration

hedhli.wael — Mon, 13 Nov 2017 09:22:28 GMT

Good 🙂