https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3210027#M905439 <P>It could be a bug / TLS compatibility issue. I'd recommend opening a TAC case since the ISE compatibility matrices don't list CSM (any version) as compatible despite what the CSM documentation indicates.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html" target="_blank">https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html</A></P> <P>&nbsp;</P> <P>We had the same thing a while back with ISE and Prime Infrastructure. ISE (2.0 if I recall correctly) locked down TLS to 1.2 only while PI was still only able to talk TLS 1.1. It wasn't until PI (3.0 or 3.1 if I recall correctly) added TLS 1.2 support that integration worked once again.</P> <P>&nbsp;</P> Fri, 03 Nov 2017 02:43:58 GMT Marvin Rhoads 2017-11-03T02:43:58Z https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3208770#M905437 <P>Hi,</P> <P>&nbsp;</P> <P>I am trying to&nbsp; integrate Cisco CSM to ISE so that I can resolve the security group tags from CSM.</P> <P>I understand that in order to to be able to retrieve the group tags with a search name/tag in "Security group selector" we need to configure ISE Settings under "CSM &gt;Tools &gt;Security Manager Administration &gt; ISE Settings"</P> <P>This is as per Cisco's Documention for CSM:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/syspage.html#34637" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/syspage.html#34637</A></P> <P>&nbsp;</P> <P>However, when I enter the ISE IP and Credentials in this page and click on Test Connectivity, it fails and give an error message "Unable to establish the connection. Please verify that the IP address, username, password are correct.&nbsp;</P> <P>&nbsp;</P> <P>My first thought was that CSM was failing to communicate with ISE. So, I checked if there was any firewall block for this communication. There wasn't any firewall block for this. I did a packet capture and found that CSM is trying to communicate with ISE on port 443. After the initial TCP handshake, I get a handshake failure for TLS v1.2 from ISE and then the connection is torn down.</P> <P>&nbsp;</P> <P>I am trying to understand if there is any configuration needed on ISE for this? Any help would be appreciated.&nbsp;</P> <P>&nbsp;</P> <P>Thank you,</P> <P>Rohit.</P> Fri, 21 Feb 2020 14:37:07 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3208770#M905437 rohitbhanu009 2020-02-21T14:37:07Z https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3210027#M905439 <P>It could be a bug / TLS compatibility issue. I'd recommend opening a TAC case since the ISE compatibility matrices don't list CSM (any version) as compatible despite what the CSM documentation indicates.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html" target="_blank">https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html</A></P> <P>&nbsp;</P> <P>We had the same thing a while back with ISE and Prime Infrastructure. ISE (2.0 if I recall correctly) locked down TLS to 1.2 only while PI was still only able to talk TLS 1.1. It wasn't until PI (3.0 or 3.1 if I recall correctly) added TLS 1.2 support that integration worked once again.</P> <P>&nbsp;</P> Fri, 03 Nov 2017 02:43:58 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3210027#M905439 Marvin Rhoads 2017-11-03T02:43:58Z https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3700250#M905442 <P>CSCvg18306</P> Tue, 04 Sep 2018 10:11:40 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3700250#M905442 Peter Koltl 2018-09-04T10:11:40Z https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3700255#M905445 <P>Thanks for providing the BugID&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/285490">@Peter Koltl</a></P> Tue, 04 Sep 2018 10:26:25 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/3700255#M905445 Marvin Rhoads 2018-09-04T10:26:25Z https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/4442070#M1082629 <P>Gents</P><P>i have similar problem with CSM 4.19 &amp; ISE 2.1.</P><P>i took capture &amp; found ISE talks to CSM with TLS1.2 but it always finish with session setup failure after Test button submission</P><P>i cant access bug id. so what is the pill to heal it?</P> Sun, 01 Aug 2021 18:17:10 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/4442070#M1082629 Andrii Oliinyk 2021-08-01T18:17:10Z https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/4442699#M1082646 <P>selfresolved. A&amp;UG for CSM 4.20:</P><TABLE border="1" cellspacing="0" cellpadding="3"><TBODY><TR><TD><P class="pB1_Body1">ISE Version</P></TD><TD><P class="pB1_Body1">Beginning with version 4.18, Cisco Security Manager supports integration of only ISE version 2.3.</P></TD></TR></TBODY></TABLE> Mon, 02 Aug 2021 07:50:39 GMT https://community.cisco.com/t5/network-security/cisco-security-manager-integration-with-cisco-ise-for-security/m-p/4442699#M1082646 Andrii Oliinyk 2021-08-02T07:50:39Z