Here is the issue: the Cisco ISE 2.1 patch 3 Context Visibility page gives the following exception:
Unable to load Context Visibility page. Exception: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];
The Cisco document says it's a bug, and no clear solution is given. The biggest challenge now is to add static endpoints. Can anyone with a similar issue give me ideas for updating endpoints?
Context visibility is working now. The workaround was to generate a self-signed certificate for the admin personas and import the secondary admin self-signed cert into the trusted certificate store.
Now the admin console has a certificate error; otherwise everything works fine.
Thanks for sharing... But I think it is not a solution for me. I have certificates provided by an external CA and two ISE appliances in a cluster. I will need to break the cluster, set a self-signed certificate, and recreate the cluster, and I am not sure it will solve the problem in this scenario.
I fixed this by making sure my root and intermediate 3rd party certificates in the "trusted certificates" had "Trust for authentication of Cisco Services" selected. After doing that, I had to restart the Primary Admin node to get the problem to clear.
i have run into the same issue on our 2.2 deployment. we are using an external CA with the SANs filled out for every conceivable policy node name and URL. the system will function fine for a while and then out of the blue all context visibility disappears. i can usually get things running again with a reboot of the primary admin node but not today it seems.
i have tried enabling the "trust for auth of Cisco Services" on the root and intermediate CAs for my external cert, no dice.
i have tried setting the admin node's self-signed cert for admin use, no dice.
i have tried rebooting the monitor nodes. same issue.
i have tried setting the admin nodes as the monitoring nodes as well (double duty on the same box). issue persists.
this is getting annoying. might call TAC...
desperate measures were called for. we run 8 nodes in our deployment. i had to go to EACH one and set the self-signed cert for each as for the admin job. because they were already in a cluster and i had already added each one as a trusted cert they all trusted each other. and lo and behold the context vis area works again.
this is ridiculous.
I am running into the same issue after upgrade to 2.3.
I also use external certificates.
Did you manage to get this fixed in the end?
no we still have issues with this. in fact it seems to have broken once again today while i was updating some certs on the deployment.
we do have reverse dns setup properly so i can resolve the name of each node via the IP address, so that's not the problem.
the 2 admin and 2 monitor nodes are all using their self-signed certs for the admin role. also i have imported those same self-signed certs into the trusted cert store to ensure that all nodes in the deployment trust those certs. almost tempted to try switching back to using our globalsign external cert that we use almost everything else in this deployment for admin and see what happens.
i have a slightly different error message when i go to context visibility > endpoints. the error message which is displayed is:
"Unable to load context visibility page. Ensure that full certificate chain of admin certificate is installed..."
i have uploaded the certificate chain for admin certificate and all checks out.
i have resolved this. In my environment, i am running version 2.3 patch 1 and i had obtained an MS internal CA cert for admin. All i had to do was disable the self-signed admin certificate from the trusted cert list and restart the application. That solved the issue for me.
Also make sure the certificate being used for the admin portal has Cisco services enabled on it. Then run the application ise stop/start command from the CLI. This should solve this issue.