Solved: Re: Cannot get PXGrid to come available between ISE and DNAC

frederick.mercado · ‎10-27-2023

Both can ping each other through ICMP, NO FW/ACL in between. The ISE shows available but PXGrid unavailable. External auth works. Both ISE and DNA certs replaced with trusted inter and root. Look fine. Unsure what else to check, as I deleted and re-added ISE server on DNAC?

Authentication and Policy Servers shows ISE server ACTIVE.

frederick.mercado · ‎12-13-2023

This was an issue with version mismatch. Upgrading DNAC solved.

View solution in original post

frederick.mercado · ‎10-27-2023

Running health check on ISE:
27-Oct-2023 16:55:15 [INFO] ************** pxGrid Session Directory Test ***************
27-Oct-2023 16:55:15 [INFO] ----------------- Starting Connection Test -----------------
27-Oct-2023 16:55:15 [INFO] pxGrid Node: ***
27-Oct-2023 16:55:16 [INFO] wsPubsubServiceName=com.cisco.ise.pubsub
27-Oct-2023 16:55:16 [INFO] sessionTopic=/topic/com.cisco.ise.session
27-Oct-2023 16:55:16 [INFO] sessionRestBaseUrl=https://***:8910/pxgrid/mnt/sd
27-Oct-2023 16:55:16 [INFO] wsUrl=wss://***:8910/pxgrid/ise/pubsub
27-Oct-2023 16:55:16 [INFO] ---------------- Connection Test Completed -----------------
27-Oct-2023 16:55:16 [INFO] ------------------ Starting Download Test ------------------
27-Oct-2023 16:55:16 [INFO] Downloading sessions since 2023-10-26T16:55:16.411-05:00
27-Oct-2023 16:55:16 [INFO] Response status=200
27-Oct-2023 16:55:16 [INFO] Number of sessions read: 1
27-Oct-2023 16:55:16 [INFO] ----------------- Download Test Completed ------------------
27-Oct-2023 16:55:16 [INFO] ----------------- Starting Subscribe Test ------------------
27-Oct-2023 16:55:17 [INFO] STOMP CONNECT host=***
27-Oct-2023 16:55:17 [INFO] STOMP SUBSCRIBE topic=/topic/com.cisco.ise.session
27-Oct-2023 16:55:17 [INFO] STOMP CONNECTED version=1.2
27-Oct-2023 16:59:17 [INFO] A total of 0 notifications were received.
27-Oct-2023 16:59:17 [INFO] STOMP RECEIPT id=77
27-Oct-2023 16:59:20 [INFO] ----------------- Subscribe Test Completed -----------------
27-Oct-2023 16:59:20 [INFO] ********** pxGrid Session Directory Test Complete **********

2023-10-27 17:59 -04:00

lsl***01

Test session completed with result=SUCCESS

Plus all web sockets show connected.

frederick.mercado · ‎10-30-2023

Hoping someone could chime in!

Torbjørn · ‎10-30-2023

The connection timeout makes me think this is strictly related to the ERS API. Has it been enabled on ISE under: Administration > Settings > API Settings and toggle ERS (Read/Write) enabled? Can you telnet port 9060 from DNAC?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

frederick.mercado · ‎10-30-2023

Yes, enabled.

Here is confirmation:

[Mon Oct 30 16:21:37 UTC] maglev@10.74.xx.35 (maglev-master-10-74-xx-1) ~
$ telnet 10.74.xx.15 9060
Trying 10.74.xx.15...
Connected to 10.74.xx.15.
Escape character is '^]'.

Torbjørn · ‎10-30-2023

That's odd. A few control questions: Have you tried rebooting the DNAC? Are these lab or prod systems? What versions are you running?

Since the ERS port is clearly available this doesn't make a lot of sense to me: "SocketTimeoutException: connect timed out"

I also find it curious that the pxgrid node list is as long as it is: "ipaddress present in pxgrid nodes list 10.74.35.15 ...."

If this is a lab environment I would try to delete the identity-manager-pxgrid-service pod(s) and see if this resolves the problem.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

frederick.mercado · ‎12-13-2023

This was an issue with version mismatch. Upgrading DNAC solved.