Cisco DNA Center ISE integration 'error retrieving PSN nodes from PAN'

Navs1963
Level 1

We are attempting to integrate DNAC v2.2.3.4 with ISE 3.0.0. During the server integration we're coming up against this error. 

I'm struggling to find any information around it. Has anyone come across this error during integration, or know where to look to troubleshoot it?

TIA.

Dan Rowe
Cisco Employee

Have you checked out the Cisco DNA Center & ISE Management infrastructure deployment guide?

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-dnac-ise-deploy-guide.html

Follow the steps provided in the document. If you still run into the same issue after following those steps, I would suggest opening a TAC case if you can to troubleshoot further. If you want to try and self-troubleshoot, you can view the network-design & pxgrid service logs in Cisco DNA Center using Kibana.

Martin Grimm
Level 1

Hi Navs,

Did you solve the problem? I am facing the same and checked all Deployment Guides, so TAC would be the next step.

Regards,

Martin

In our case we opened a TAC. It looked like we had a bug. The DNA Center did not return to service after a re-boot during troubleshooting (I can't recall why we rebooted it). So, we rebuilt it. It was rebuilt on the next software version, 2.2.3.6, and after it came up and was reconfigured, ISE integrated straight away. We never truly found the root cause, but TAC believed we'd hit a bug.

Thanks for your answer, do you have any Bug-ID?
Regards Martin

Unfortunately, not. The DNA-C fell over before we could get to the bottom of it. We were up against a fairly aggressive timeline, so we had to get it back up and working to move forward. Management made the, understandable, call to move to the newer software version rather than rebuild on the same version and continue root cause.

We solved it:
The GUI Error Message stated nothing about Certificate trust.
With TAC we used this command to generate a log and started the integration process again, to log what's going on.
magctl service logs -rf network-design | lql > /home/maglev/networkdesignlogs

In the Log there was this line:
| 751 | Caused by: com.cisco.apicem.commonsettings.service.exception.ISETrustException: PRIMARY Certificate is UNTRUSTED

So we imported all the CA Certificates from the PKI which signed the Admin Certs and all was good.
Cisco should update their documentation, because in the linked Deployment Guides there is nothing about that trust.
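
The log search described in the post above, as an added example that is not part of the original thread or Cisco's tooling: it scans saved `network-design` output for `Caused by:` lines and flags the ones that point at certificate trust, which the GUI error did not mention. The line layout is assumed from the single log line quoted above, the keyword heuristic and function names are hypothetical, and the sample log is constructed apart from that quoted line.

```python
import re

# Assumed line shape, taken from the one log line quoted in the thread:
#   | <number> | Caused by: <exception class>: <message>
CAUSED_BY = re.compile(
    r"^\|\s*(?P<seq>\d+)\s*\|\s*Caused by:\s*"
    r"(?P<cls>[\w.$]+)(?::\s*(?P<msg>.*))?$"
)
# Assumed keyword heuristic for certificate-trust failures (not a Cisco list).
TRUST_HINT = re.compile(r"trust|certificate|pkix|sslhandshake", re.IGNORECASE)


def find_causes(lines):
    """Return every 'Caused by:' entry as a dict, in log order."""
    causes = []
    for line in lines:
        m = CAUSED_BY.match(line.strip())
        if not m:
            continue  # stack frames and ordinary log lines
        cls, msg = m.group("cls"), (m.group("msg") or "").strip()
        causes.append({
            "seq": int(m.group("seq")),
            "exception": cls.rsplit(".", 1)[-1],
            "message": msg,
            "trust_related": bool(TRUST_HINT.search(f"{cls} {msg}")),
        })
    return causes


def trust_failures(lines):
    """Only the causes that point at certificate trust."""
    return [c for c in find_causes(lines) if c["trust_related"]]


# Constructed sample; only line 751 is quoted from the thread.
SAMPLE_LOG = """\
| 748 | constructed line: ISE integration request received
| 749 | Caused by: java.lang.RuntimeException: constructed wrapper message
| 750 | \tat constructed.Placeholder.call(Placeholder.java:1)
| 751 | Caused by: com.cisco.apicem.commonsettings.service.exception.ISETrustException: PRIMARY Certificate is UNTRUSTED
""".splitlines()

if __name__ == "__main__":
    # To scan the real capture, pass open("/home/maglev/networkdesignlogs") instead.
    for c in trust_failures(SAMPLE_LOG):
        print(f"line {c['seq']}: {c['exception']}: {c['message']}")
```
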

Ah, yes. We were going down the cert route when it all fell over. However, we're using self-signed. I'll bear in mind what you found as we are about to move it to PKI.