07-25-2022 05:14 PM
Hello all,
DNAC integration with ISE giving error of "Error retrieving PSN nodes from PAN" in the discovering nodes state during integration. All pre-requisites of same GUI and CLI admin credentials on ISE are met including FQDN, reachability, etc. When checked on Kibana in DNAC GUI as well as Maglev, error states "Error fetching AAAServerSetting for CiscoIse null". I tried searching around the community and Cisco Live docs but couldn't find anything relevant to error in my environment. Anyone who faced the same issue? Any help appreciated
DNAC Version 2.2.3.5 , ISE 3.0 patch 4
Attached error snap!
Thanks!
11-10-2022 09:56 PM
Hi Pranav,
did you solve the problem? I am facing the same and checked all Deployment Guides, so TAC would be the next step.
Regards,
Martin
04-23-2023 11:38 PM
Hi, I have exactly the same issue error message, after running this connectivity over a long period. My DNAC is 2.2.2.9, my ISE is 2.7 Patch 2. I checked the whole config again and startet the services new, but get still the message. Anyone have some hints?
04-24-2023 01:03 AM - edited 04-24-2023 02:34 AM
We got this action Plan from TAC: We discovered in Logs, that a Certificate was missing in DNAC from the Chain of Trust so after that, the issue was fixed:
Also, please proceed with the below action:
-restart the pxgrid and network-design services from the DNA cli using the below commands:
magctl service restart --hard pxgrid
magctl service restart --hard network-design
-Then on two sessions, please execute the below two commands:
on the first session:
magctl service logs -rf network-design | lql > /home/maglev/networkdesignlogs
on the second session:
magctl service logs -rf pxgrid | lql > /home/maglev/pxgridlogs
- Then please proceed with the integration again.
After the integration, please stop the logging that we run on both sessions by “ctrl+c” and provide me with the files that will be placed under home/maglev/ files name: networkdesignlogs and pxgridlogs
In the Log there was this line:
| 751 | Caused by: com.cisco.apicem.commonsettings.service.exception.ISETrustException: PRIMARY Certificate is UNTRUSTED
So we imported all the CA Certificates from the PKI which signed the Admin Certs and all was good.
Cisco should update there documentation, because in the linked Deployment Guides there nothing about that trust.
04-24-2023 06:55 AM
The restart of the service pxgrid and network-design solved my issue. I did not had to change the certificates because there wasn't an "UNTRUSTED" message in the log.
Many thanks @Martin Grimm
04-25-2023 10:42 PM - edited 04-25-2023 10:42 PM
Great to read that. So service restart is a solution too. @pranav: how did you solve the problem? I think this thread can be marked as "Solved".
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide