
Fail to pull scalable groups from ISE

Kalika
Level 1

After integrating Cisco ISE and DNA Center, we cannot pull the scalable groups from ISE into DNA policy. There is reachability between them, and all services such as DNS records and NTP are all right.

Any help with that?

2 Accepted Solutions

Mike.Cifelli
VIP Alumni
A few things to check:

In DNAC:
- Make sure you have ISE defined as an Authentication & Policy Server under System Settings->Settings->Authentication & Policy Servers
- View System Settings->System 360. Is ISE showing as configured and available under externally connected systems?

In ISE:
- Ensure you have pxGrid enabled on at least one node
- Go to Administration->pxGrid Services. Do you see anything related to DNAC that may be pending? You can manually approve it or configure settings to automatically allow it.

In General:
- Make sure the required services and ports are working as expected and allowed. See the links below to troubleshoot further:
https://community.cisco.com/t5/networking-documents/how-to-cisco-dna-center-ise-integration/ta-p/3896410
https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

HTH!


Mohamed Alhenawy
Spotlight

Hello @Kalika 

I will mention some key things you should have done:

- sshd should be enabled on Cisco ISE through # enable sshd services.

- Enable the pxGrid services from Cisco ISE through Administrator -----> Deployment -----> Policy service node (PSN) -----> checkmark box of pxGrid (pxGrid facilitates the sharing of information between network elements in real time and on demand using XMPP technology. pxGrid requires a Plus license.)

- As you mentioned, I think you know the steps to add Cisco ISE on the DNAC, so the only thing required from you here is, as my colleague @Mike.Cifelli mentioned, to check the pxGrid requests and approve them manually.

- The ERS service should also be enabled on Cisco ISE through Administrator -----> settings -----> Protocols -----> ERS settings -----> enable ERS read and write for primary administration node -----> Save

ERS (External RESTful Services) is a REST API based on HTTPS over port 9060.
The ERS service is disabled by default. An ISE Administrator with the "ERS-Admin" or "ERS-Operator" group assignment is required to use the API. ERS on the primary administration node or a stand-alone node will allow the ERS client to perform read/write operations. On all other nodes, it allows only read access. For more information, please visit the ERS SDK page at:
`https://<Cisco ISE IP address>:9060/ers/SDK`

- Also, if there is a firewall, these ports should be open: TCP 5222, 7400, 8910, 1200, 9060.
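A reachability check for the TCP ports listed in the reply above, as an added example that is not part of the original thread. It separates a refused connection (the ISE node answers but the service is not listening) from a silent timeout (traffic is likely dropped in between). The host name `ise.example.internal` is a placeholder, and the port list is copied as posted.

```python
import socket
import sys

# TCP ports copied as posted in the reply above.
PORTS_FROM_POST = (5222, 7400, 8910, 1200, 9060)

# What each outcome suggests checking next (troubleshooting hints, not Cisco output).
HINTS = {
    "open": "transport OK; check for a pending pxGrid client approval in ISE",
    "refused": "host reachable but nothing listening; is pxGrid/ERS enabled on this node?",
    "filtered": "no answer before timeout; check firewall/ACL rules between DNAC and ISE",
    "dns-failure": "name did not resolve; check the DNS record for the ISE node",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP port as open, refused, filtered or dns-failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"
    except ConnectionRefusedError:
        return "refused"   # RST received: the path works, the service does not
    except OSError:
        return "filtered"  # timeout or unreachable: traffic is being dropped

def check_ise(host, ports=PORTS_FROM_POST, timeout=3.0):
    """Probe every port and return {port: status}."""
    return {port: probe(host, port, timeout) for port in ports}

def report(results):
    """Render one line per port with the follow-up hint."""
    return [f"tcp/{port:<5} {status:<11} {HINTS[status]}"
            for port, status in sorted(results.items())]

if __name__ == "__main__":
    # Placeholder host name (assumption); pass the real ISE node as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "ise.example.internal"
    print("\n".join(report(check_ise(target))))
```

Run it from a host that shares DNA Center's network path to ISE, since firewall rules are evaluated per source address.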

3 Replies 3

Parthiv Shah
Cisco Employee
Hi

Thanks for reaching out.

Could you please share the software versions for Cisco DNAC and ISE?

It would be good if you could provide a screenshot of the DNAC AAA server and pxGrid status screen, as well as the pxGrid client status from ISE.

Thanks
Parthiv
