ISE and DNAC integration issue

While attempting to integrate ISE with our DNAC appliance, I ran into this error message and for the life of me cannot figure this out. (Attached screenshot: errordnaise.JPG)

7 Replies

Mike.Cifelli
VIP Alumni

I went through each one of these steps and the error message above is what I got. I enabled all required services etc...

Do you see a pxGrid session pending in ISE for DNAC? Is the cert chain being used for auth trusted by ISE?

Ziv
Level 1
Do you use NAT between the DNAC and ISE?

Mike.Cifelli
VIP Alumni
Few things to check:
Can you ping ISE by IP and name from DNAC CLI?
Can you telnet and ssh to ISE from DNAC CLI with the username you use when setting up authentication and policy server in DNAC GUI?
Please ensure in ISE under Administration->System->Admin Access->Settings->Access->IP Access that DNAC IP is allowed.
Take a look at this log that you generate from DNAC CLI to see if errors pop out to you: magctl service logs -r network-design | lql > net-des.log
You could attempt to reload the service: magctl service restart -d network-design
and then tail logs to gather more tshooting help: magctl service logs -rf network-design | lql
I just went through something similar and actually resolved the issue in the admin access area in ISE. Something was tweaked and I was seeing in DNAC a similar ISE trust issue.

Harish Chopra
Cisco Employee
Hi, can you please specify the DNAC and ISE versions? I hope you have already checked the compatibility matrix (https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html).
I have faced this integration issue in the previous versions several times, and in most of the cases the following were the steps I took:
- ensure the NTP is in sync, clocks are matching for DNAC and ISE
- no version mismatch
- for ISE and DNAC to work, on ISE, ensure you have the GUI and CLI password the same. If those are different then it will never work.

Benjamin-A
Level 1

Hi,

I had the same issue because one of the firewall rules between DNAC and ISE is not documented in the Plan the installation Guide. 

For PxGrid the following have to be additionally permitted:

ISE > DNAC TCP/Port 443

DNAC > ISE TCP/Port 443
