Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5910
Views
0
Helpful
4
Replies

ISE is available but pxGRID is unavailable in DNAC

tom.barat@dimensiondata.com
Level 1
Level 1

‎10-23-2018 07:39 AM - edited ‎03-08-2019 05:27 PM

Hello,

I have an issue when trying to integrate DNA center with ISE.

After adding ISE as an AAA server in DNAC, the DNA briefly displays an error saying "expected trust phrase was not received" and a status of FAILED. Then this status immediately changes to ACTIVE.

On the DNA System 360 page, i see the ISE server itself as Available, but pxGRID is "unavailable" (see screenshot).

At no point during this process does the DNA client appear in the ISE pxGRID services (so i cannot approve it, and the ISE is not in auto approval mode).

 

I don't think this is a generic connectivity issue because i get proper errors when configuring DNA with wrong ISE password.

 

I know there are issues with certificates when trying to integrate ISE with DNA :

- ISE uses a self-signed certificate for pxGRID.

- DNA uses the default certificate (i did not perform any certificate configuration change on the DNA).

- The DNA certificate appears in the trusted certificates list on ISE.

 

 

ISE version : 2.3

DNA version : 1.1.7

 

 

Thank you in advance for your assistance,

regards.

 

1 person had this problem
Preview file
26 KB
0 Helpful
4 Replies 4

Gaur Samal
Cisco Employee
Cisco Employee

‎10-23-2018 08:59 AM

If ISE is showing active but pxgrid is showing unavailable and you do not see any client under ISE -> pxgrid services, then  you might want to raise TAC case, as we need to see what is going on with Pxgrid service within DNAC. 

there are multiple issues in 1.1.7 regarding DNAC-Pxgrid integration which is improved/fixed in dnac 1.2.x release line.

 

0 Helpful

kumaamit
Cisco Employee
Cisco Employee
In response to Gaur Samal

‎11-16-2018 04:19 AM - edited ‎11-16-2018 04:20 AM

Plz go through the following link:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj87924/?rfs=iqvred

0 Helpful

k.clarke
Level 1
Level 1
In response to kumaamit

‎11-16-2018 06:47 AM

Tom,

 

Take a look at my post 

 

https://community.cisco.com/t5/digital-network-architecture-dna/resilient-borders-and-connectivity/m-p/3747258

 

I have detailed the versions I was using for a pre-stage I have just completed. I did build a CA and have the ISE CSR signed by it. If DNA has ‘talked’ to ISE you should see the Koba cert from DNA in the ISE Trusted Cert Store but only 1.2.6 and 2.3 patch 5 worked successfully for me (4 ISE nodes show as available on DNA, with 2 running pxGrid.

0 Helpful

wwvan
Level 1
Level 1
In response to k.clarke

‎10-14-2019 11:45 AM

I made 3 upgrades to 1.3.1.2. On the single Cluster all went OK, but on both 3 node clusters I have now the same Status, ISE OK, but pxGrid unavailable...

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card