Marc Aemmer

Cisco DNAC - Error establishing trust with ISE

After deleting the ISE server in DNA Center, I'm not able to add it anymore. The following error message appears:
"Error establishing trust with ISE: Expected failure phrase received: Trust establishment Operation Failed. Check ISE node role or whether remote server x.x.x.x is reachable

Any ideas? Found a bug ID that sounds like this issue, but I've already deleted all sites and buildings:

Aravind Ravichandran


  1. Try deleting the DNA-C certificate from the ISE trusted certificates, delete the DNA-C subscriber entry from ISE pxGrid, and try using a different subscriber name in DNA-C while trying to integrate ISE.
  2. Make sure the ISE & DNA-C certificates are signed by the same CA.



The error message told me to check whether remote server is reachable. The IP provided in the error message was the IP Address of the DNA Center GUI Port. So I tried to Ping the IP Address from ISE PAN and no success! Although I used this IP address to successfully connect to the DNAC GUI. There was something wrong with the routing table in DNAC.


So I logged in to DNAC using CIMC and entered the network config again (sudo maglev-config update). Although the official installation guide marks the DNA Center GUI Port as required, I deleted the network config for the GUI Port to force DNAC to use the enterprise port instead to communicate with ISE. After this change, I was able to integrate ISE with DNAC.


This brings me to some questions:

- Why does DNAC use the GUI Port by default to communicate to ISE?

- Why was I able to remove the IP config on the GUI Port although the installation guide says it's mandatory?



 Marc Aemmer


Hi Marc,

In the DNA Center installation guide, it is mentioned that the GUI port provides access to the DNA Center graphic user interface. Its purpose is to enable users to manage your network using the DNA Center software.

The GUI IP address is the one which communicates with ISE (pxGrid & ERS API) & other network devices.


Please refer to this installation guide for further queries:


Hi there,

I had a similar problem in my lab, but I used another user to integrate DNAC with ISE. To achieve my goal I had to add the (ISE) user to the ERS admin group of ISE.




Alexandro Carrasquedo
Cisco Employee

Thanks for opening up the TAC case. As we saw, the problem was related to bug CSCvg29584.


Had this same problem. It turns out that DNA Center doesn't completely eliminate all of the artifacts from its previous connection attempts with ISE. TAC can clear these for you, and until they do you will never get the connection established.


Please note that when you generate a cert for DNA Center you must include all of the DNA-C IP addresses in the SAN of the cert. This cost us a week of trial and error before we figured it out.
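
A check for the SAN requirement in the post above, as an added example that is not part of the thread or any Cisco tooling: it reports which expected addresses are missing from a certificate's subjectAltName. The function names, the certificate path and all addresses are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: list expected IP addresses that are absent from a
# certificate's subjectAltName. All names and addresses are constructed.

# san_ips: read the SAN section as printed by openssl on stdin and
# print every "IP Address:" entry, one per line.
san_ips() {
  grep -o 'IP Address:[^,[:space:]]*' | sed 's/^IP Address://' | sort -u
}

# missing_san_ips SAN_TEXT IP...: print each expected IP not found in the SAN.
# Entries are compared as exact strings, so 192.0.2.1 does not match
# 192.0.2.10. IPv6 entries must be given in the form openssl prints them.
missing_san_ips() {
  local san_text=$1 present ip
  shift
  present=$(printf '%s\n' "$san_text" | san_ips)
  for ip in "$@"; do
    printf '%s\n' "$present" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
  done
}

# Constructed sample of the SAN section in openssl's output format.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:dnac.example.test, IP Address:192.0.2.10, IP Address:198.51.100.10'

# Against a real certificate (dnac.pem is a placeholder path), pass every
# address configured on the appliance:
#   missing_san_ips "$(openssl x509 -in dnac.pem -noout -ext subjectAltName)" \
#       192.0.2.10 198.51.100.10 203.0.113.10

# Demo on the constructed sample: the third address is not in the SAN.
missing_san_ips "$SAMPLE_SAN" 192.0.2.10 198.51.100.10 203.0.113.10
# prints 203.0.113.10
```

Empty output means every address passed on the command line is present in the SAN.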