Cisco DNAC - Error establishing trust with ISE

Marc Aemmer
Level 1

After deleted ISE Server in DNA-Center, I'm not able to add it anymore. The following error message appears:
[Screenshot attached: dnac ise error.jpg]

"Error establishing trust with ISE: Expected failure phrase received: Trust establishment Operation Failed. Check ISE node role or whether remote server x.x.x.x is reachable"

Any ideas? Found a bug ID that sounds like this issue, but I've already deleted all sites and buildings:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23375/?rfs=iqvred

6 Replies

Hi,

  1. Try deleting the DNA-C certificate from ISE trusted certificates, delete the DNA-C subscriber entry from ISE pxGrid, and try using a different subscriber name in DNA-C while trying to integrate ISE.
  2. Make sure ISE & DNA-c certificates are signed by same CA.
-Aravind

spitalfmi
Level 1

The error message told me to check whether remote server is reachable. The IP provided in the error message was the IP Address of the DNA Center GUI Port. So I tried to Ping the IP Address from ISE PAN and no success! Although I used this IP address to successfully connect to the DNAC GUI. There was something wrong with the routing table in DNAC.
So I logged in to DNAC using CIMC and entered the network config again (sudo maglev-config update). Although the official installation guide marks the DNA Center GUI Port as required, I deleted the network config for the GUI Port to force DNAC to use the enterprise port instead to communicate with ISE. After this change, I was able to integrate ISE with DNAC.
This brings me to some questions:

- Why does DNAC use the GUI Port by default to communicate to ISE?

- Why was I able to remove the IP config on the GUI Port although the installation guide says it's mandatory?


Marc Aemmer


Hi Marc,

In the DNA-Center installation guide, it is mentioned that the GUI port provides access to the DNA Center graphic user interface. Its purpose is to enable users to manage your network using the DNA Center software.

The GUI IP address is the one which communicates with ISE (pxGrid & ERS API) & other network devices.
Please refer to this installation guide for further queries: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-2/install/b_dnac_install_1_2/b_dnac_install_1_2_chapter_0101.html

-Aravind

AndiBuchmann157
Level 1

Hi there,

I had a similar problem in my lab, but I used another user to integrate DNAC with ISE. To achieve my goal I had to add the (ISE) user to the ERS admin group of the ISE.
Regards,

Andreas

Alexandro Carrasquedo
Cisco Employee

Thanks for opening up the TAC case. As we saw, the problem was related to bug CSCvg29584.

james.betts
Level 1

Had this same problem. It turns out that DNA Center doesn't completely eliminate all of the artifacts from its previous connection attempts with ISE. TAC can clear these for you, and until they do you will never get the connection established.
Please note that when you generate a cert for DNA Center you must include all of the DNA-C IP addresses in the SAN of the cert. This cost us a week of trial and error before we figured it out.
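Two of the replies above come down to the same pre-check: the certificate DNA Center presents must carry every DNA-C IP address (enterprise, management/GUI, and any VIP) in its Subject Alternative Name, or trust establishment with ISE fails. The script below is an added example, not code from the thread or from Cisco; it parses the SAN listing as printed by `openssl x509 -in <cert.pem> -noout -ext subjectAltName` and reports which required addresses are missing. The certificate text and the IP addresses are constructed placeholders (RFC 5737 documentation ranges), and `missing_san_ips` and `parse_san` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: what `openssl x509 -noout -ext subjectAltName` prints
# for a certificate. The DNS name and IPs are placeholders, not from the thread.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:dnac.example.test, IP Address:192.0.2.10, IP Address:192.0.2.11
"""

# Constructed list of every address the DNA-C appliance answers on.
# A real check would list the enterprise, GUI/management and VIP addresses.
DNAC_ADDRESSES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def parse_san(san_text):
    """Return (dns_names, ip_addresses) found in openssl's SAN listing.

    openssl separates entries with commas; older builds print "IP:" while
    current ones print "IP Address:", so both prefixes are accepted.
    """
    dns_names, ips = set(), set()
    for line in san_text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns_names.add(entry[len("DNS:"):].strip().lower())
            elif entry.startswith("IP Address:") or entry.startswith("IP:"):
                raw = entry.split(":", 1)[1].strip()
                try:
                    ips.add(ipaddress.ip_address(raw))
                except ValueError:
                    # Malformed entry: ignore rather than abort the check.
                    continue
    return dns_names, ips


def missing_san_ips(san_text, required_ips):
    """Return the required IPs (as strings) that the SAN does not contain."""
    _, present = parse_san(san_text)
    required = {ipaddress.ip_address(ip) for ip in required_ips}
    missing = required - present
    # Sort by family then numeric value so v4 and v6 never compare directly.
    return [str(ip) for ip in sorted(missing, key=lambda ip: (ip.version, int(ip)))]


if __name__ == "__main__":
    gaps = missing_san_ips(SAMPLE_SAN_OUTPUT, DNAC_ADDRESSES)
    if gaps:
        print("Certificate SAN is missing DNA-C addresses:", ", ".join(gaps))
    else:
        print("Certificate SAN covers every DNA-C address.")
```

Run the script against real output by piping `openssl x509 -in dnac.pem -noout -ext subjectAltName` into a file and passing its contents to `missing_san_ips` together with the appliance's addresses; an empty result is the only state in which the certificate satisfies the SAN requirement noted above.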
