Cisco ISE and DNA integration

trondaker, Level 1

So we're building our production deployment these days and trying to integrate with our ISE deployment. In the lab we used a single VM/all-personas ISE deployment, and integrating ISE and DNA worked as per the documentation. Now we have 6 PSNs behind a BigIP with two admin/monitoring nodes, and I can't figure out how to integrate the two. I have enabled pxGrid on the PAN and one PSN, I have tried pointing DNA to the IP of the PAN and the PSN, but all result in the attached error: Error establishing trust with ISE: Expected failure phrase received: Trust establishment operation failed. Check ISE node role or whether remote server x.x.x.x is available.

Both the DNA enterprise interface and the ISE PAN are on the same subnet, so no firewall issues. The documentation isn't clear on what IP to point DNA to, but I'm guessing it's the node with pxGrid enabled, right? So both the PAN and the one PSN should work? I have not done any editing of certificates here, so all nodes run self-signed default certs. I can not see the DNA Center appear in the pxGrid approval list on the PAN.

Using tcpdump on the DNA, I can see DNA establishing an SSH connection to ISE, but after a while the attached error appears.

Accepted Solution

Hehe, this is a bit embarrassing, but we recently enabled smart licensing for our ISE deployment - and through that we had to use a proxy. Little did I know that this would impact the pxGrid peering with DNA. Exempted DNA from the proxy on ISE and everything worked.

So as you said Matthias, IP of the PAN in the IP field, admin user with ERS rights, the FQDN of the ISE, the virtual IP of the BigIP in the virtual IP field, and everything is good to go. Didn't need to deploy new certs from the same CA and so on, plain self-signed worked fine.
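The root cause above is a proxy configured on ISE (for smart licensing) that also captured ISE's traffic toward DNA Center until DNA was exempted. The following is an added example, not code from this thread or from Cisco: a small Python check that tells you whether an integration peer such as DNA Center falls outside a proxy bypass list before you attempt the trust step. The hostnames, addresses and proxy are constructed values, and the bypass-list syntax it models (exact host or IP, CIDR range, `.domain` or `*.domain` suffix) is an assumption about a generic proxy exclusion list, not the exact format of the ISE proxy bypass field.

```python
"""Check whether an integration peer would be routed through a proxy.

Added example, not Cisco code. It models a generic proxy bypass list
(exact hosts, CIDR ranges, wildcard domain suffixes); the exact syntax of
the ISE proxy bypass field is an assumption and may differ.
"""
from __future__ import annotations

import ipaddress


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot so FQDN comparisons are stable."""
    return name.strip().lower().rstrip(".")


def is_bypassed(host: str, bypass: list[str]) -> bool:
    """True if `host` (IP or FQDN) matches any entry of the bypass list.

    Entry forms handled: exact host/IP, CIDR (10.0.0.0/24),
    domain suffix (.example.com) and wildcard (*.example.com).
    A bare "example.com" entry only matches that exact host.
    """
    host = _canon(host)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # host is a name, not an address

    for raw in bypass:
        entry = _canon(raw)
        if not entry:
            continue
        if entry == host:
            return True
        if addr is not None:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # a name entry cannot match an IP host
            if addr in net:
                return True
            continue
        # Name host: only suffix-style entries can still match.
        suffix = entry[1:] if entry.startswith("*") else entry
        if suffix.startswith(".") and host.endswith(suffix):
            return True
    return False


def proxy_impact(peer: str, proxy: str | None, bypass: list[str]) -> tuple[bool, str]:
    """Return (goes_via_proxy, explanation) for traffic from ISE to `peer`."""
    if not proxy:
        return False, f"no proxy configured; {peer} is reached directly"
    if is_bypassed(peer, bypass):
        return False, f"{peer} is exempted from proxy {proxy}"
    return True, (f"{peer} would be sent through proxy {proxy}; "
                  "add it to the bypass list before establishing pxGrid/ERS trust")


def integration_report(peers: list[str], proxy: str | None, bypass: list[str]) -> list[str]:
    """Evaluate every peer and return the ones that would hit the proxy."""
    return [peer for peer in peers if proxy_impact(peer, proxy, bypass)[0]]


if __name__ == "__main__":
    # Constructed values: an ISE deployment with a smart-licensing proxy and a
    # bypass list that forgot DNA Center, mirroring the thread's root cause.
    PROXY = "proxy.example.net:3128"
    BYPASS_BEFORE = ["10.10.0.0/16", ".ise.example.net"]
    BYPASS_AFTER = BYPASS_BEFORE + ["dnac.example.net", "192.0.2.20"]
    PEERS = ["dnac.example.net", "192.0.2.20"]  # DNA Center FQDN and IP
    for label, bypass in (("before fix", BYPASS_BEFORE), ("after fix", BYPASS_AFTER)):
        print(f"--- {label} ---")
        for peer in PEERS:
            via, why = proxy_impact(peer, PROXY, bypass)
            print(f"{'PROXY ' if via else 'DIRECT'} {why}")
```

Run it with both the FQDN and the IP of DNA Center as peers: whichever form ISE ends up using for the connection must be covered by the bypass list, so a report that lists either one is a sign the trust step will fail the way it did in this thread.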

Replies

Matthias, Level 1

At the System Settings page you have to enter the Primary PAN IP.

Be sure that the GUI and CLI admin password is the same.

Enter the FQDN+domain like it's set on the certificate.

Virtual IP should be your load balancer with PSNs.

 

Check this discussion:

https://community.cisco.com/t5/cisco-digital-network/cisco-dnac-error-establishing-trust-with-ise/td-p/3715754

That's interesting, haven't even seen the virtual IP part - been so locked in on the server IP :P Now "peering" to the PAN IP, and have the BigIP virtual IP in the virtual field. Same error still, but that's a step in the right direction. Have opened a TAC case now, so we will see what happens.

ISE 2.4 patch 5 and DNA 1.3.1.0 (software out of the box).

Thanks, let us know where the issue was.

Also take a look at this integration guide: https://community.cisco.com/t5/networking-documents/how-to-cisco-dna-center-ise-integration/ta-p/3896
