DNA 1.3.1.x

Hi, folks.

I am one of the lucky guys that were able to get the budget to buy a dnac appliance to evaluate sd-access and all the other fancy stuff .... :-)

So I set the appliance up, everything seems to be running in order so far, except for these two points:

1. ISE integration fails

When I try to add ISE to dna, dnac tells me that I have the wrong version of ISE:

dnac error message.jpg

The funny stuff is, that ISE is EXACTLY version 2.6 Patch1:

 

ise version.jpg

Since the error message states "2.6P1 or above", I tried integrating ISE also with patch2 and patch3,

result is the same as above !!!

I need to try integration ISE with version 2.4 and see what happens then ....

 

Could it be that DNAC version is too old to implement any ISE with 2.6 version ??

System Update on the dnac appliance shows me this:

 

dnac version.jpg

This brings me to 

 

2. Why can't my dnac see any 1.3.1.x version ??

Shouldn't it be there ??

 

 

Any clues ??

 

Rgs

Frank

Mariusz Kazmierski
Cisco Employee

Hi, 

 

Based on the statement that you shared, provided error message could be bogus (from versioning perspective) while still true from the first statement - "unable to connect to ISE". What we saw in the past is that communication errors could be generated when there is some kind of misconfiguration. Can you assure that FQDN specified in DNAC matches the one in ISE, as well as the passwords for CLI/UI on ISE match one another? 

 

I would also recommend to look at this article which describes in detail DNA-Center & ISE integration:

https://community.cisco.com/t5/networking-documents/how-to-cisco-dna-center-ise-integration/ta-p/3896410

 

If this will not help, I would recommend to open TAC case to troubleshoot it further in details by collecting logs from DNAC and ISE and finding the culprit in your setup. 

 

Best regards,

Mariusz

Hi, 

 

Regarding DNA-Center versions:

System: 1.3.0.109  -> this is internal component version of system component. 
 
For Cisco DNA-Center release version, select from menu lifebuoy icon (second from the right) and select: About (first option). 
You should see there 1.3.1.x version that you run. 
 
After determining DNA-Center version & ISE version, compatibility check can be verified here:
 
Regards,
Mariusz

Yeah, my bad, looked at the wrong place ... :-)

Running version is 1.3.1.4, not 1.3.0 .... Thanks for the hint !!!

 

In the meantime I was able to install an ISE with version 2.4P11, which used the exact same username and passwords, the same certificate, same FQDN, etc. and that version-mismatch error didn't show up, the box is connected to dnac now.

 

As I said before, with ISE 2.6 patch 1-3 integration did not work, seems to me dnac 1.3.1.4 and ISE 2.6 don't like each other very much yet.... :-)

 

Rgs

Frank

Hi Frank,

please refer to the compatibility matrix Mariusz shared, 2.4p11 as of today is not certified with SD-Access. All the 2.6 versions in the matrix I have integrated with DNAC easily more than 10 times and I've had zero problems. Suggest opening a TAC if you need 2.6 but cannot get it to work.

Jerome

Thanks again for that hint, I have removed patch 11 and installed patch 10 onto ISE.

 

Integration of ISE 2.4p10 into dnac did work, ISE is shown as active in dnac:

dnac ise integrated.jpg

But dnac doesn't show up on ISE pxGrid services as a subscriber.

I know that it could take some time until it shows, but I waited hours ....

Any ideas what to do/to check to get dnac to show up ??

 

Rgs

Frank

Hi Frank, 

 

Logs are available here: 

 

ISE:
Operations > Troubleshoot > Download Logs > Debug Logs > ise-psc.log (for extra debugs / insights, enable in: Administration > System > Logging > Debug Log Configuration "pxgrid", "infrastructure", and "ers" prior to reproducing the issue).

 

DNA-Center:
SSH to DNA-Center (on port 2222; username: maglev) and look at the following logs (you can also look at them from Kibana perspective from DNA-Center UI):
maglev$ magctl service logs -r -f network-design-service
maglev$ magctl service logs -r -f identity-manager-pxgrid-service

 

Probably the simplest way to get proper logs would be to have above enabled and then collect above logs from both sides (ISE and DNA-Center) and look for some errors / issues - if there will be no obvious errors, I would recommend to go with TAC case and attach above logs for further investigation (in addition to 'sudo rca' from DNA-Center). 

 

Best regards,

Mariusz

Hi, again.

I looked at the debug logs on dnac, I think I found something that could be the cause:

 

Seems like dnac is trying to request a pxGrid user certificate from ISE and that process fails, found this in the log:

 

2020-01-09 08:17:50,422 | DEBUG | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | KeyStore created |
2020-01-09 08:17:50,442 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.m.s.s.k8sProvider | the apiserver url is http://maglevserver.maglev-system.svc.cluster.local:8011/api/v1/maglev/servicediscovery |
2020-01-09 08:17:50,446 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.m.s.s.k8sProvider | the return code is 200 |
2020-01-09 08:17:50,538 | DEBUG | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Retrieved mac address: 00:16:3e:c9:bc:d5 |
2020-01-09 08:17:50,538 | DEBUG | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | endPointCertStr:certificateRequest CertificateRequestDTO [cn=dnaadmin, san=00:16:3e:c9:bc:d5] |
2020-01-09 08:17:50,538 | DEBUG | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | PxGrid endpoint certificate request: PUT /ers/config/endpointcert/certRequest HTTP/1.1 |
2020-01-09 08:17:50,649 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.a.c.e.c.CloseableHttpClientUtils | Decrypting Password when password has not changed. |
2020-01-09 08:17:50,658 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.a.c.e.c.CloseableHttpClientUtils | Making an api call: PUT https://dna-ise-01.xxxxxxx:9060/ers/config/endpointcert/certRequest |
2020-01-09 08:17:51,912 | ERROR | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | An error occurred while retrieving PxGrid endpoint certificate. Request: PUT /ers/config/endpointcert/certRequest HTTP/1.1, Response: HttpResponseProxy{HTTP/1.1 404 Not Found [Cache-Control: no-cache, no-store, must-revalidate, Expires: Thu, 01 Jan 1970 00:00:00 GMT, Pragma: no-cache, Internal Server Error: Unexpected Exeption:: 500, Content-Length: 0, Date: Thu, 09 Jan 2020 08:17:51 GMT, Server: ] [Content-Length: 0,Chunked: false]} |
2020-01-09 08:17:51,912 | ERROR | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Error retrieving PxGrid endpoint certificate from ISE |
2020-01-09 08:17:51,912 | ERROR | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxgridConnectionManagerV2 | PxGridManagerV2 : Exception connecting to ISE 10.x.y.z, com.cisco.enc.identitymanager.exceptions.IdentityManagerException

and after this a lot of java exceptions are fired .....

 

Which rights need to be assigned to the "dnaadmin" user, I have assigned "ERS Admin" and "SuperAdmin" to the user, maybe that is not enough ... ??

Rgs

Frank

Hi, 

 

ISE - DNA-Center integration requirements are described here:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3-1-0/install_guide/M4/b_cisco_dna_center_install_guide_1_3_1_0_M4/b_cisco_dna_center_install_guide_1_3_1_0_M4_chapter_0101.html

 

In the logs provided on the request to get certificate from ISE, DNA-Center receives HTTP Code: 404 - Not found. 

 

In addition to the above, make sure that in Administration > System > Settings -> ERS Settings 'Disable CSRF For ERS Request' is selected (due to current limitation described in CSCvk68816).

 

If all of the above will not help, you may try to attempt to workaround the issue by regenerating "ISE Root CA" from ISE and make sure the pxGrid persona is assigned to the right certificate on ISE. This can be checked under: Administrator > System > Certificates > System Certificates (column: Used By = pxGrid). In order to regenerate the "ISE Root CA", go to: Administrator > System > Certificates > Certificate signing Request > Select "ISE Root CA".

 

If none of the above will help, I would strongly recommend to open TAC case to tshoot it further. 

 

Best regards,

Mariusz
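
The triage step described in the posts above (finding the failing ERS call and its HTTP status in the identity-manager-pxgrid-service log), as an added example that is not part of the original posts and is not Cisco code. The sample lines are constructed from the log format shown in this thread; the hostname, IP address and UUID are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the pipe-delimited log lines posted in this thread.
# Hostname, IP and UUID are placeholders, not values from a real deployment.
SAMPLE_LOG = """\
2020-01-09 08:17:50,538 | DEBUG | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | PxGrid endpoint certificate request: PUT /ers/config/endpointcert/certRequest HTTP/1.1 |
2020-01-09 08:17:50,658 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.a.c.e.c.CloseableHttpClientUtils | Making an api call: PUT https://ise.example.test:9060/ers/config/endpointcert/certRequest |
2020-01-09 08:17:51,912 | ERROR | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | An error occurred while retrieving PxGrid endpoint certificate. Request: PUT /ers/config/endpointcert/certRequest HTTP/1.1, Response: HttpResponseProxy{HTTP/1.1 404 Not Found [Cache-Control: no-cache, Content-Length: 0] [Content-Length: 0,Chunked: false]} |
2020-01-09 08:17:51,912 | ERROR | SimpleAsyncTaskExecutor-1 | | c.c.e.i.u.PxgridConnectionManagerV2 | PxGridManagerV2 : Exception connecting to ISE 192.0.2.10, com.cisco.enc.identitymanager.exceptions.IdentityManagerException
2020-01-10 08:28:48,318 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridV2RestController | Response data received {"accountState":"ENABLED","version":"2.0.1.7"} |
2020-01-10 08:28:49,765 | INFO | Grizzly(2) | | c.c.e.i.impl.CiscoIseServiceImplV2 | Updating ISE server state. ID: 00000000-0000-0000-0000-000000000000. New State: ACTIVE |
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}$")
# Matches the "Request: ..., Response: HttpResponseProxy{HTTP/1.1 404 Not Found [" form
# seen in the ERROR line of the thread.
ERS_FAIL_RE = re.compile(
    r"Request: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+, "
    r"Response: HttpResponseProxy\{HTTP/[\d.]+ (?P<status>\d{3}) (?P<reason>[^\[]*)"
)
STATE_RE = re.compile(r"New State: (?P<state>[A-Z_]+)")


def parse_line(line):
    """Split one log line into fields; return None for continuation lines
    (for example Java stack-trace lines) that do not start with a timestamp."""
    parts = [p.strip() for p in line.split("|", 5)]
    if len(parts) < 6 or not TS_RE.match(parts[0]):
        return None
    ts, level, thread, _unused, logger, message = parts
    return {
        "ts": ts,
        "level": level,
        "thread": thread,
        "logger": logger,
        "message": message.rstrip("| ").strip(),  # drop the trailing field separator
    }


def triage(log_text):
    """Collect ERROR records, failed ERS requests and the last ISE state change."""
    errors, ers_failures, last_state = [], [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "ERROR":
            errors.append((rec["ts"], rec["logger"], rec["message"][:100]))
            m = ERS_FAIL_RE.search(rec["message"])
            if m:
                ers_failures.append(
                    (m["method"], m["path"], int(m["status"]), m["reason"].strip())
                )
        m = STATE_RE.search(rec["message"])
        if m:
            last_state = m["state"]
    return {"errors": errors, "ers_failures": ers_failures, "last_state": last_state}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for method, path, status, reason in result["ers_failures"]:
        print(f"ERS call failed: {method} {path} -> {status} {reason}")
    print(f"ERROR records: {len(result['errors'])}, last ISE state: {result['last_state']}")
```

To use it on a real capture, save the output of the magctl service logs command to a file and pass its contents to triage().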

Hi, Mariusz.

 

Renewing the ISE Root Certificate seems to have done the trick, dna center now shows up as pxGrid subscriber on ISE:

 

dna pxgrid success.jpg

Thanks again for the hint, here is what I did:

 

1. Deleted the ISE from dnac

2. Renewed the CA certificate on ISE

3. Reconnected ISE to dnac, at the same time looking at dnac pxgrid logs:

2020-01-10 08:22:56,774 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.g.a.i.GrapevineMessageListener | Requeue flag for for message CiscoIseNotification {context={public={accept-language=de, RBACSecurityContext=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1ZDcwYzEwNjZiYzMyOTAwOTVlYTM4ZmQiLCJhdXRoU291cmNlIjoiZXh0ZXJuYWwiLCJ0ZW5hbnROYW1lIjoiVE5UMCIsInJvbGVzIjpbIjVkNmZhZjdkNjgwNDdiMDA0YmVhMmIyZiJdLCJ0ZW5hbnRJZCI6IjVkNmZhZjdjNjgwNDdiMDA0YmVhMmIyZCIsImV4cCI6MTU3ODY0NzAwNCwiaWF0IjoxNTc4NjQzNDA0LCJqdGkiOiJiNThhNzRjYi03YTUxLTRjNmMtOTlmOC1jMDYxZmU5MjZjYWEiLCJ1c2VybmFtZSI6InhpYTB3ZiJ9.nlday9rTxc24PgZIrR_pxYgvIgPpvpbarBN6X9kXSpKalB0b3e5YH56x-_bpJzjz829vjMNrJtrX53H086dSlwp1iNRpoSfyHqnWVSdnN2hOv5ry3o3TgfshwGxn0BSj-HPVdzZ-Xb0-M6lOCUjvSD8sTmCD0sPdlx8k-myMCDe9R8bwKTF8MhMtyUyDlc-7sdConSI8iTAGvgnEnVfqp05MET-nqT3WDndMiFXlZ0byKeHKZMUp_noc_UsrI4agPKwTVAfdCmztT8-wh3Qdxx0VKqdZKiGIClKihXagLA3QdbJje-4qWSPZGEcCxIiu9gylY6ZqFec-Ppu-VSTUAQ}}, replyToChain=null, version=0, payload=CiscoIseNotifcation [ciscoIseUuid=1e328254-6ccf-4165-8af3-ba5ca39bfdd7]} is true |
2020-01-10 08:22:56,775 | ERROR | SimpleAsyncTaskExecutor-1 | | c.c.g.a.i.GrapevineMessageListener | Message CiscoIseNotification {context={public={accept-language=de, RBACSecurityContext=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1ZDcwYzEwNjZiYzMyOTAwOTVlYTM4ZmQiLCJhdXRoU291cmNlIjoiZXh0ZXJuYWwiLCJ0ZW5hbnROYW1lIjoiVE5UMCIsInJvbGVzIjpbIjVkNmZhZjdkNjgwNDdiMDA0YmVhMmIyZiJdLCJ0ZW5hbnRJZCI6IjVkNmZhZjdjNjgwNDdiMDA0YmVhMmIyZCIsImV4cCI6MTU3ODY0NzAwNCwiaWF0IjoxNTc4NjQzNDA0LCJqdGkiOiJiNThhNzRjYi03YTUxLTRjNmMtOTlmOC1jMDYxZmU5MjZjYWEiLCJ1c2VybmFtZSI6InhpYTB3ZiJ9.nlday9rTxc24PgZIrR_pxYgvIgPpvpbarBN6X9kXSpKalB0b3e5YH56x-_bpJzjz829vjMNrJtrX53H086dSlwp1iNRpoSfyHqnWVSdnN2hOv5ry3o3TgfshwGxn0BSj-HPVdzZ-Xb0-M6lOCUjvSD8sTmCD0sPdlx8k-myMCDe9R8bwKTF8MhMtyUyDlc-7sdConSI8iTAGvgnEnVfqp05MET-nqT3WDndMiFXlZ0byKeHKZMUp_noc_UsrI4agPKwTVAfdCmztT8-wh3Qdxx0VKqdZKiGIClKihXagLA3QdbJje-4qWSPZGEcCxIiu9gylY6ZqFec-Ppu-VSTUAQ}}, replyToChain=null, version=0, payload=CiscoIseNotifcation [ciscoIseUuid=1e328254-6ccf-4165-8af3-ba5ca39bfdd7]} retry count exceeded maxrRetries of 5 |
2020-01-10 08:28:42,765 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.a.i.h.c.CiscoIseTrustMessageHandlerV2 | ISE Event Received: trust.established |
2020-01-10 08:28:42,765 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.a.i.h.c.CiscoIseTrustMessageHandlerV2 | ISE Event payload: CiscoIseNotifcation [ciscoIseUuid=05ed2dca-ec3d-4137-aa8c-534a2b51020b] |
2020-01-10 08:28:42,765 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.a.i.h.c.CiscoIseTrustMessageHandlerV2 | Received Cisco ISE trust established message |
2020-01-10 08:28:42,765 | INFO | SimpleAsyncTaskExecutor-1 | | c.c.e.i.impl.CiscoIseServiceImplV2 | Connecting with ISE: 05ed2dca-ec3d-4137-aa8c-534a2b51020b |
2020-01-10 08:28:42,769 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.impl.CiscoIseConnectorTask | Create a CiscoIseConnectorTask |
2020-01-10 08:28:42,769 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridConnectionManagerFactoryV2 | Obtain the PxGridConnection ManagerV2 for aaa server 3f7167dc-aaf4-46d4-8e3b-0bf26cdb5dca |
2020-01-10 08:28:42,769 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridConnectionManagerFactoryV2 | Creating a new PxGridConnection ManagerV2 for aaa server 3f7167dc-aaf4-46d4-8e3b-0bf26cdb5dca |
2020-01-10 08:28:42,771 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridConnectionManagerFactoryV2 | PxGrid nodes found: [CiscoISE[lastStatusUpdateTime=2020-01-10 08:28:42.62,role=PXGRID,sshKey=,subscriberName=dna-center,trustState=TRUSTED,description=,fqdn=dna-ise-01.bla.bla.com,ipAddress=x.y.z.x,password=4bBiHHBM9V+LoHK+leq7JOqmpnYpkrWthsOb6lAxpQmu1XcBtsBL2ExbRrWq2PtshmCYNqBm3NdwugTzKplTQ9pPYZY2OGsz,state=INACTIVE,type=ISE,userName=dnaadmin,instanceUuid=c81aff4e-20b2-4be0-8439-88b1a842c4a4,instanceId=1453453,authEntityId=1453453,authEntityClass=-272915024,instanceTenantId=5d6faf7c68047b004bea2b2d,_orderedListOEIndex=<Integer>,_creationOrderIndex=<Integer>,_isBeingChanged=<Boolean>,deployPending=<DeployPendingEnum>,instanceVersion=0]] |
2020-01-10 08:28:42,772 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridConnectionManagerFactoryV2 | Creating new connection manager object for aaaServerId: 3f7167dc-aaf4-46d4-8e3b-0bf26cdb5dca |
2020-01-10 08:28:42,772 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.impl.CiscoIseConnectorTask | Establish Connection with ISE |
2020-01-10 08:28:42,772 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridConnectionManagerV2 | Try connecting to x.y.z.x |
2020-01-10 08:28:42,773 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridConnectionManagerV2 | getActiveV1Node : V1 primary on x.y.z.x |
2020-01-10 08:28:42,773 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridConnectionManagerV2 | Establishing connection with ISE x.y.z.x |
2020-01-10 08:28:42,867 | INFO | coIseServiceImpl-Worker-2 | | c.c.m.s.s.k8sProvider | the apiserver url is http://maglevserver.maglev-system.svc.cluster.local:8011/api/v1/maglev/servicediscovery |
2020-01-10 08:28:42,872 | INFO | coIseServiceImpl-Worker-2 | | c.c.m.s.s.k8sProvider | the return code is 200 |
2020-01-10 08:28:42,972 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Retrieved mac address: 00:16:3e:c9:bc:d5 |
2020-01-10 08:28:42,972 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | endPointCertStr:certificateRequest CertificateRequestDTO [cn=dnaadmin, san=00:16:3e:c9:bc:d5] |
2020-01-10 08:28:42,972 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | PxGrid endpoint certificate request: PUT /ers/config/endpointcert/certRequest HTTP/1.1 |
2020-01-10 08:28:43,075 | INFO | coIseServiceImpl-Worker-2 | | c.c.a.c.e.c.CloseableHttpClientUtils | Truststore has changed. Closing existing httpclient |
2020-01-10 08:28:43,075 | INFO | coIseServiceImpl-Worker-2 | | c.c.a.c.e.c.CloseableHttpClientUtils | Closing httpclient |
2020-01-10 08:28:43,075 | INFO | coIseServiceImpl-Worker-2 | | c.c.a.c.e.c.CloseableHttpClientUtils | Closing httpclient |
2020-01-10 08:28:43,075 | INFO | coIseServiceImpl-Worker-2 | | c.c.a.c.e.c.CloseableHttpClientUtils | Initializing http client |
2020-01-10 08:28:43,170 | INFO | coIseServiceImpl-Worker-2 | | c.c.apicem.common.ers.util.ErsUtil | Downloading trust store |
2020-01-10 08:28:43,205 | INFO | coIseServiceImpl-Worker-2 | | c.c.apicem.common.ers.util.ErsUtil | Truststore download SUCCESSFUL |
2020-01-10 08:28:43,217 | INFO | coIseServiceImpl-Worker-2 | | c.c.a.c.e.c.CloseableHttpClientUtils | ERS port in use: 9060 |
2020-01-10 08:28:43,217 | INFO | coIseServiceImpl-Worker-2 | | c.c.a.c.e.c.CloseableHttpClientUtils | Decrypting password if password has changed or running for first time. |
2020-01-10 08:28:43,324 | INFO | coIseServiceImpl-Worker-2 | | c.c.a.c.e.c.CloseableHttpClientUtils | Making an api call: PUT https://dna-ise-01.bla.bla.com:9060/ers/config/endpointcert/certRequest |
2020-01-10 08:28:46,590 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Alias 0 dnaadmin_00-16-3e-c9-bc-d5: |
2020-01-10 08:28:46,590 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Adding key for alias dnaadmin_00-16-3e-c9-bc-d5 |
2020-01-10 08:28:46,597 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Issuer : CN=Certificate Services Endpoint Sub CA - dna-ise-01 |
2020-01-10 08:28:46,597 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Valid From : Thu Jan 09 08:28:45 UTC 2020 |
2020-01-10 08:28:46,597 | DEBUG | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Valid To : Sun Jan 09 08:28:45 UTC 2022 |
2020-01-10 08:28:47,268 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridV2RestController | sendRequest: url https://dna-ise-01.bla.bla.com:8910/pxgrid/control/AccountActivate |
2020-01-10 08:28:48,318 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridV2RestController | Response data received {"accountState":"ENABLED","version":"2.0.1.7"} |
2020-01-10 08:28:48,326 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridV2RestController | sendRequest: url https://dna-ise-01.bla.bla.com:8910/pxgrid/control/ServiceLookup |
2020-01-10 08:28:48,335 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridV2RestController | Response data received {"services":[{"name":"com.cisco.ise.pubsub","nodeName":"ise-pubsub-dna-ise-01","properties":{"wsUrl":"wss://dna-ise-01.bla.bla.com:8910/pxgrid/ise/pubsub"}}]} |
2020-01-10 08:28:48,342 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.utils.PxgridStompClient | ISE PubSub url=wss://dna-ise-01.bla.bla.com:8910/pxgrid/ise/pubsub |
2020-01-10 08:28:48,344 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridV2RestController | sendRequest: url https://dna-ise-01.bla.bla.com:8910/pxgrid/control/AccessSecret |
2020-01-10 08:28:48,511 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.u.PxgridV2RestController | Response data received {"secret":"8KT9FCwaGbHOwAaH"} |
2020-01-10 08:28:49,741 | INFO | Grizzly(1) | | c.c.e.i.utils.PxgridStompClient | On Websocket Open |
2020-01-10 08:28:49,748 | DEBUG | Grizzly(1) | | c.c.e.i.utils.PxgridStompClient | STOMP CONNECT host=dna-ise-01.bla.bla.com |
2020-01-10 08:28:49,754 | INFO | coIseServiceImpl-Worker-2 | | c.c.e.i.impl.CiscoIseConnectorTask | Finished creating the CiscoIseConnectorTask |
2020-01-10 08:28:49,759 | DEBUG | Grizzly(2) | | c.c.e.i.utils.PxgridStompClient | OnStomp message CONNECTED |
2020-01-10 08:28:49,760 | INFO | Grizzly(2) | | c.c.e.i.utils.PxgridStompClient | STOMP CONNECTED version=1.2 |
2020-01-10 08:28:49,763 | INFO | Grizzly(2) | | c.c.e.i.u.PxgridConnectionManagerV2 | onConnected |
2020-01-10 08:28:49,763 | DEBUG | Grizzly(2) | | c.c.e.i.u.PxgridConnectionManagerV2 | getCiscoISEFromFqdn: host dna-ise-01.bla.bla.com list [CiscoISE[lastStatusUpdateTime=2020-01-10 08:28:42.62,role=PXGRID,sshKey=,subscriberName=dna-center,trustState=TRUSTED,description=,fqdn=dna-ise-01.bla.bla.com,ipAddress=x.y.z.x,password=4bBiHHBM9V+LoHK+leq7JOqmpnYpkrWthsOb6lAxpQmu1XcBtsBL2ExbRrWq2PtshmCYNqBm3NdwugTzKplTQ9pPYZY2OGsz,state=INACTIVE,type=ISE,userName=dnaadmin,instanceUuid=c81aff4e-20b2-4be0-8439-88b1a842c4a4,instanceId=1453453,authEntityId=1453453,authEntityClass=-272915024,instanceTenantId=5d6faf7c68047b004bea2b2d,_orderedListOEIndex=<Integer>,_creationOrderIndex=<Integer>,_isBeingChanged=<Boolean>,deployPending=<DeployPendingEnum>,instanceVersion=0]] |
2020-01-10 08:28:49,765 | INFO | Grizzly(2) | | c.c.e.i.u.PxgridConnectionManagerV2 | PxGridManagerV2: Successfully connected to PxGrid V2, ip x.y.z.x and id c81aff4e-20b2-4be0-8439-88b1a842c4a4 |
2020-01-10 08:28:49,765 | INFO | Grizzly(2) | | c.c.e.i.impl.CiscoIseServiceImplV2 | Updating ISE server state. ID: c81aff4e-20b2-4be0-8439-88b1a842c4a4. New State: ACTIVE |
2020-01-10 08:28:49,765 | INFO | Grizzly(2) | | c.c.e.i.impl.CiscoIseServiceImplV2 | get Cisco ISE by id c81aff4e-20b2-4be0-8439-88b1a842c4a4 |
2020-01-10 08:28:49,767 | INFO | Grizzly(2) | | c.c.e.i.impl.CiscoIseServiceImplV2 | Found Cisco ISE server configuration; c81aff4e-20b2-4be0-8439-88b1a842c4a4 |
2020-01-10 08:28:49,767 | INFO | Grizzly(2) | | c.c.e.i.impl.CiscoIseServiceImplV2 | Attempting to update Cisco ISE 1453453 |
2020-01-10 08:28:49,773 | INFO | Grizzly(2) | | c.c.e.i.u.PxgridConnectionManagerV2 | PxGridManagerV2 : updated pxgrid status of x.y.z.x to ACTIVE |
2020-01-10 08:28:49,773 | INFO | Grizzly(2) | | c.c.e.i.u.PxgridConnectionManagerV2 | Try connecting to x.y.z.x |
2020-01-10 08:28:49,774 | INFO | Grizzly(2) | | c.c.e.i.u.PxgridConnectionManagerV2 | getActiveV1Node : V1 primary on x.y.z.x |
2020-01-10 08:28:49,989 | INFO | Grizzly(2) | | c.c.e.i.notifier.PxGridMessageCache | New Runtime PxGridMessage received: Group Name : session,securitygroup, User Name : dnaadmin, Subscriber Name : dna-center_dnac_ndp, IseServerIP : x.y.z.x |
2020-01-10 08:28:49,989 | INFO | Grizzly(2) | | c.c.e.i.notifier.PxGridMessageCache | Runtime PxGridMessage received, starting PxGridMessageNotifier thread |
2020-01-10 08:28:49,989 | DEBUG | Grizzly(2) | | c.c.e.i.u.PxGridConfigurationUtilsV2 | Delete endpoint cert zip file downloaded from local disk , uid 3f7167dc-aaf4-46d4-8e3b-0bf26cdb5dca |
2020-01-10 08:28:49,998 | INFO | Grizzly(2) | | c.c.e.i.impl.CiscoIseServiceImplV2 | sendToExchange: PxGridStatusChangedMessage {context=null, replyToChain=null, version=0, payload=com.cisco.enc.identitymanager.api.request.PxGridStatusChangedMessage$Request@48abc004} |
2020-01-10 08:28:50,004 | DEBUG | xgid-notifier-0 | | c.c.e.i.n.PxGridMessageNotifier | PxGridMessage for notification Group Name : session,securitygroup, User Name : dnaadmin, Subscriber Name : dna-center_dnac_ndp, IseServerIP : x.y.z.x |
2020-01-10 08:28:50,004 | INFO | xgid-notifier-0 | | c.c.e.i.n.PxGridMessageNotifier | Invoking NDP POST REST API for Group Name : session,securitygroup, User Name : dnaadmin, Subscriber Name : dna-center_dnac_ndp, IseServerIP : x.y.z.x |
2020-01-10 08:28:50,004 | DEBUG | xgid-notifier-0 | | c.c.e.i.notifier.IseCertProcessor | creating ISE cert based TrustStore. From /home/maglev/iostruststore.jks to /opt/maglev/services/identity-manager-pxgrid-service/7.1.78.60109/isecertbasedtruststore.jks |
2020-01-10 08:28:50,014 | DEBUG | xgid-notifier-0 | | c.c.e.i.notifier.IseCertProcessor | Keeping ISE cert "cn=company rootca 01, o=company ag, c=de_847428317556386225111258049062751213293928450_third_party" alias in new TrustStore |
2020-01-10 08:28:50,015 | DEBUG | xgid-notifier-0 | | c.c.e.i.notifier.IseCertProcessor | Keeping ISE cert "cn=company rootca 01, o=company ag, c=de_143394666216616981269959701218645583448_third_party" alias in new TrustStore |
2020-01-10 08:28:50,015 | DEBUG | xgid-notifier-0 | | c.c.e.i.notifier.IseCertProcessor | Keeping ISE cert "cn=company subca 01, o=company ag, c=de_669022544526528933915520781942037365435436509_third_party" alias in new TrustStore |
2020-01-10 08:28:50,017 | DEBUG | xgid-notifier-0 | | c.c.e.i.notifier.IseCertProcessor | Completed creating ISE cert based TrustStore: /opt/maglev/services/identity-manager-pxgrid-service/7.1.78.60109/isecertbasedtruststore.jks |
2020-01-10 08:28:50,030 | DEBUG | xgid-notifier-0 | | c.c.e.i.notifier.NdpRestClient | Invoking POST call to NDP Group Name : session,securitygroup, User Name : dnaadmin, Subscriber Name : dna-center_dnac_ndp, IseServerIP : x.y.z.x |
2020-01-10 08:28:50,268 | DEBUG | xgid-notifier-0 | | c.c.e.i.notifier.NdpRestClient | Response from NDP POST call: <200,StdResult [version=1.0],{Content-Type=[application/json], Date=[Fri, 10 Jan 2020 08:28:50 GMT], Content-Length=[261]}> |
2020-01-10 08:28:50,268 | INFO | xgid-notifier-0 | | c.c.e.i.n.PxGridMessageNotifier | Completed NDP POST of ise configuration Group Name : session,securitygroup, User Name : dnaadmin, Subscriber Name : dna-center_dnac_ndp, IseServerIP : x.y.z.x |
2020-01-10 08:28:50,268 | INFO | xgid-notifier-0 | | c.c.e.i.notifier.PxGridMessageCache | PxGridMessage notification completed: Group Name : session,securitygroup, User Name : dnaadmin, Subscriber Name : dna-center_dnac_ndp, IseServerIP : x.y.z.x |
2020-01-10 08:28:50,416 | DEBUG | xgid-notifier-0 | | c.c.e.i.n.PxGridMessageNotifier | PxGridMessage for notification com.cisco.enc.identitymanagerpxgrid.notifier.PxGridDeletedMessage@1ece8039[iseDeploymentId=f577bac2-e0f1-41dd-b9ab-e90a0280e365,iseNotificationState=IN_PROGRESS,messageId=fb49c832-677a-4fd8-bfd4-c8e8c7a4ded7,failureCount=0,lastFailureReason=<null>,isRuntimeMessage=false] |

4. Voila !!!

I will try to get ISE 2.6p1-2 working, too.

 

Rgs

Frank