cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5440
Views
0
Helpful
4
Replies

ISE is available but pxGRID is unavailable in DNAC

Hello,

I have an issue when trying to integrate DNA center with ISE.

After adding ISE as an AAA server in DNAC, the DNA briefly displays an error saying "expected trust phrase was not received" and a status of FAILED. Then this status immediately changes to ACTIVE.

On the DNA System 360 page, i see the ISE server itself as Available, but pxGRID is "unavailable" (see screenshot).

At no point during this process does the DNA client appear in the ISE pxGRID services (so i cannot approve it, and the ISE is not in auto approval mode).

 

I don't think this is a generic connectivity issue because i get proper errors when configuring DNA with wrong ISE password.

 

I know there are issues with certificates when trying to integrate ISE with DNA :

- ISE uses a self-signed certificate for pxGRID.

- DNA uses the default certificate (i did not perform any certificate configuration change on the DNA).

- The DNA certificate appears in the trusted certificates list on ISE.

 

 

ISE version : 2.3

DNA version : 1.1.7

 

 

Thank you in advance for your assistance,

regards.

 

4 Replies 4

Gaur Samal
Cisco Employee
Cisco Employee

If ISE is showing active but pxgrid is showing unavailable and you do not see any client under ISE -> pxgrid services, then  you might want to raise TAC case, as we need to see what is going on with Pxgrid service within DNAC. 

there are multiple issues in 1.1.7 regarding DNAC-Pxgrid integration which is improved/fixed in dnac 1.2.x release line.

 

Tom,

 

Take a look at my post 

 

https://community.cisco.com/t5/digital-network-architecture-dna/resilient-borders-and-connectivity/m-p/3747258

 

I have detailed the versions I was using for a pre-stage I have just completed. I did build a CA and have the ISE CSR signed by it. If DNA has ‘talked’ to ISE you should see the Koba cert from DNA in the ISE Trusted Cert Store but only 1.2.6 and 2.3 patch 5 worked successfully for me (4 ISE nodes show as available on DNA, with 2 running pxGrid.

I made 3 upgrades to 1.3.1.2. On the single Cluster all went OK, but on both 3 node clusters I have now the same Status, ISE OK, but pxGrid unavailable...

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco