Beginner

ISE - TrustSec errors

Last week we had one of our 6807XLs crash on Thursday 10/10 (case # SR 687680740). As we were troubleshooting the issue with the 6807XL, we noticed some issues with ISE and WLC cluster not coming back up correctly after the crash. We have noticed event logs that are showing TrustSec errors communicating back to ISE. Can anyone advise on how to troubleshoot these specific errors? Any assistance would be greatly appreciated.
 

Oct 14 13:37:16.181: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:39:16.182: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:41:16.183: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:43:16.235: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.

There are ALSO errors on 67 DHCP on the core… this may need digging into as well… the SGTs change with these errors:
permit udp 67
^
% Invalid input detected at '^' marker.

Oct 14 13:48:54.738: %RBM-SW2-3-RBM_PARSE_ACE: Could not parse command for adding ACE 'permit udp 67' to IP Role-Based Access List 'Deny_All-80'
Oct 14 13:48:54.738: %CTS-SW2-3-AUTHZ_POLICY_SGACL_ACE_FAILED: Failed to install IP SGACL 'Deny_All-80' for SGT=292:EW189 due to ACE 'permit udp 67' error
Oct 14 13:48:54.785: %RBM-SW1_STBY-3-RBM_PARSE_CMD: Could not parse command. See command output and errors below

permit udp 67
^
% Invalid input detected at '^' marker.

Oct 14 13:48:54.785: %RBM-SW1_STBY-3-RBM_PARSE_ACE: Could not parse command for adding ACE 'permit udp 67' to IP Role-Based Access List 'Deny_All-80'
Oct 14 13:48:54.785: %CTS-SW1_STBY-3-AUTHZ_POLICY_SGACL_ACE_FAILED: Failed to install IP SGACL 'Deny_All-80' for SGT=292:EW189 due to ACE 'permit udp 67' error

2 REPLIES
Rising star

Re: ISE - TrustSec errors

For the DHCP SGACL try changing the syntax to: permit udp dst eq 67
For the SXP connection error, has anything changed in regard to comms between ISE and your device? Firewall? SVI ACL?
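
The two problems in the logs above (the SXP connection dropping to Off and the SGACL ACE that fails to install) can be separated mechanically before troubleshooting either one. The following Python script is an added example, not code from this thread or from Cisco; the `triage` function name and the handling of the `SW2`/`SW1_STBY` field as an optional unit tag are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: log lines copied from the post above (CLI echo line included).
SAMPLE = """\
Oct 14 13:37:16.181: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:39:16.182: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
Oct 14 13:41:16.183: %CTS-SW2-3-SXP_CONN_STATE_CHG_OFF: Connection <10.11.1.240, 10.99.3.2>-1 state changed from Pending_On to Off.
permit udp 67
Oct 14 13:48:54.738: %CTS-SW2-3-AUTHZ_POLICY_SGACL_ACE_FAILED: Failed to install IP SGACL 'Deny_All-80' for SGT=292:EW189 due to ACE 'permit udp 67' error
Oct 14 13:48:54.785: %CTS-SW1_STBY-3-AUTHZ_POLICY_SGACL_ACE_FAILED: Failed to install IP SGACL 'Deny_All-80' for SGT=292:EW189 due to ACE 'permit udp 67' error
"""

# timestamp: %FACILITY-[unit-]SEVERITY-MNEMONIC: message  (unit tag treated as optional: assumption)
HEADER = re.compile(r"^(\w{3} +\d+ [\d:.]+): %(\w+?)-(?:(\w+)-)?(\d)-(\w+): (.*)$")
SXP = re.compile(r"Connection <([\d.]+), ([\d.]+)>-\d+ state changed from (\w+) to (\w+)")
ACE = re.compile(r"Failed to install IP SGACL '([^']+)' for SGT=(\S+) due to ACE '([^']+)' error")

def triage(text):
    """Group SXP drop events per address pair and SGACL ACE failures per (ACL, SGT, ACE)."""
    sxp_times = defaultdict(list)   # (addr, addr) as logged -> event times
    sgacl = defaultdict(set)        # (acl, sgt, ace) -> unit tags that reported it
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if not h:
            continue                # CLI echo such as "permit udp 67" has no syslog header
        ts, _fac, unit, _sev, mnemonic, msg = h.groups()
        if mnemonic == "SXP_CONN_STATE_CHG_OFF" and (m := SXP.search(msg)):
            # Syslog lines carry no year; 2000 is an arbitrary placeholder for parsing.
            when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")
            sxp_times[(m[1], m[2])].append(when)
        elif mnemonic == "AUTHZ_POLICY_SGACL_ACE_FAILED" and (m := ACE.search(msg)):
            sgacl[(m[1], m[2], m[3])].add(unit or "-")
    sxp = {}
    for pair, times in sxp_times.items():
        times.sort()
        gaps = [round((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        sxp[pair] = {"events": len(times), "gaps_s": gaps}
    return {"sxp": sxp, "sgacl": {k: sorted(v) for k, v in sgacl.items()}}

if __name__ == "__main__":
    report = triage(SAMPLE)
    for pair, info in report["sxp"].items():
        print("SXP", pair, info)
    for (acl, sgt, ace), units in report["sgacl"].items():
        print(f"SGACL {acl} SGT {sgt}: ACE {ace!r} rejected on {units}")
```

On the sample lines the SXP events for the one address pair are 120 seconds apart, and the same ACE in `Deny_All-80` is rejected on both `SW2` and `SW1_STBY`.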
Cisco Employee

Re: ISE - TrustSec errors

Please work through TAC.