
Threat Centric NAC can't connect to AMP Cloud

michanna
Level 1

I am having a problem with re-connecting ISE Threat Centric NAC to the AMP Cloud. It was working and then couldn't connect. So eventually I removed the connector and recreated it. Now when I try to complete the configuration to reconnect, it fails with * Error while trying to connect to AMP cloud. Internet connectivity is fine and there have been no firewall changes. Any suggestions would be appreciated. I am running 2.4p8.

1 Accepted Solution

Accepted Solutions

After working with TAC, the solution (for me) was to update the Digicert Root CA and the Thawte certificates on the ISE cube. The TAC engineer sent me two files to import to ISE. After that the connection to the AMP cloud came back up. This was with a new install of ISE 2.4 patch 8 and, as I said earlier, the connector was working for a while, so still not sure what happened.


9 Replies

hslai
Cisco Employee

I once ran into this, and the issue was that the previous registration was still in my AMP console account. Once the earlier one was removed, it went fine.

You may also check using ISE admin CLI:

show logging container tc-nac container-name <InstanceName> log-name adapter.log tail

Thanks for the response. I don't see a registration in the AMP cloud. It seems like maybe an SSL connection error. I got this from the log.

2019-07-25 21:25:01,072 ERROR [MainProcess][Thread-3] [AMPAdaptor.py][338][get_clouds] Get clouds received RequestException ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

A packet capture on the ASA shows it trying to communicate but failing to get a response from the API request to the AMP cloud.

I went ahead and opened a ticket on this.

Thanks again.

Michael

So it isn't just me.  I am getting the same error.  If you would please post when the issue has been resolved.  Thank you.


2019-07-25 21:25:01,072 ERROR [MainProcess][Thread-3] [AMPAdaptor.py][338][get_clouds] Get clouds received RequestException ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)


This likely indicates some certificate mismatch. We should be able to see the server certificate and the chain sent by a server in the AMP Cloud in a packet capture. We need to verify whether the subject or the subject alternative name fields match the web site the adapter is trying to reach, and also that its root CA is trusted by ISE.
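An added example, not part of the original thread and not Cisco code: a small triage script for adapter.log excerpts that separates certificate-trust failures from other connection errors. A "certificate verify failed" reason raised in SSL3_GET_SERVER_CERTIFICATE means the server's certificate was received, so the network path works and the trust store or chain is what needs checking. The function names and cause labels are assumptions made for this sketch, and the second sample line is constructed.

```python
import ast
import re
from collections import Counter

# Field layout of the adapter.log line quoted in this thread:
# timestamp LEVEL [process][thread] [file][line][function] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<process>[^\]]+)\]\[(?P<thread>[^\]]+)\] "
    r"\[(?P<file>[^\]]+)\]\[(?P<lineno>\d+)\]\[(?P<func>[^\]]+)\] (?P<msg>.*)$"
)
# OpenSSL error-queue entries appear as ('library', 'function', 'reason').
SSL_ERR_RE = re.compile(r"\('[^'()]*', '[^'()]*', '[^'()]*'\)")

# First line is the one posted in the thread; the second is constructed for contrast.
SAMPLE_LOG = """\
2019-07-25 21:25:01,072 ERROR [MainProcess][Thread-3] [AMPAdaptor.py][338][get_clouds] Get clouds received RequestException ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
2019-07-25 21:30:01,072 ERROR [MainProcess][Thread-3] [AMPAdaptor.py][338][get_clouds] Get clouds received RequestException ("connection timed out",)
"""

def parse_line(line):
    """Split one log line into fields and pull out any OpenSSL error tuples."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # wrapped or unrelated line
    rec = m.groupdict()
    rec["ssl_errors"] = [ast.literal_eval(t) for t in SSL_ERR_RE.findall(rec["msg"])]
    return rec

def triage(rec):
    """Return a coarse cause label (labels are this example's own)."""
    reasons = [reason for _lib, _func, reason in rec["ssl_errors"]]
    if "certificate verify failed" in reasons:
        return "tls-trust"  # check the trusted CA list and the presented chain
    if reasons:
        return "tls-other"
    return "non-tls"

def triage_log(text):
    """Count causes over every parseable ERROR line in a log excerpt."""
    recs = filter(None, map(parse_line, text.splitlines()))
    return Counter(triage(r) for r in recs if r["level"] == "ERROR")

if __name__ == "__main__":
    print(dict(triage_log(SAMPLE_LOG)))
```
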

Maybe this bug applies?

CSCvo76914

It could be related but might not be the exact issue. CSCvo76914 is about some of the AMP cloud sites using Thawte certificates but that should not be an issue if the CA certificate is present in the ISE trust certificates list and explicitly trusted.

After working with TAC, the solution (for me) was to update the Digicert Root CA and the Thawte certificates on the ISE cube. The TAC engineer sent me two files to import to ISE. After that the connection to the AMP cloud came back up. This was with a new install of ISE 2.4 patch 8 and, as I said earlier, the connector was working for a while, so still not sure what happened.

Do you still have the certs? Running into this issue with a Lab demo on ISE 2.4 patch 11. Any help would be appreciated.

Here is what I used.