
Airwatch MDM Multiple HTTP Redirects

Patrick Lloyd
Cisco Employee

Hi team,

We're seeing a weird behavior when it comes to Airwatch integration with ISE 2.0 unpatched, where a packet capture shows a redirection from a secure HTTP connection to an insecure HTTP connection, and then back to a secure connection. It looks as if ISE is trying to use an existing secured connection to send an insecure connection. Including the packet capture in brief below, masked for customer anonymity. Has anyone seen this before, is this expected behavior, and is it supported by ISE?

--2016-10-21 10:49:52--  https://cnPALLOYD.awmdm.com/ciscoise/mdminfo/

Resolving cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)... 123.30.123.110

Connecting to cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)|123.30.123.110|:443... connected.

HTTP request sent, awaiting response... 401 Unauthorized

Authentication selected: Basic realm="cnPALLOYD.awmdm.com"

Reusing existing connection to cnPALLOYD.awmdm.com:443.

HTTP request sent, awaiting response... 307 Temporary Redirect

Location: http://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/ [following]

--2016-10-21 10:49:52--  http://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/

Connecting to cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)|123.30.123.110|:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: https://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/ [following]

--2016-10-21 10:49:52--  https://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/

Connecting to cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)|123.30.123.110|:443... conn
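
A check for the pattern in the trace above, as an added example that is not part of the original post: it parses wget-style output and flags any redirect hop that leaves HTTPS for plain HTTP, noting whether HTTP authentication had been negotiated on that session. The sample log is constructed, with mdm.example.test as a placeholder host, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in wget's log format, modelled on the trace above;
# mdm.example.test is a placeholder host, not a real MDM server.
SAMPLE = """\
--2016-10-21 10:49:52--  https://mdm.example.test/ciscoise/mdminfo/
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="mdm.example.test"
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: http://mdm.example.test/ciscoise/v1/ciscoise/registration/mdminfo/ [following]
--2016-10-21 10:49:52--  http://mdm.example.test/ciscoise/v1/ciscoise/registration/mdminfo/
HTTP request sent, awaiting response... 302 Found
Location: https://mdm.example.test/ciscoise/v1/ciscoise/registration/mdminfo/ [following]
--2016-10-21 10:49:52--  https://mdm.example.test/ciscoise/v1/ciscoise/registration/mdminfo/
"""

REQUEST = re.compile(r"^--[\d-]+ [\d:]+--\s+(\S+)")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
LOCATION = re.compile(r"^Location: (\S+)")

def redirect_hops(log):
    """Return (status, from_url, to_url) for every redirect in a wget log."""
    hops, current, status = [], None, None
    for line in log.splitlines():
        line = line.strip()
        if m := REQUEST.match(line):
            current = m.group(1)          # URL of the request now in flight
        elif m := STATUS.search(line):
            status = int(m.group(1))      # most recent response code
        elif (m := LOCATION.match(line)) and current:
            hops.append((status, current, m.group(1)))
    return hops

def audit(log):
    """Flag hops that leave TLS and note whether HTTP auth was negotiated."""
    auth_seen = "Authentication selected:" in log
    findings = []
    for status, src, dst in redirect_hops(log):
        s, d = urlsplit(src), urlsplit(dst)
        if s.scheme == "https" and d.scheme == "http":
            findings.append({"status": status, "from": src, "to": dst,
                             "same_host": s.hostname == d.hostname,
                             "auth_negotiated": auth_seen})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("TLS downgrade hop:", finding)
```
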


howon
Cisco Employee

Can you provide the nature of the issue? At which step are you seeing the traffic? Is the MDM flow failing?

We’re seeing that even a register to the Airwatch client servers from the ISE PSN results in multiple redirects, alternating between secured and unsecured HTTP. When we switched to another Airwatch deployment, it did work, and it remains secured, just wasn’t sure if this was expected or normal behavior that we’ve seen in the past.

Hi Patrick, could you please forward the screenshot of the MDM addition screen?

The ADD MDM uses 443 for connection and it requires the AW certs to be uploaded into the ISE trusted store.

Thanks

Imran.

Hi Imran,

Confirmed that the certs for the entire chain (GoDaddy) were imported, and 443 port was used. I don’t have the screen shots as this was done at a customer site last week. As soon as we changed to another Airwatch gateway, it worked, which is odd. I’ve seen a couple TAC cases which have implied that the upstream server might be at fault, and we’re waiting on Airwatch to indicate whether there’s something that needs to change on their end, i.e. server number.

arsasiku
Cisco Employee

Turns out to be the same issue with redirect.

https://cisco.jiveon.com/message/372759