cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
82806
Views
41
Helpful
28
Replies

cannot access ISE GUI

ciscoworlds
Level 4
Level 4

Hi, today I changed the IP address of the gig0 and gig1 interfaces of the ISE 2.2 (version 2.2.0.470), but since then I cannot access the GUI. I can ping those IP addresses and even can establish SSH to the ISE CLI and issue commands, but the web page gives me the following error:

 

Oops. Something went wrong
Access is denied , please contact your administrator
 
the output of the "show application status ise" displays everything is running:
 
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 3758
Database Server running 53 PROCESSES
Application Server running 8019
Profiler Database running 5319
ISE Indexing Engine running 9567
AD Connector running 17155
M&T Session Database running 5226
M&T Log Collector running 8273
M&T Log Processor running 8060
Certificate Authority Service running 16879
EST Service running 24350
SXP Engine Service disabled
Docker Daemon running 529
TC-NAC MongoDB Container running 10955
TC-NAC RabbitMQ Container running 11243
TC-NAC Core Engine Container running 13022
VA Database running 15396
VA Service running 15664
Wifi Setup Helper Container running 16023
Wifi Setup Helper Vault running 32
Wifi Setup Helper MongoDB running 15
Wifi Setup Helper Web Server running 196
Wifi Setup Helper Auth Service running 117
Wifi Setup Helper Main Service running 148
Wifi Setup Helper WLC Service running 177
 
Any idea?
28 Replies 28

Hello volant.

I have the same issue with the Cisco ISE GUI access.

I followed your steps, the GUI come back but i have only the "Administration" tab.

 

I think that my problem is that i did the steps:

 

ise/admin# application stop ise 

ise/admin# application start ise safe

 

ise/admin# application stop ise

ise/admin# application start ise

 

But, when you say "go to GUI change settings back", i did not do anything because i do not understand what thing i had to do.

What should we do if we cannot access the web GUI because while my guys were doing a password change, they selected option 1 and not 3?  We can access the CUI just fine, just not the GUI.

Hi @autolb ,

 when you said " ... they selected option 1 and not 3 ... " could you please share what are they doing (which command) ?

Regards

Was having the Same issue in the lab. Had second IP in Gi 1 but gui would not show. Disabled G 0, Rebooted , Gui came up.

Version 2.1

Sim Bambrah
Level 1
Level 1

I tried @volant 's solution and it worked.  After I patched ISE the GUI stopped working again and none of above solutions worked again.  Removed the patch and still same issue.  I am now reinstalling the VM

fitzie
Level 1
Level 1

I'm having a similar issue in the process of installing ISE v3 on a number of brand new 3655s.

I've noticed that the problem appears on some of the servers when I bind Gi 1 to Gi 0.

Removing the binding seems to make the problem go away.  I've not yet assigned certificates to the servers, so I'm going to do that before rebind the Gi 1 back to Gi 0.

Spreadlove
Level 1
Level 1

Hi All,

I am having issues accessing ISE via GUI, I installed 3.1 on a Hyper-V environment. No settings have been done after installation

I am able to connect via ssh but I tried the below suggestion but still cannot access ISE 

ise/admin# application stop ise

ise/admin# application start ise safe

 

ise/admin# application stop ise

ise/admin# application start ise

This is the status of shapp stat ise

Database Listener running 53670
Database Server running 80 PROCESSES
Application Server running 83203
Profiler Database running 75037
ISE Indexing Engine running 85111
AD Connector running 90056
M&T Session Database running 74811
M&T Log Processor running 83408
Certificate Authority Service running 89637
EST Service running 120153
SXP Engine Service disabled
TC-NAC Service disabled
PassiveID WMI Service disabled
PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
ISE Messaging Service running 57148
ISE API Gateway Database Service not running
ISE API Gateway Service not running
Segmentation Policy Service disabled
REST Auth Service disabled
SSE Connector disabled
Hermes (pxGrid Cloud Agent) disabled

Hi SpreadLove,

Can you share a screenshot of the error you are getting when accessing the GUI and which browser are you using for that prupose ?

Hi Mohamed,

Thanks for reaching out, I have tried Mozilla, Edge and Chrome all on latest update, I have also restarted ISE VM several times tooimage.png

 

image.png

 

image.png

 

Hi SpreadLove,

For me, it sounds like the ISE VM rejects the connection due to an SSL error, perhaps a negotiation failure which will take us to check some basic settings here:

1-Make sure that your windows host and Hyper-V environment (and accordingly ISE) clock are synchronized

2-Make sure that TLS 1.0 and TLS1.1 is enabled for the browser settings, Although ISE should negoitate TLS1.2 or higher, it maybe bugged, just open Run and type inetcpl.cpl and go to Advanced table and scroll all the way down and enable TLS 1.0 and 1.1 and check again

MohamedAbdElnaserMohamedMohamedAli_0-1676375202717.png

3- if the above didn't work try to apply any ISE patches available to 3.1 release and try again, as it maybe a bug

Sorry, I may have overlooked the connection refuse error, which indicates possibly that the https port (TCP 443) is not opened on the ISE side due to a bug, can you ssh into the ISE VM and issue command "sh ports | include 443" and see the result

 

Hi Mohamed,
Below is the output I get when I enter the command, I am finding hard to make meaning out of it
tcp: 0.0.0.0:9443, 127.0.0.1:2020, 0.0.0.0:9060, 0.0.0.0:9061, 0.0.0.0:9063, 0.0.0.0:8905, 0.0.0.0:5514, 0.0.0.0:9002, 0.0.0.0:1099, 0.0.0.0:20845, 0.0.0.0:8910, 0.0.0.0:9070, 169.254.4.1:49, 169.254.2.1:49, "ISE IP ADD":49, 169.254.4.1:50, 169.254.2.1:50, "ISE IP ADD":50, 169.254.4.1:51, 169.254.2.1:51, "ISE IP ADD":51, 169.254.4.1:52, 169.254.2.1:52, "ISE IP ADD":52, 127.0.0.1:8888, 0.0.0.0:9080, "ISE IP ADD":8443, "ISE IP ADD":8444, "ISE IP ADD":8445, 0.0.0.0:9085, "ISE IP ADD":8449, 0.0.0.0:9090
udp: 169.254.4.1:3799, 169.254.2.1:3799, "ISE IP ADD":3799, 127.0.0.1:3799, 0.0.0.0:53443, 169.254.4.1:22767, "ISE IP ADD":8905, 169.254.2.1:8905, 169.254.4.1:8905, 0.0.0.0:41998, "ISE IP ADD":27254, "ISE IP ADD":45347, 0.0.0.0:30514, 0.0.0.0:30514, 169.254.2.1:63623, 169.254.4.1:15406, 169.254.2.1:15906, "ISE IP ADD":67, 0.0.0.2:50488, 169.254.4.1:1645, 169.254.2.1:1645, "ISE IP ADD":1645, 127.0.0.1:1645, 169.254.4.1:1646, 169.254.2.1:1646, "ISE IP ADD":1646, 127.0.0.1:1646, 169.254.4.1:1700, 169.254.2.1:1700, "ISE IP ADD":1700, 127.0.0.1:1700, 169.254.4.1:1812, 169.254.2.1:1812, "ISE IP ADD":1812, 127.0.0.1:1812, 169.254.4.1:1813, 169.254.2.1:1813, "ISE IP ADD":1813, 127.0.0.1:1813, 169.254.4.1:2083, 169.254.2.1:2083, "ISE IP ADD":2083, 127.0.0.1:2083, 0.0.0.0:18902, :::53575, :::21998, :::30282

Also I have tried to copy the patch bundle to ise via tftp and ftp and the file is unable to copy successfully, in ISE the file shows in the directory with 0 bytes in size and I get transfer failed
Below is the command used
copy tftp://"tftp ip add"/ise-patchbundle-3.1.0.518-Patch5-22120201.SPA.x86_64.tar.gz disk:/ - for tftp
copy ftp://"ftp ip add"/ise-patchbundle-3.1.0.518-Patch5-22120201.SPA.x86_64.tar.gz disk:/ - for ftp

Solutions will be much appreciated

Hi SpreadLove,

I have built a fresh install of ISE 3.1 VM using VMware Workstation 16 Pro using the ise-3.1.0.518b.SPA.x86_64.iso and the installation was successful and smooth and I'm able to login to the ISE via both GUI and CLI

The Application server service and the https port seems to be open as expected in this case

MohamedAbdElnaserMohamedMohamedAli_0-1676590810740.png

Regarding copy the patch file using tftp, from experience, it mostly fails for files greater than 1GB. I'm not sure about FTP though but usually I use SCP to transfer files using this utility from Solarwinds "SCP Server"

MohamedAbdElnaserMohamedMohamedAli_1-1676590992231.png

and I use the following command to transfer the patch file into Cisco ISE "copy sftp://x.x.x.x/<username>/ise-patchbundle-3.1.0.518-Patch5-22120201.SPA.x86_64.tar.gz disk:/"

It would ask for username and password and complete but unfortunately, it won't display any progress bar and it is extremely slow. it transferred only 120 MB out of 3GB in almost 1 hour and 25 minutes but no timeout so far

My opinion would be that the installation got corrupted somehow and you may need to reinstall a fresh VM of ISE 3.1 (if that is applicable) otherwise, continue with the patch install and it may fix this corruption.

Note: there was a shell root access to the underlying Linux OS in Cisco ISE 1.4 (know about it during TAC case), where they can display and configure the IPTable (Linux firewall) but it was only done using a tar file supplied by Cisco TAC and it is tied to a specific version of ISE. There is a unsupported method used by one user in the below thread that can get you root access but can mess up other things as well (so use it on your own risk) but if you can get access to root you maybe able to check httpd daemon and the IPtable

Cisco ISE - root mode - Cisco Community 

Hi Mohamed,

I just re installed on hyper-v, I selected generation 1 during setup this time, and it worked, that's the only change I made between the two VM setups
But I still have issues transfering files via sftp too, I will look into that in soon time.
Thanks for your assistance.
I appreciate