cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
82812
Views
41
Helpful
28
Replies

cannot access ISE GUI

ciscoworlds
Level 4
Level 4

Hi, today I changed the IP address of the gig0 and gig1 interfaces of the ISE 2.2 (version 2.2.0.470), but since then I cannot access the GUI. I can ping those IP addresses and even can establish SSH to the ISE CLI and issue commands, but the web page gives me the following error:

 

Oops. Something went wrong
Access is denied , please contact your administrator
 
the output of the "show application status ise" displays everything is running:
 
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 3758
Database Server running 53 PROCESSES
Application Server running 8019
Profiler Database running 5319
ISE Indexing Engine running 9567
AD Connector running 17155
M&T Session Database running 5226
M&T Log Collector running 8273
M&T Log Processor running 8060
Certificate Authority Service running 16879
EST Service running 24350
SXP Engine Service disabled
Docker Daemon running 529
TC-NAC MongoDB Container running 10955
TC-NAC RabbitMQ Container running 11243
TC-NAC Core Engine Container running 13022
VA Database running 15396
VA Service running 15664
Wifi Setup Helper Container running 16023
Wifi Setup Helper Vault running 32
Wifi Setup Helper MongoDB running 15
Wifi Setup Helper Web Server running 196
Wifi Setup Helper Auth Service running 117
Wifi Setup Helper Main Service running 148
Wifi Setup Helper WLC Service running 177
 
Any idea?
1 Accepted Solution

Accepted Solutions

Hello All,

I had the same issue. 

I've got access to console on VM.

I run ISE application ise in safe mode. After got access to GUI.

 

ise/admin# application stop ise 

ise/admin# application start ise safe

go to GUI change settings back

ise/admin# application stop ise

ise/admin# application start ise

 

Regards, Max 

View solution in original post

28 Replies 28

Arne Bier
VIP
VIP

Changing IP addresses causes the applications to restart (if I remember correctly).  Did the application restart after changing the IP addresses? 

Tried a different browser in case the usual one was caching some stuff?

 

Hi;

Yes the ISE was restarted after the IP change, but now, even after a day after that, I'm getting the same error. I tried all of the possible browsers as well as IP and DNS names. but the result was the same. I checked the ISE app status and all of the services are still marked as "Running". 

Assuming that you cleared the cache on each browser AND tried accessing the node using the IP or FQDN name but both failed, then I would check if there is a FW not allowing you to access the new IP for Primary PAN. IF that is not the case, then REBOOT the server. Sometimes the application stop/start does not work at all so a complete reload could be necessary.

the FW is not the case, cause I can ping that IP and even establish SSH session and run command on the ISE through new IPs. I powered off/on the devices but no chance. the error is the same. I think there should be a bug here. I search the Internet and managed to find reports on the same error on the ISE which caused by a bug on ISE, but their conditions were not related to IP changes. So I don't know if there is one here. 

I am using 2.2 and I have faced multiple issues. Let me clarify on the other hand that SSH has nothing to do with HTTPS, same about ping.

 

I would suggest you to remove whatever you have on Gig1 and just use Gig0 for traffic and administration, reboot the server once you make those changes and see what happens. If you are hitting a bug related to multiple interfaces/IP then using only one could help you to narrow down the issue.

 

I removed IP address of gig1 interface and disabled it. then restarted the ISE, but the result was the same. As I use it as demo in the lab, I think it is better to reinstall it. But it should have a reason and that would be good if we know it. 

Hi ciscoworlds

I know the post is quite old but can you check if you are accessing the ISE GUI from an Unauthorized IP address range if you enable that under ISE admin Access as shown below as it would give the same error you mentioned.

ISE-Admin-Access.png

robdinan1
Level 1
Level 1
only the GUI login is disabled after 45 days. You can still SSH and login with the same credentials. From there you issue the command:
# application reset-passwd ise admin

You will be prompted to enter your new password 2x and then you should be able to GUI back in and then go to the Adminstration screen and disable the 45 day policy.

Hello guys,
i have the same issue, i can access the SHH but not GUI. I did access to both of them last night but today I cannot. Nothing has changed and i have not changed anything.
Can you help please.
Thanks

Regards,
Star Sulaiman

Try doing this it may help to get you in, but not resolve the problem. It can also provide more information for when you ope a TAC case beyond cannot log in through gui.

 

SSH into the ISE server. Once you are logged in, run the command application stop ise. When everything stops, run "application start ise safe". before you log in through the gui, run "show application status ise" and make sure the application server is running. Once it show running, then attempt to log in. If you are able to, it may have something to do with the admin access. I don't know for sure what it would be, but something to look at and at least you can get in through the gui.

 

Apologies that I can't help you more. Cisco support helped me to get to that point before I figured out my problem when I got the error.

"Apologies that I can't help you more. Cisco support helped me to get to that point before I figured out my problem when I got the error."

 

You say that Cisco support helped you to that point then you figured out your problem. What was your problem?

Hello Experts,
I have the same problem, access by SSH (CLI)
but not web access to the ISE, I do not know what may be happening, I can create another user through CLI to access the ISE through GUI.

I hope your valuable support.
 
Regards.
Carlos P.

No, that would not work. ISE Admin CLI and Web UI have different sets of users and credentials. In ISE Admin CLI, we may reset the password of an ISE Admin Web UI user, however, by "app reset-passwd ise <WebUI-AdminUser-Name>"

Hello All,

I had the same issue. 

I've got access to console on VM.

I run ISE application ise in safe mode. After got access to GUI.

 

ise/admin# application stop ise 

ise/admin# application start ise safe

go to GUI change settings back

ise/admin# application stop ise

ise/admin# application start ise

 

Regards, Max