Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1603
Views
0
Helpful
4
Replies

Cisco DNA and ISE Integration Issue

Go to solution
Ciscorocks
Level 1
Level 1

‎01-28-2023 11:53 AM

We are trying to integrate our Cisco DNA center deployment with ISE and are seeing an error that is stating a CA chain is broken. The error is referring to the chain being broken for issuer "CN=Certificate Services Root CA" this is under "certificate authority certificates". How can we renew this cert so that the chain is no longer broken so that we can get past this error? Do we need to renew the chain for the ISE internal root cert? Any info is appreciated.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ciscorocks
Level 1
Level 1
In response to hslai

‎02-01-2023 09:15 AM

After re-generating the ISE internal root ca and then messaging cert we were able to get DNAC integrated. Make sure the "use DNA center certificate" in DNAC integration settings is unchecked.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Arne Bier
VIP
VIP

‎01-29-2023 03:48 PM

Hey @Ciscorocks ,

Just out of interest, in your ISE deployment, do you see ongoing "Queue Link" Alarms ? If so, then the solution is to regenerate the ISE Internal CA. This is quick an easy and does not cause disruption. Of course, if you're using the internal ISE CA then please don't do this - you'll need to make a more comprehensive solution to ensure you don't break your client connectivity.

 

cheers 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎01-31-2023 07:46 PM

@Ciscorocks Arne is correct that you would need check whether Cisco internal CA service also used for client authentications. In case it's not used for that, then you may follow the Queue-Link Alarm subsection of

0 Helpful

Go to solution
Ciscorocks
Level 1
Level 1
In response to hslai

‎02-01-2023 09:15 AM

After re-generating the ISE internal root ca and then messaging cert we were able to get DNAC integrated. Make sure the "use DNA center certificate" in DNAC integration settings is unchecked.

0 Helpful
Customers Also Viewed These Support Documents