Cisco ISE 3.1 After Patch Update Issue

azman.mansor
Level 1

Dear Cisco Support,

We have 2 Cisco ISE 3.1 appliances. Recently we updated using the patch 7 update.

Once device ISE #1 had been updated, we were unable to access/view the login page but were able to ping that IP.

We tried to SSH, but it looks like the password does not work anymore for SSH.

We are able to access the ISE #2 device via browser, but the configuration was different and it looks like all the settings were not there, such as policies, configuration, etc. We tried to SSH to the ISE #2 device, but the same scenario occurred as on device ISE #1.

Please help: how can we regain access to our ISE?

Thank You

Azman

18 Replies

Hi,

Just want to share what we have done on the primary ISE. We deregistered the primary one, did the application stop and start of ISE again, and rebooted the node. The ISE indexing engine is able to run. Next we need to figure out the routing in the configuration, because we are still unable to access the GUI but the server was pingable.

hslai
Cisco Employee

@azman.mansor If SSH is working, then routing should not be an issue. I would suggest two things to get more info.

  • Take a packet capture between ISE and the admin workstation
  • Move the admin workstation to the same subnet as ISE

Hi hslai,

I did step #2 from your advice, sitting in the same VLAN, and it works: I am able to access the GUI.

To summarize, I can only access the GUI if I sit in the same VLAN, and I am unable to reach the GUI from outside that VLAN.

Since we have already narrowed down the issue, can you advise what we need to do next to allow us to access it from another VLAN again?

Thanks

There are no restrictions to access ISE CLI or GUI from a different VLAN or a remote subnet. What you need is just network connectivity that will route the traffic between the endpoint and ISE, and to allow the traffic to pass through if you should have any security device in the middle. Also, ISE allows restricting access to itself based on IP address (Administration > Admin Access > Settings > Access > IP Access), but the default settings allow all IPs. If you could access ISE CLI then you could reset the GUI password, but if you can't, I don't think there are any other options other than trying to recover the administrator password as per the below doc. But tbh I think you are hitting a bug that is causing all these anomalies:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html#anc5