06-19-2019 02:45 PM
OK, I have read many of the discussions in regards to the Cisco ISE GUI access problems. I rebuilt the server using 2.4 and after initial configuration I was able to log into the GUI interface and start the setup of the ISE server. I got to the point of connecting to the Active Directory when I discovered nobody knew the password for the AD service account. I requested the password be reset but while waiting for that I disconnected the ISE servers from the network for troubleshooting purposes related to another issue. After getting the new passwords I reconnected the ISE servers to the network and tried to access the GUI interface. It just timed out. I am able to ping and SSH into the servers. I can log into the GUI interface of the old ISE servers using the same browser just fine.
I checked to make sure the Application server was running and it is. I also stopped the application service and restarted it in safe mode. Still cannot access the GUI interface. I also changed the password as recommended in other threads and still no luck. It's as if the HTTPS connection is being refused by the ISE server. Today I rebuilt the server "again" but still no luck logging into the GUI interface. I have cleared the cache on the browser and I have tried Firefox, IE and Chrome. All the browsers can log into the old ISE servers via https but not the rebuilt servers. Again, after I rebuilt them the first time I WAS able to log into the GUI interface. I am at a loss here.
06-19-2019 03:41 PM
To eliminate whether this is a web/browser related issue or not, have you tried the following?
Check if TCP/443 is listening:
ise01/admin# show ports | in 443
tcp: 169.254.0.228:49, 192.168.0.221:49, 169.254.0.228:50, 192.168.0.221:50, 169.254.0.228:51, 192.168.0.221:51, 169.254.0.228:52, 192.168.0.221:52, 127.0.0.1:8888, 192.168.0.221:8443, :::443, 192.168.0.221:8444, 192.168.0.221:8445, :::9085, 192.168.0.221:12001, :::9090, 127.0.0.1:2020, :::9060, :::9061, :::8905, :::8009, :::5514, :::9002, :::1099, :::8910, :::8911, :::61616, :::80, :::30008, :::9080
And have you tried a telnet to port 443 to see if ISE is accepting the TCP connection? Below shows that the connection is open on port 443
[admin-biera@centos-01 ~]$
[admin-biera@centos-01 ~]$ telnet 192.168.0.221 443
Trying 192.168.0.221...
Connected to 192.168.0.221.
Escape character is '^]'.
If the above is working then it tells you that TCP connection to ISE Admin portal should work. It means there is no firewall in the way etc. But if the browser is refusing connection then check the browser settings like proxy etc. - disable the proxy (if enabled) and check again.
Is the new server on the same IP subnet as the old server, to which you can still access the GUI?
06-20-2019 07:48 AM
06-20-2019 08:20 AM
06-19-2019 10:52 PM
06-20-2019 07:45 AM
06-29-2019 09:58 PM
I hope you have already engaged Cisco TAC support by now.
If you are still in the same state and trying to resolve it yourself, then adding to the others..
You could try this ISE admin CLI command "tech netstat | inc <ISE-Gi0-IP-Address>:443" to check any ESTABLISHED, TIME_WAIT, or CLOSE_WAIT. If that looks ok, then do other checks, such as telnet on port 443 from another system on the same subnet, and do some packet captures.
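The client-side checks suggested in the replies above (TCP connect to port 443, then the layer above it) can be run as one probe that separates a timeout from a refusal from a TLS failure. This is an added example, not code from any poster or from Cisco; the function name, result labels and hint texts are assumptions made for illustration.

```python
import socket
import ssl
import sys

# Next step per outcome, following the checks suggested in the thread.
NEXT_STEP = {
    "timeout": "no answer at all: test from the same subnet and take a packet capture",
    "refused": "connection actively refused: confirm 443 is listening with 'show ports'",
    "unreachable": "local network error: check routing and interface state",
    "tcp_ok_tls_failed": "TCP works (same as the telnet test) but TLS does not complete",
    "tls_ok": "server side is fine: check browser settings such as the proxy",
}


def probe_https(host, port=443, timeout=5.0):
    """Return how far a connection to host:port gets, as a key of NEXT_STEP."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

    # Reachability test only: certificate checks are off because a freshly
    # built node may present a self-signed certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls_ok"
        except OSError:  # ssl.SSLError and socket.timeout are OSError subclasses
            return "tcp_ok_tls_failed"


if __name__ == "__main__":
    target = sys.argv[1]  # address of the node to test
    result = probe_https(target)
    print(f"{target}:443 -> {result}: {NEXT_STEP[result]}")
```

Run it from the workstation that cannot open the GUI and again from a host on the node's own subnet; differing results between the two point at the network path rather than the node.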