Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
185
Views
1
Helpful
2
Replies

Cisco ISE Licensing - Failed to verify signature

Go to solution
klnnnnng
Level 1
Level 1

‎06-21-2024 01:59 AM

Hello ISE guys,

we are running ISE 3.2 deployment and a few days ago we had to reboot both our PAN Nodes. Reboot Secondary (B Node), wait, promote to primary (A->B), wait, reboot secondary (A Node). Since then we are facing CSSM licensing problems -> "Satellite Authorization Renewal: Details=Failed to verify signature". Now the primary PAN Node disappered from the On-Prem CSSM Satellite and the Secondary got registered. Unfortunaltely now the authorization is failing the the ISE deployment cannot sync with the CSSM Satellite.

I tried Refresh and Renew Registration but the issue persist since the token/SN cannot be verified.

Does anyone has experience with the mentioned issue or is there a certain procedure that we need to stick to?

Thank you in advance!

Kind regards

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎06-21-2024 03:02 PM

ISE and on-prem CSSM licensing has always been unreliable in my experience and not sure who is causing this (ISE, or CSSM). If you find a stable combination of the two, then consider yourself lucky.  I occasionally have to de-register and re-register nodes to CSSM because all attempts to sync and refresh etc. don't work. Don't waste your time trying. Just de-register from CSSM, log into CSSM and if the ISE node is still there, manually delete it. Then generate a token and re-register. The CSSM feels like it's built on some pretty simplistic opensource code and I would hazard a guess, that it's not implemented in the most robust ways.

View solution in original post

2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎06-21-2024 03:02 PM

ISE and on-prem CSSM licensing has always been unreliable in my experience and not sure who is causing this (ISE, or CSSM). If you find a stable combination of the two, then consider yourself lucky.  I occasionally have to de-register and re-register nodes to CSSM because all attempts to sync and refresh etc. don't work. Don't waste your time trying. Just de-register from CSSM, log into CSSM and if the ISE node is still there, manually delete it. Then generate a token and re-register. The CSSM feels like it's built on some pretty simplistic opensource code and I would hazard a guess, that it's not implemented in the most robust ways.

Go to solution
klnnnnng
Level 1
Level 1
In response to Arne Bier

‎06-22-2024 01:03 AM

Hello Arne,

after all the unsuccessful Refresh and Renew registration attempts this is what we did and it helped. I thought there should or could be a more elegant solution to the problem. Thank you for the thorough explanation and sharing your expertise. 

Regards 

0 Helpful
Customers Also Viewed These Support Documents