cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11729
Views
5
Helpful
15
Replies

Cisco Prime Infrastructure and ISE Integration

rgreville666
Level 1
Level 1

Hi,

I'm current struggling to get PI and ISE to integrate, these are running:

  • ISE 1.3.0.876
  • PI 2.1.0.0.87

To integrate ISE with PI, on the PI server I browse to

Design > Management Tools >External Management Servers >   ISE Servers

I enter all the correct details but I get an error message:

Error: Identity Service Engine with IP Address XXX.XXX.XXX.XXX is not reachable. Please check the network connectivity of the Identity Services Engine.

Both devices are in the same subnet, there’s no filtering taking place. Both servers can see each other without an issue. From the CLI I can confirm I can see an ARP and can ping each other without issue. Both the CPI primary and ISE Primary server are located on the same ESX host.

Any ideas?????

15 Replies 15

Marvin Rhoads
Hall of Fame
Hall of Fame

Is your ISE deployment single node? If it's distributed, you should be pointing to the M&T server(s).

We recently discussed over in the Network Management forum where I showed some examples.

Hi Marvin,

This was sourced from my primary MnT/PAN (Primary for both roles at present)

Do you think its a version conflict? 

Thanks


RG

I doubt it's a version conflict. I've integrated ISE 1.2, 1.3 and 1.4 with PI 2.0, 2.1 and 2.2 at various times (though I can't say with certainty I've done your exact mix).

If I were troubleshooting I'd dig into the packets a bit to see what's going on (or open a TAC case). You can initiate a packet capture from either system - PI from the root shell or ISE from the troubleshooting tools in the GUI.

Marvin,

great shout on the packet capture.. looks like I have a TLS/SSL issues which I think I known why.. I'll keep you posted.

Thanks

RG

I thought the issue was due to a certificate issue.

 

I have updated the management certificates on all ISE and PI servers, these are allocated via our internal CA. The management certificates have been working not throwing errors since they were installed (my laptop has the CA certs installed via AD CS)

On the ISE servers I had uploaded the CA certs but missed this off the PI servers. I presumed it was due to the PI not trusting the certificate allocated to the ISE server (As it didn't have the CA certs). After updating the CA certs I still get the same issue. 

I do see a TLSv1 Handshake error in the packet capture, this hasn't changed post CA cert upload.

 

Going to raise a TAC case.

 

 

 

 

Hi RG,

 

I'm having the same problem. A TCPDump on ISE shows that ISE is replying with a TLSv1 "handshake failure" to Prime's SSLv2 "client hello".

 

If possible, keep this post updated with TACs reply. My environment:

Prime: 2.1.0.0.87

ISE: 1.4.0.253 patch 3

 

Thanks in advance.

 

Regards,

TAC have informed me this is a bug, you need to upgrade via a patch which is downloadable from CCO.

 

The bug ID is CSCur43834

 

I have not completed the patch as yet, I will keep you posted.

 

Thanks

 

RG

RG,

Were you ever able to get this patch?

Yes, installed and working without issue since.

Thanks

RG

Thanks for the update. I'll open a TAC case myself to get it now that I've run across the same issue. I had forgotten this thread conversation until Google reminded me. :)

I see the same TLS 1.0 - 1.2 negotiation failure you ran across when I did a tcpdump from ISE 2.0. It even happens with PI 3.02. The BugID still isn't public. :(

FYI the BugID you cited is only applicable to the ISE 1.x and PI2.x scenario.

The integration is broken (again) in ISE 2.0 - PI 3.0. There's an unpublished BugID on the issue.

My TAC engineer told me that PI 3.1 (ca. February 2016) will fix it.

Interesting. I wonder what would happen if you imported the Prime Infrastructure server certificate into ISE's store as a trusted certificate.

Are both ISE and PI certificates issues from the same trusted root CA. Do you have any intermediate certificates loaded into ISE in addition to the root?

If I can answer with my case, the SSL breaks just after the first client hello, the server certificate is not even changed.

 

I'm wondering if it's not because ISE don't accept any of the ciphers proposed by Prime (see attached).

TJ - that might very well be the case.

I came across a handy utility use for nmap to check supported cipher specs on a host. You might give it a whirl to check your hypothesis:

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html