09-25-2015 12:52 AM - edited 03-10-2019 11:05 PM
Hi,
I'm currently struggling to get PI and ISE to integrate. These are running:
To integrate ISE with PI, on the PI server I browse to
Design > Management Tools > External Management Servers > ISE Servers
I enter all the correct details but I get an error message:
Error: Identity Service Engine with IP Address XXX.XXX.XXX.XXX is not reachable. Please check the network connectivity of the Identity Services Engine.
Both devices are in the same subnet, there’s no filtering taking place. Both servers can see each other without an issue. From the CLI I can confirm I can see an ARP and can ping each other without issue. Both the CPI primary and ISE Primary server are located on the same ESX host.
Any ideas?????
09-25-2015 05:30 AM
Is your ISE deployment single node? If it's distributed, you should be pointing to the M&T server(s).
We recently discussed over in the Network Management forum where I showed some examples.
09-25-2015 05:49 AM
Hi Marvin,
This was sourced from my primary MnT/PAN (Primary for both roles at present)
Do you think it's a version conflict?
Thanks
RG
09-25-2015 05:55 AM
I doubt it's a version conflict. I've integrated ISE 1.2, 1.3 and 1.4 with PI 2.0, 2.1 and 2.2 at various times (though I can't say with certainty I've done your exact mix).
If I were troubleshooting I'd dig into the packets a bit to see what's going on (or open a TAC case). You can initiate a packet capture from either system - PI from the root shell or ISE from the troubleshooting tools in the GUI.
09-25-2015 06:18 AM
Marvin,
Great shout on the packet capture. Looks like I have a TLS/SSL issue, and I think I know why. I'll keep you posted.
Thanks
RG
09-28-2015 02:10 AM
I thought the issue was due to a certificate issue.
I have updated the management certificates on all ISE and PI servers; these are allocated via our internal CA. The management certificates have been working and not throwing errors since they were installed (my laptop has the CA certs installed via AD CS).
On the ISE servers I had uploaded the CA certs but missed this off the PI servers. I presumed it was due to the PI not trusting the certificate allocated to the ISE server (as it didn't have the CA certs). After updating the CA certs I still get the same issue.
I do see a TLSv1 Handshake error in the packet capture, this hasn't changed post CA cert upload.
Going to raise a TAC case.
09-29-2015 01:06 AM
Hi RG,
I'm having the same problem. A TCPDump on ISE shows that ISE is replying with a TLSv1 "handshake failure" to Prime's SSLv2 "client hello".
If possible, keep this post updated with TAC's reply. My environment:
Prime: 2.1.0.0.87
ISE: 1.4.0.253 patch 3
Thanks in advance.
Regards,
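To make the pattern described above (an SSLv2-format "client hello" answered by a TLSv1 "handshake failure" alert) recognisable from raw capture bytes, here is a small added example in Python; it is not from this thread or from either product, and all sample bytes below are constructed rather than captured.

```python
# Added example: classify the first SSL/TLS record each side sends, as seen in a
# tcpdump payload, and turn the client/server pair into a one-line verdict.
# Sample bytes are constructed, not captured from ISE or Prime.

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}
HANDSHAKE_TYPES = {1: "client hello", 2: "server hello"}


def classify_record(data: bytes) -> str:
    """Describe the first record in `data`, whether SSLv2-framed or TLS-framed."""
    if len(data) < 5:
        return "truncated"
    # SSLv2 framing: 2-byte length with the high bit set, then message type.
    # Message type 0x01 is CLIENT-HELLO; the version the client wants follows it.
    if data[0] & 0x80 and data[2] == 0x01:
        wanted = int.from_bytes(data[3:5], "big")
        return f"SSLv2-format client hello offering {TLS_VERSIONS.get(wanted, hex(wanted))}"
    # TLS framing: content type, 2-byte version, 2-byte length, then the body.
    content_type = data[0]
    version = TLS_VERSIONS.get(int.from_bytes(data[1:3], "big"), "unknown version")
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if content_type == 0x15 and len(body) >= 2:  # alert record
        level = "fatal" if body[0] == 2 else "warning"
        desc = ALERT_DESCRIPTIONS.get(body[1], f"alert {body[1]}")
        return f"{version} {level} alert: {desc}"
    if content_type == 0x16 and body:  # handshake record
        return f"{version} handshake: {HANDSHAKE_TYPES.get(body[0], f'type {body[0]}')}"
    return f"unrecognised record (first byte {content_type:#04x})"


def diagnose(client_first: bytes, server_first: bytes) -> str:
    """Pair the first client and server records into a troubleshooting verdict."""
    c, s = classify_record(client_first), classify_record(server_first)
    if c.startswith("SSLv2-format") and "handshake_failure" in s:
        return "server refuses SSLv2-format hello: client must send a TLS record-layer ClientHello"
    if "alert" in s:
        return f"server aborted handshake: {s}"
    return f"client: {c}; server: {s}"


# Constructed samples: an SSLv2-framed hello asking for TLSv1, a TLSv1 fatal
# handshake_failure alert, and a TLS-framed TLSv1 ClientHello for comparison.
SSLV2_HELLO = bytes.fromhex("801f010301000600000010000004000005" + "0102030405060708090a0b0c0d0e0f10")
FATAL_ALERT = bytes.fromhex("15030100020228")
TLS_HELLO = bytes.fromhex("1603010006010000020301")

if __name__ == "__main__":
    print(diagnose(SSLV2_HELLO, FATAL_ALERT))
```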
09-29-2015 09:53 AM
TAC have informed me this is a bug; you need to upgrade via a patch, which is downloadable from CCO.
The bug ID is CSCur43834
I have not completed the patch as yet, I will keep you posted.
Thanks
RG
12-02-2015 04:04 PM
RG,
Were you ever able to get this patch?
12-02-2015 04:34 PM
Yes, installed and working without issue since.
Thanks
RG
12-02-2015 05:42 PM
Thanks for the update. I'll open a TAC case myself to get it now that I've run across the same issue. I had forgotten this thread conversation until Google reminded me. :)
I see the same TLS 1.0 - 1.2 negotiation failure you ran across when I did a tcpdump from ISE 2.0. It even happens with PI 3.02. The BugID still isn't public. :(
12-13-2015 08:05 AM
FYI the BugID you cited is only applicable to the ISE 1.x and PI 2.x scenario.
The integration is broken (again) in ISE 2.0 - PI 3.0. There's an unpublished BugID on the issue.
My TAC engineer told me that PI 3.1 (ca. February 2016) will fix it.
09-29-2015 03:58 AM
Interesting. I wonder what would happen if you imported the Prime Infrastructure server certificate into ISE's store as a trusted certificate.
Are both ISE and PI certificates issued from the same trusted root CA? Do you have any intermediate certificates loaded into ISE in addition to the root?
09-29-2015 08:50 AM
09-29-2015 09:13 AM
TJ - that might very well be the case.
I came across a handy nmap script to check supported cipher specs on a host. You might give it a whirl to check your hypothesis:
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html