I'm currently struggling to get PI and ISE to integrate, these are running:
To integrate ISE with PI, on the PI server I browse to
Design > Management Tools > External Management Servers > ISE Servers
I enter all the correct details but I get an error message:
Error: Identity Service Engine with IP Address XXX.XXX.XXX.XXX is not reachable. Please check the network connectivity of the Identity Services Engine.
Both devices are in the same subnet, there’s no filtering taking place. Both servers can see each other without an issue. From the CLI I can confirm I can see an ARP and can ping each other without issue. Both the CPI primary and ISE Primary server are located on the same ESX host.
Is your ISE deployment single node? If it's distributed, you should be pointing to the M&T server(s).
We recently discussed over in the Network Management forum where I showed some examples.
I doubt it's a version conflict. I've integrated ISE 1.2, 1.3 and 1.4 with PI 2.0, 2.1 and 2.2 at various times (though I can't say with certainty I've done your exact mix).
If I were troubleshooting I'd dig into the packets a bit to see what's going on (or open a TAC case). You can initiate a packet capture from either system - PI from the root shell or ISE from the troubleshooting tools in the GUI.
I thought the issue was due to a certificate issue.
I have updated the management certificates on all ISE and PI servers, these are allocated via our internal CA. The management certificates have been working and not throwing errors since they were installed (my laptop has the CA certs installed via AD CS).
On the ISE servers I had uploaded the CA certs but missed this off the PI servers. I presumed it was due to the PI not trusting the certificate allocated to the ISE server (As it didn't have the CA certs). After updating the CA certs I still get the same issue.
I do see a TLSv1 Handshake error in the packet capture, this hasn't changed post CA cert upload.
Going to raise a TAC case.
I'm having the same problem. A TCPDump on ISE shows that ISE is replying with a TLSv1 "handshake failure" to Prime's SSLv2 "client hello".
If possible, keep this post updated with TAC's reply. My environment:
ISE: 126.96.36.199 patch 3
Thanks in advance.
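As an added example, not part of this thread or any Cisco tooling: a small decoder for the first record of each side's TCP payload, so the "SSLv2 client hello" answered by a TLS "handshake failure" alert described above can be recognised from raw capture bytes. The sample payloads are constructed, not taken from anyone's capture.

```python
# Added example (not from the thread): decode the first TLS record of a captured
# TCP payload so an SSLv2-format ClientHello answered by a "handshake failure"
# alert can be recognised without a GUI dissector.
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 46: "certificate_unknown", 48: "unknown_ca",
          70: "protocol_version"}

def classify_record(data: bytes) -> dict:
    """Summarise the leading record in `data` (client or server TCP payload)."""
    if len(data) < 5:
        raise ValueError("payload too short for a TLS/SSLv2 record")
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then
    # message type 1 and the highest version the client is willing to speak.
    if data[0] & 0x80 and data[2] == 0x01:
        ver = struct.unpack(">H", data[3:5])[0]
        return {"format": "SSLv2 ClientHello",
                "advertised_version": VERSIONS.get(ver, hex(ver))}
    content_type, rec_ver, length = struct.unpack(">BHH", data[:5])
    body = data[5:5 + length]
    rec_name = VERSIONS.get(rec_ver, hex(rec_ver))
    if content_type == 0x15 and len(body) >= 2:  # alert record: level, description
        return {"format": "TLS alert", "record_version": rec_name,
                "level": "fatal" if body[0] == 2 else "warning",
                "description": ALERTS.get(body[1], str(body[1]))}
    if content_type == 0x16 and len(body) >= 6 and body[0] == 0x01:  # ClientHello
        client_ver = struct.unpack(">H", body[4:6])[0]
        return {"format": "TLS ClientHello", "record_version": rec_name,
                "client_version": VERSIONS.get(client_ver, hex(client_ver))}
    return {"format": "other", "content_type": content_type, "record_version": rec_name}

def diagnose(client_payload: bytes, server_payload: bytes) -> str:
    """Name the likely cause when the server's first record is a fatal alert."""
    c, s = classify_record(client_payload), classify_record(server_payload)
    if s["format"] != "TLS alert":
        return "no alert from server"
    if c["format"] == "SSLv2 ClientHello" and s["description"] == "handshake_failure":
        return "server rejected SSLv2-format ClientHello (no acceptable parameters)"
    return f"server sent {s['level']} {s['description']} after {c['format']}"

# Constructed sample payloads (not from any capture in the thread):
SSLV2_HELLO = bytes.fromhex("802e0103010015000000100000")  # SSLv2 hdr, type 1, TLSv1.0
HANDSHAKE_FAILURE = bytes.fromhex("15030100020228")        # alert, fatal(2), code 40
TLS12_HELLO = bytes.fromhex("1603010006010000020303")      # handshake, ClientHello, 1.2

if __name__ == "__main__":
    print(diagnose(SSLV2_HELLO, HANDSHAKE_FAILURE))
```

Feed it the first bytes of each direction from `tcpdump -X` or a pcap reader to confirm which side breaks the handshake.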
TAC have informed me this is a bug, you need to upgrade via a patch which is downloadable from CCO.
The bug ID is CSCur43834
I have not completed the patch as yet, I will keep you posted.
Thanks for the update. I'll open a TAC case myself to get it now that I've run across the same issue. I had forgotten this thread conversation until Google reminded me. :)
I see the same TLS 1.0 - 1.2 negotiation failure you ran across when I did a tcpdump from ISE 2.0. It even happens with PI 3.02. The BugID still isn't public. :(
FYI the BugID you cited is only applicable to the ISE 1.x and PI2.x scenario.
The integration is broken (again) in ISE 2.0 - PI 3.0. There's an unpublished BugID on the issue.
My TAC engineer told me that PI 3.1 (ca. February 2016) will fix it.
Interesting. I wonder what would happen if you imported the Prime Infrastructure server certificate into ISE's store as a trusted certificate.
Are both ISE and PI certificates issued from the same trusted root CA? Do you have any intermediate certificates loaded into ISE in addition to the root?
TJ - that might very well be the case.
I came across a handy nmap utility to check supported cipher specs on a host. You might give it a whirl to check your hypothesis: