Beginner

Cisco Prime Infrastructure and ISE Integration

Hi,

I'm currently struggling to get PI and ISE to integrate. These are running:

  • ISE 1.3.0.876
  • PI 2.1.0.0.87

To integrate ISE with PI, on the PI server I browse to

Design > Management Tools > External Management Servers > ISE Servers

I enter all the correct details but I get an error message:

Error: Identity Service Engine with IP Address XXX.XXX.XXX.XXX is not reachable. Please check the network connectivity of the Identity Services Engine.

Both devices are in the same subnet, there’s no filtering taking place. Both servers can see each other without an issue. From the CLI I can confirm I can see an ARP and can ping each other without issue. Both the CPI primary and ISE Primary server are located on the same ESX host.

Any ideas?????

Hall of Fame Guru

Is your ISE deployment single node? If it's distributed, you should be pointing to the M&T server(s).

We recently discussed over in the Network Management forum where I showed some examples.

Beginner

Hi Marvin,

This was sourced from my primary MnT/PAN (Primary for both roles at present)

Do you think it's a version conflict?

Thanks


RG

Hall of Fame Guru

I doubt it's a version conflict. I've integrated ISE 1.2, 1.3 and 1.4 with PI 2.0, 2.1 and 2.2 at various times (though I can't say with certainty I've done your exact mix).

If I were troubleshooting I'd dig into the packets a bit to see what's going on (or open a TAC case). You can initiate a packet capture from either system - PI from the root shell or ISE from the troubleshooting tools in the GUI.

Beginner

Marvin,

Great shout on the packet capture. Looks like I have a TLS/SSL issue, and I think I know why. I'll keep you posted.

Thanks

RG

Beginner

I thought the issue was due to a certificate issue.

I have updated the management certificates on all ISE and PI servers; these are allocated via our internal CA. The management certificates have been working without throwing errors since they were installed (my laptop has the CA certs installed via AD CS).

On the ISE servers I had uploaded the CA certs but missed this off the PI servers. I presumed it was due to PI not trusting the certificate allocated to the ISE server (as it didn't have the CA certs). After updating the CA certs I still get the same issue.

I do see a TLSv1 handshake error in the packet capture; this hasn't changed post CA cert upload.

Going to raise a TAC case.

Beginner

Hi RG,

I'm having the same problem. A TCPDump on ISE shows that ISE is replying with a TLSv1 "handshake failure" to Prime's SSLv2 "client hello".

If possible, keep this post updated with TAC's reply. My environment:

Prime: 2.1.0.0.87

ISE: 1.4.0.253 patch 3

Thanks in advance.

Regards,

Beginner

TAC have informed me this is a bug; you need to upgrade via a patch which is downloadable from CCO.

The bug ID is CSCur43834.

I have not completed the patch as yet, I will keep you posted.

Thanks

RG

Hall of Fame Guru

RG,

Were you ever able to get this patch?

Beginner

Yes, installed and working without issue since.

Thanks

RG

Hall of Fame Guru

Thanks for the update. I'll open a TAC case myself to get it now that I've run across the same issue. I had forgotten this thread conversation until Google reminded me. :)

I see the same TLS 1.0 - 1.2 negotiation failure you ran across when I did a tcpdump from ISE 2.0. It even happens with PI 3.02. The BugID still isn't public. :(

Hall of Fame Guru

FYI the BugID you cited is only applicable to the ISE 1.x and PI 2.x scenario.

The integration is broken (again) in ISE 2.0 - PI 3.0. There's an unpublished BugID on the issue.

My TAC engineer told me that PI 3.1 (ca. February 2016) will fix it.

Hall of Fame Guru

Interesting. I wonder what would happen if you imported the Prime Infrastructure server certificate into ISE's store as a trusted certificate.

Are both ISE and PI certificates issued from the same trusted root CA? Do you have any intermediate certificates loaded into ISE in addition to the root?

Beginner

If I can answer with my case, the SSL breaks just after the first client hello; the server certificate is not even exchanged.

I'm wondering if it's not because ISE doesn't accept any of the ciphers proposed by Prime (see attached).

Hall of Fame Guru

TJ - that might very well be the case.

I came across a handy nmap script for checking the cipher specs a host supports. You might give it a whirl to check your hypothesis:

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
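As an added example (not code from this thread, nor from Cisco, Prime Infrastructure or ISE), here is a small Python 3 decoder for the two records the capture described above contains: an SSLv2-compatible client hello of the kind Prime sent, and the fatal TLSv1 handshake_failure alert ISE answered with. The sample bytes are constructed to match that description; the parser lists which cipher specs the client offered and what the server replied, which is what you would compare against an ssl-enum-ciphers listing of the server to test TJ's cipher-mismatch hypothesis.

```python
import struct

# Constructed sample records modelled on the thread's capture description (not real PI/ISE traffic):
# an SSLv2-compatible CLIENT-HELLO offering three cipher specs, and a fatal TLSv1 handshake_failure alert.
SSLV2_COMPAT_HELLO = (b"\x80\x22"                  # 2-byte length with the high bit set (SSLv2 framing)
                      b"\x01\x03\x01"              # msg type CLIENT-HELLO, highest version TLS 1.0
                      b"\x00\x09\x00\x00\x00\x10"  # cipher-spec len 9, session-id len 0, challenge len 16
                      b"\x00\x00\x2f\x00\x00\x35\x01\x00\x80"  # three 3-byte cipher specs
                      + b"\x00" * 16)              # challenge bytes
TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # record type 21 (alert), TLS 1.0, fatal(2), handshake_failure(40)

ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}

def parse_record(data: bytes) -> dict:
    """Decode one record: SSLv2-compatible CLIENT-HELLO, TLS alert, or TLS-framed ClientHello."""
    if data[0] & 0x80:  # SSLv2 framing: no content-type byte, length has the high bit set
        length = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 1 or length != len(data) - 2:
            raise ValueError("not a well-formed SSLv2 CLIENT-HELLO")
        version = struct.unpack("!H", data[3:5])[0]
        spec_len, _sid_len, _chal_len = struct.unpack("!HHH", data[5:11])
        specs = data[11:11 + spec_len]
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]
        return {"framing": "sslv2", "type": "client_hello", "version": version, "ciphers": ciphers}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 21 and len(body) == 2:  # alert: level, description
        return {"framing": "tls", "type": "alert", "version": version,
                "level": "fatal" if body[0] == 2 else "warning",
                "description": ALERT_DESC.get(body[1], f"alert_{body[1]}")}
    if ctype == 22 and body[0] == 1:  # handshake record carrying a ClientHello
        pos = 4  # skip handshake type (1 byte) and 3-byte length
        client_version = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + 32  # client_version, then the 32-byte random
        pos += 1 + body[pos]  # session id length byte and session id
        suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
        return {"framing": "tls", "type": "client_hello", "version": client_version, "ciphers": ciphers}
    raise ValueError(f"unsupported record type {ctype}")

def explain(hello: dict, reply: dict) -> str:
    """Summarise what the client offered and how the server answered, for comparison with ssl-enum-ciphers."""
    offered = ", ".join(f"0x{c:06x}" if hello["framing"] == "sslv2" else f"0x{c:04x}" for c in hello["ciphers"])
    note = f"client hello ({hello['framing']} framing, max version 0x{hello['version']:04x}) offered: {offered}"
    if reply["type"] == "alert":
        note += f"; server answered with a {reply['level']} {reply['description']} alert"
    return note
```

Feed it the raw record bytes exported from the tcpdump/pcap (the first client-to-server and first server-to-client TLS payloads) and compare the offered list with what the server actually enables.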