Configuring SGT on C9200-48P switch with ISE

tvancamp6 (Level 1)

Hoping for a second set of eyes as we are in the process of upgrading a 3850 to a 9200. I had no problems getting the 3850 or any other 3k switches configured for SGT, but I cannot for the life of me get this 9200 to peer with ISE. I am getting this error:

*Mar 30 23:45:21: %TCP-6-BADAUTH: Invalid MD5 digest from <ISE PSN>(53567) to <9k switch ip>(64999) tableid - 0

which of course makes it appear that I have entered mismatched keys, but I have checked this and even used identical config between the 3k and 9k, and only the 3k will establish peering with ISE. Within ISE, when I add the device, the status for the 9k just remains OFF. I tried changing between type 0, 6, and 7 for the password with no positive results. Are there different/additional commands for the 9k?

These are the commands I am using for this:

cts authorization list SGT
!
cts sxp enable
cts sxp default source-ip <switch ip>
cts sxp default password 0 <secretwords>
cts sxp connection peer <FIREWALL> password default mode local speaker hold-time 0
cts sxp connection peer <ISE PSN> password default mode local both
cts sxp connection peer <ISE PSN> password default mode local both

9k_switch#show cts sxp connections
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Key-Chain: Not Set
Default Key-Chain Name: Not Applicable
Default Source IP: <9k_mgmt_ip>
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : <FIREWALL>
Source IP : <Switch MGMT IP>
Conn status : Pending_On
Conn version : 4
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Duration since last state change: 0:00:00:07 (dd:hr:mm:sec)

----------------------------------------------
Peer IP : <ISE PSN>
Source IP : <Switch MGMT IP>
Conn status : Off (Speaker) :: Pending_On (Listener)
Conn version : 4
Local mode : Both
Connection inst# : 1
TCP conn fd : -1(Speaker) 3(Listener)
TCP conn password: default SXP password
Duration since last state change: 0:00:13:39 (dd:hr:mm:sec) :: 0:00:00:07 (dd:hr:mm:sec)

----------------------------------------------
Peer IP : <ISE PSN>
Source IP : <Switch MGMT IP>
Conn status : Off (Speaker) :: Pending_On (Listener)
Conn version : 4
Local mode : Both
Connection inst# : 1
TCP conn fd : -1(Speaker) 2(Listener)
TCP conn password: default SXP password
Duration since last state change: 1:03:26:07 (dd:hr:mm:sec) :: 0:00:00:07 (dd:hr:mm:sec)

Total num of SXP Connections = 3
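As an added example (not part of the original post and not a Cisco tool), the Python helper below parses text of the kind shown above, the "show cts sxp connections" output and %TCP-6-BADAUTH syslog lines, and states per peer what the combination indicates: an "Invalid MD5 digest" means the peer reaches TCP/64999 and signs, but with a different key; "No MD5 digest" means the peer reaches the port but sends unsigned segments while this side still expects a signature; no BADAUTH at all with the speaker side Off and the listener side Pending_On points at reachability rather than keys. The input is a constructed sample modelled on the post, with the placeholders replaced by documentation-range addresses (192.0.2.1 for the switch, 192.0.2.254 for the firewall, 198.51.100.10 and .11 for the PSNs).

```python
import re

# Constructed sample modelled on the "show cts sxp connections" output in the
# post; the <...> placeholders are replaced with documentation-range addresses.
SHOW_CTS_SXP = """\
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 192.0.2.1
----------------------------------------------
Peer IP : 192.0.2.254
Source IP : 192.0.2.1
Conn status : Pending_On
Conn version : 4
Local mode : SXP Speaker
----------------------------------------------
Peer IP : 198.51.100.10
Source IP : 192.0.2.1
Conn status : Off (Speaker) :: Pending_On (Listener)
Conn version : 4
Local mode : Both
----------------------------------------------
Peer IP : 198.51.100.11
Source IP : 192.0.2.1
Conn status : Off (Speaker) :: Pending_On (Listener)
Conn version : 4
Local mode : Both
"""

# Constructed syslog lines in the format quoted in the thread (one of each kind).
SYSLOG = [
    "*Mar 30 23:45:21: %TCP-6-BADAUTH: Invalid MD5 digest from 198.51.100.10(53567) to 192.0.2.1(64999) tableid - 0",
    "*Mar 30 17:36:27: %TCP-6-BADAUTH: No MD5 digest from 198.51.100.11(62402) to 192.0.2.1(64999) tableid - 0",
]

FIELD_RE = re.compile(r"^(Peer IP|Conn status|Local mode)\s*:\s*(.+?)\s*$", re.M)
ROLE_RE = re.compile(r"(\w+)\s*\((Speaker|Listener)\)")
BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (Invalid|No) MD5 digest from (\S+)\((\d+)\) to (\S+)\((\d+)\)")


def parse_connections(text):
    """Return {peer_ip: {"mode": str, "status": {role: state}}} from the show output."""
    peers = {}
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields = dict(FIELD_RE.findall(block))
        if "Peer IP" not in fields:
            continue  # the global header block carries no peer
        status = fields.get("Conn status", "")
        # "Off (Speaker) :: Pending_On (Listener)" -> {"speaker": "Off", "listener": "Pending_On"}
        roles = {role.lower(): state for state, role in ROLE_RE.findall(status)}
        if not roles:  # single-role connection, e.g. plain "Pending_On" for a speaker
            role = "listener" if "Listener" in fields.get("Local mode", "") else "speaker"
            roles = {role: status}
        peers[fields["Peer IP"]] = {"mode": fields.get("Local mode", ""), "status": roles}
    return peers


def parse_badauth(lines):
    """Return {source_ip: kind} for BADAUTH messages aimed at the SXP listener port."""
    result = {}
    for line in lines:
        m = BADAUTH_RE.search(line)
        if m:
            kind, src, _sport, _dst, dport = m.groups()
            if dport == "64999":
                result[src] = kind
    return result


def diagnose(peers, badauth):
    """Map each peer to a short finding based on connection state plus syslog evidence."""
    findings = {}
    for ip, info in peers.items():
        st = info["status"]
        if badauth.get(ip) == "Invalid":
            findings[ip] = ("peer reaches TCP/64999 and signs with TCP MD5, but the digest "
                            "does not verify: SXP password differs between the two ends")
        elif badauth.get(ip) == "No":
            findings[ip] = ("peer reaches TCP/64999 but sends unsigned segments while this "
                            "side expects MD5: password configured on only one end")
        elif all(s == "On" for s in st.values()):
            findings[ip] = "established"
        elif st.get("speaker") == "Off" and st.get("listener") == "Pending_On":
            findings[ip] = ("no session in either direction and no BADAUTH logged: verify "
                            "TCP/64999 reachability both ways (firewall) before the key")
        else:
            findings[ip] = "connection attempt in progress: " + ", ".join(
                f"{r}={s}" for r, s in st.items())
    return findings


def triage(show_text=SHOW_CTS_SXP, syslog=SYSLOG):
    return diagnose(parse_connections(show_text), parse_badauth(syslog))


if __name__ == "__main__":
    for ip, finding in triage().items():
        print(f"{ip}: {finding}")
```

Run it against a real capture by pasting the show output into SHOW_CTS_SXP and the relevant syslog lines into SYSLOG; the point is to keep the two pieces of evidence together, since the connection table alone cannot distinguish a blocked port from a key mismatch.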

Accepted Solutions

Rodrigo Diaz (Cisco Employee)

Hi @tvancamp6, I would check first that the connection works fine without MD5. What you can do is to set up the password as "none" in both ISE and the switch; if the connection is established, that will mean that the TCP 64999 port is working fine. Also, I will review if there is a firewall in the middle between the ISE and the switch. You can refer to the following links for related issues:

https://community.cisco.com/t5/security-documents/sxp-through-a-cisco-asa-firewall/ta-p/3647544 

Also, the following documentation can be helpful: https://community.cisco.com/t5/security-knowledge-base/trustsec-troubleshooting-guide/ta-p/3647576

[screenshot: RodrigoDiaz_0-1680222616179.png]

Rate and comment if that helped you. 

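The "password none on both ends" test in this answer, and the two BADAUTH messages quoted in the question, both come down to how TCP MD5 signing (RFC 2385, the mechanism behind the SXP password) behaves at the receiver. The Python below is an added illustration, not Cisco's implementation: it computes the RFC 2385 digest over the IPv4 pseudo-header, the TCP header with the checksum zeroed and options excluded, the data and the key, and then shows the receiver's three outcomes. Addresses, ports, keys and the payload are constructed; the port numbers echo the question's log line.

```python
import hashlib
import hmac
import socket
import struct

MD5_SIG_KIND = 19   # TCP option kind for the RFC 2385 MD5 signature option
MD5_SIG_LEN = 18    # kind byte + length byte + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: IPv4 pseudo-header (src, dst, zero, protocol 6, segment
    length), the 20-byte TCP header with checksum zeroed and options excluded,
    the TCP data, and finally the shared key.  'segment' is header+options+data."""
    data_offset = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + b"\x00\x06" + struct.pack("!H", len(segment)))
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + header + segment[data_offset:] + key).digest()


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key=None):
    """Build a PSH/ACK segment (constructed fields); when key is given, append a
    signed MD5 option padded to a 4-byte boundary."""
    opt_len = 20 if key is not None else 0
    data_offset = (20 + opt_len) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, 0x18, 65535, 0, 0)
    options = b""
    if key is not None:
        # The option bytes are not covered by the hash, so sign with a zeroed placeholder.
        placeholder = bytes([MD5_SIG_KIND, MD5_SIG_LEN]) + bytes(16) + b"\x00\x00"
        digest = tcp_md5_digest(src_ip, dst_ip, header + placeholder + payload, key)
        options = bytes([MD5_SIG_KIND, MD5_SIG_LEN]) + digest + b"\x00\x00"
    return header + options + payload


def find_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest or None when absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:              # end of option list
            break
        if kind == 1:              # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                  # malformed option; stop rather than loop
        length = opts[i + 1]
        if kind == MD5_SIG_KIND and length == MD5_SIG_LEN:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check, returning the wording used by the %TCP-6-BADAUTH
    messages in the thread, or 'ok' when the digest verifies."""
    received = find_md5_option(segment)
    if received is None:
        return "No MD5 digest"
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return "ok" if hmac.compare_digest(received, expected) else "Invalid MD5 digest"


def demo():
    """Three constructed cases: matching keys, mismatched keys, and a sender with
    no password while the receiver still expects one."""
    src, dst = "198.51.100.10", "192.0.2.1"      # constructed: ISE PSN -> switch
    payload = b"constructed SXP payload"
    cases = {
        "same key both ends": (b"secretwords", b"secretwords"),
        "different keys": (b"secretwords", b"secretw0rds"),
        "sender unsigned, receiver expects MD5": (None, b"secretwords"),
    }
    results = {}
    for name, (sender_key, receiver_key) in cases.items():
        seg = build_segment(src, dst, 53567, 64999, 1000, 2000, payload, sender_key)
        results[name] = verify_segment(src, dst, seg, receiver_key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third case is why a "none" test only proves anything when both ends are changed together: a receiver still holding a password rejects unsigned segments with "No MD5 digest" exactly as it rejects a wrong key with "Invalid MD5 digest", and in neither case does the session get past the listener. Because both addresses are hashed, the digest is also bound to the address pair, which is the reason the source address the switch uses for the session has to be the one the peer has the password configured for.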

Hello Rodrigo,

I appreciate the feedback! I actually did already try setting the password to none, but the connection never came up and I just saw this message in the log:

*Mar 30 17:36:27: %TCP-6-BADAUTH: No MD5 digest from <ISE PSN>(62402) to <9k_switch>(64999) tableid - 0

We were actually looking into the details from your screenshot this morning as I found this same article and awaiting feedback from the team if these changes have been made. I'm also trying to line up a spare 9200 to setup outside the firewall just to make sure we can in fact make it work and to rule out any issues that might be firewall related. Thank you for the helpful response, I feel like I was at least on the right track with my troubleshooting and was just running out of ideas.

