Re: Error connecting to ISE Profiler Feed

joe_lizzi · ‎07-24-2019

I am attempting to get the Profiler FeedService working in our ISE (2.4, Patch 9) deployment, but it keeps returning a non-helpful "null" error whenever I test it:

Test result: Failure: FeedService test connection failed : Feed Service error : null 
**Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server. **Please ensure that Proxy settings are configured if needed to reach Feed Server.

I have checked the certs, and the two required per the documentation - Verisign Class 3 Public and Verisign Class 3 Server - are both enabled and valid. The PAN has outbound Internet access (no proxy service needed). I have even done a manual/offline import of the latest profiler package, just in case it needed to be "kick-started".

I don't know if the Profiler Feed worked under previous patch versions, as we're just getting this deployment up to production-capable, and therefore I didn't test the function prior to now.

Any ideas?

Surendra · ‎07-24-2019

Take a packet capture on the ISE filtered with the feed server IP address. Find the feed server IP by looking up the FQDN in the URL. Capture will show you why it is failing exactly,

joe_lizzi · ‎07-24-2019

It's contacting ise.cisco.com (208.90.58.30), on port 8443, as one might expect. The problem, of course, is that I can't actually see what data errors are being passed back, since everything is encrypted.

But it's definitely talking to the remote profiler feed server.

Surendra · ‎07-24-2019

If you are using wireshark, decode that stream as SSL and then check if the SSL handshake is complete. My best guess would be a failure at that point itself.

hslai · ‎07-27-2019

Besides what Surendra suggested, please also check ISE debug logs ise-psc.log and profiler.log. If not helping, please open a TAC case to troubleshoot further.