
2629 Views, 2 Helpful, 12 Replies
Beginner

Error on connecting FMC to ISE

Hi, I have FMC 6.2.2.2 and ISE 2.3 Patch 2 running in a POC. I have created a pxGrid ISE connection and am using common certs signed by an internal OpenSSL CA. When I test the connection from the FMC it fails with the following log. I have a similar set up in my own lab and it works. Looks like it's failing on the last step. Any ideas?

Primary host:

test: ISE connection.

Preparing ISE Connection objects...

Preparing subscription objects...

Connecting to ISE server...

Beginning to connect to ISE server...

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: _reconnection_thread starts

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: pxgrid connection init done successfully

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: testing connecting to host 10.222.48.22 timeout=3 ...

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: testing connection to host OK 10.222.48.22:Will use ip=10.222.48.22

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: connecting to host 10.222.48.22 ...

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: stream opened

Starting SSL Handshake, SSL state:before/connect initialization

Completed SSL Handshake, SSL state: SSL negotiation finished successfully

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: EXTERNAL authentication complete

Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: authenticated successfully (sasl mechanism: EXTERNAL)

Captured Jabberwerx log:2018-03-21T19:29:43 [    INFO]: pxgrid_connection_connect: Connected. host=10.222.48.22

Captured Jabberwerx log:2018-03-21T19:29:43 [    INFO]: Controller version: 2.0.0.7

Captured Jabberwerx log:2018-03-21T19:29:43 [    INFO]: Account approved

Captured Jabberwerx log:2018-03-21T19:29:43 [    INFO]:  CoreCapability successfully subscribed

Captured Jabberwerx log:2018-03-21T19:29:43 [    INFO]:  EndpointProfileMetaDataCapability successfully subscribed

Captured Jabberwerx log:2018-03-21T19:29:43 [    INFO]:  TrustSecMetaDataCapability successfully subscribed

Captured Jabberwerx log:2018-03-21T19:29:44 [    INFO]:  SessionDirectoryCapability successfully subscribed

Captured Jabberwerx log:2018-03-21T19:29:44 [    INFO]: _on_connect called

Captured Jabberwerx log:2018-03-21T19:29:44 [    INFO]: EndpointProtectionServiceCapability successfully subscribed

Captured Jabberwerx log:2018-03-21T19:29:44 [    INFO]: AdaptiveNetworkControlCapability successfully subscribed

Queried 1 bulk download hostnames:ise1.ise.com:8910

...successfully connected to ISE server.

Starting bulk download

connectionHealthPollingThread starting.

Captured Jabberwerx log:2018-03-21T19:29:44 [    INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ise1.ise.com:8910/pxgrid/mnt/sd/getSessionListByTime'

Connection to ISE server failed because of time out

12 Replies

Contributor

Simple thing, but have you enabled pxGrid on the node, as it's not enabled by default?


Yep, did that...

Sent from my iPhone

Advocate

That may be the MNT connection that is failing. I am assuming your MNT node is running on a different ISE server than your pxGrid node. Did you correctly put in the MNT CA root? There are two root certs you need to load into FMC:

  1. The root cert for the certificate environment running the pxGrid.  I usually use the ISE internal CA to run the pxGrid certs so this root cert would be the root CA cert of the primary admin node which is acting as the root of the internal CA.
  2. The root CA of the certificate running the Admin persona of the MNT node.  Most likely this is either a public CA cert or the root cert from the customer's PKI.

Thx... but the error did not look like a certificate error. Also, it's on the same node (it's a lab POC).

Dom

Sent from my iPhone


Hey Dominic,

Ensure that everything is FQDN resolvable. If still having issues, unicast me directly.

Thanks,

John

jeppich@cisco.com

Contributor

I am having the issue. Were you able to find a solution?


Just to close the loop on this thread. Spoke to Paul off-line. Re-issued the external CA cert for both the ISE pxGrid node and FMC, rebooted FMC. FMC was able to successfully connect and register.

Thanks,

John

jeppich@cisco.com


Like John said. We were able to make it work.

Today I tried the same in a production environment and encountered another issue. Multiple things might be wrong.

1. In ISE the customer has a distributed deployment. I decided to use the admin node for pxgrid.

2. ISE has certs already installed using an external CA for Admin, Portal, etc. (not for pxGrid). They decided to use their internal MS CA to generate the pxGrid cert, so I generated the CSR and exported it so that the customer could generate the cert. That worked fine. I had to import the Root CA from this internal MS CA into ISE, and after that I had to import and bind the cert for the admin node, secondary node and monitoring node.

3. In FMC I exported the cert and private key using the CLI, and using the same MS CA we generated the cert, which I uploaded into FMC under Internal Certs; after that I uploaded the root CA from the internal MS CA under Trusted CAs.

Up to this point in ISE we had the other external CA being used for admin, portal, etc., and the new cert from the internal MS CA just for pxGrid. Am I doing it right so far?

In FMC the certs were signed by the same MS CA and the root cert was uploaded. No issues.

When I tried to add ISE as the Identity Store in FMC using the selected certs I got a failure. It seems that when FMC tries to connect to ISE it is hitting the other cert instead of the ones we created in Microsoft; check the logs below:

Primary host:

test: ISE connection.

Preparing ISE Connection objects...

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: pxgrid connection init done successfully

Preparing subscription objects...

Connecting to ISE server...

Beginning to connect to ISE server...

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: _reconnection_thread starts

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: connecting to host 10.81.2.200 .......

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: stream opened

Starting SSL Handshake, SSL state:before/connect initialization

Completed SSL Handshake, SSL state: SSL negotiation finished successfully

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: EXTERNAL authentication complete

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: authenticated successfully (sasl mechanism: EXTERNAL)

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: pxgrid_connection_connect: Connected. host=10.81.2.200

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: Controller version: 1.0.3.38

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: Account approved

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: successfully subscribed

Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: successfully subscribed

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: successfully subscribed

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: successfully subscribed

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: _on_connect called

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: successfully subscribed

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: successfully subscribed

Queried 2 bulk download hostnames:SVLPISE.xxxx.com:8910, SVSMISE.xxxx.com:8910

...successfully connected to ISE server.

Starting bulk download

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://SVLPISE.xxxx.com:8910/pxgrid/mnt/sd/getSessionListByTime'

Starting SSL Handshake, SSL state:before/connect initialization

Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x744F483C1394D140CADBA3B21DC49F8D', issued by 'C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2', to 'C = GT, postalCode = 4004, ST = Guatemala, L = Guatemala, street = Diagonal 6 10-01 zona 10, O = Administracion de Datos, OU = ADATSA, OU = Secure Link SSL Wildcard, CN = *.xxxx.com'

...because SSL negotiation encountered error: self signed certificate in certificate chain

...while validating this entry in the certificate chain: Certificate with Serial Number '0x01', issued by 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root', to 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root'

Sending SSL alert:unknown CA

Sending SSL alert:close notify

Captured Jabberwerx log:2018-05-02T18:21:23 [   ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240

bulk download iter next failed REST errorPeer certificate cannot be authenticated with given CA certificates

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://SVSMISE.xxxx.com:8910/pxgrid/mnt/sd/getSessionListByTime'

Starting SSL Handshake, SSL state:before/connect initialization

Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x744F483C1394D140CADBA3B21DC49F8D', issued by 'C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2', to 'C = GT, postalCode = 4004, ST = Guatemala, L = Guatemala, street = Diagonal 6 10-01 zona 10, O = Administracion de Datos, OU = ADATSA, OU = Secure Link SSL Wildcard, CN = *.xxxx.com'

...because SSL negotiation encountered error: self signed certificate in certificate chain

...while validating this entry in the certificate chain: Certificate with Serial Number '0x01', issued by 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root', to 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root'

Sending SSL alert:unknown CA

Sending SSL alert:close notify

Captured Jabberwerx log:2018-05-02T18:21:23 [   ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240

bulk download iter next failed REST errorPeer certificate cannot be authenticated with given CA certificates

Failed to validate bulk download.

disconnecting pxgrid

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: _reconnection_thread exits

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: stream closed; err_dom=(null)

2018-05-02T18:21:23 [    INFO]: _on_disconnect called

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: Event loop exit. status=1

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]:  destroying client ...

Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: pxgrid_connection_disconnect completes

Any comments on that?

Additionally I found that the timezone is not configured correctly in ISE and in FMC. The hostname in FMC is also not configured right. We will fix that.

Any suggestion on why FMC is getting the other cert instead of the one configured for pxGrid?
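The lab log in the first post and the production log in this post fail at the same point: the pxGrid control channel (Jabberwerx/XMPP) authenticates with SASL EXTERNAL, and it is the second stage, the bulk download from the MNT node's REST port 8910, that fails, with a timeout in the lab and a rejected certificate in production. The following Python is an added example, not Cisco code and not anything posted in this thread: it parses the FMC "test: ISE connection" output to tell the two stages apart, pulls out the subject and issuer of the certificate the MNT node presented and the chain entry FMC could not validate, and includes a helper that repeats the port 8910 handshake trusting only the CA file you loaded into FMC. The sample logs are constructed excerpts of the two logs in this thread; the hostname, port and CA file path passed to the live helper are assumptions you supply.

```python
"""Triage for the FMC "test: ISE connection" log. Added example, not Cisco code.
Stage 1: pxGrid control channel (XMPP, SASL EXTERNAL), FMC client cert vs. ISE pxGrid cert.
Stage 2: bulk download (REST, TCP/8910 on each MNT node), where FMC validates the MNT
node's Admin certificate against the CAs loaded under Trusted CAs in FMC.
Both logs in this thread pass stage 1 and fail in stage 2; triage() reports which and why."""
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

CERT = r"Certificate with Serial Number '([^']+)', issued by '([^']+)', to '([^']+)'"
REJECT_RE = re.compile(r"Rejecting this certificate presented by foreign server: " + CERT)
CHAIN_RE = re.compile(r"while validating this entry in the certificate chain: " + CERT)
URL_RE = re.compile(r"CURLOPT_URL: 'https://([^/:']+):(\d+)")
SASL_RE = re.compile(r"authenticated successfully \(sasl mechanism: (\w+)\)")
HOSTS_RE = re.compile(r"Queried \d+ bulk download hostnames:(.*)")


@dataclass
class BulkAttempt:
    host: str
    port: int
    rejected_subject: Optional[str] = None  # leaf cert the MNT node presented
    rejected_issuer: Optional[str] = None
    untrusted_entry: Optional[str] = None   # chain entry FMC could not validate
    reason: Optional[str] = None            # OpenSSL reason text quoted in the log


@dataclass
class Triage:
    pxgrid_authenticated: bool = False
    sasl_mechanism: Optional[str] = None
    bulk_hosts: List[str] = field(default_factory=list)
    attempts: List[BulkAttempt] = field(default_factory=list)
    verdict: str = "no failure recognised"


def parse_dn(dn: str) -> dict:
    """'C = US, ST = VA, CN = x' -> {'C': 'US', 'ST': 'VA', 'CN': 'x'}; a repeated RDN keeps the last."""
    return {k.strip(): v.strip() for k, _, v in (p.partition(" = ") for p in dn.split(", "))}


def triage(log: str) -> Triage:
    t, cur = Triage(), None
    for line in log.splitlines():
        if m := SASL_RE.search(line):
            t.pxgrid_authenticated, t.sasl_mechanism = True, m.group(1)
        elif m := HOSTS_RE.search(line):
            t.bulk_hosts = [h.strip() for h in m.group(1).split(",")]
        elif m := URL_RE.search(line):  # every bulk-download URL starts a new attempt
            cur = BulkAttempt(host=m.group(1), port=int(m.group(2)))
            t.attempts.append(cur)
        elif cur and (m := REJECT_RE.search(line)):
            cur.rejected_issuer, cur.rejected_subject = m.group(2), m.group(3)
        elif cur and (m := CHAIN_RE.search(line)):
            cur.untrusted_entry = m.group(3)
        elif cur and "SSL negotiation encountered error:" in line:
            cur.reason = line.split("error:", 1)[1].strip()

    def cn(dn: Optional[str]) -> str:
        return parse_dn(dn or "CN = ?").get("CN", "?")

    if not t.pxgrid_authenticated:
        t.verdict = "pxgrid: no SASL EXTERNAL success; check pxGrid is enabled and the FMC/ISE pxGrid certs"
    elif rejected := [a for a in t.attempts if a.rejected_subject]:
        a = rejected[0]
        t.verdict = (f"mnt: {a.host}:{a.port} presented '{cn(a.rejected_subject)}' issued by "
                     f"'{cn(a.rejected_issuer)}'; chain entry '{cn(a.untrusted_entry)}' is not in "
                     f"FMC Trusted CAs ({a.reason})")
    elif t.attempts and "failed because of time out" in log:
        a = t.attempts[-1]
        t.verdict = (f"mnt: no TLS handshake logged for {a.host}:{a.port}; check DNS, "
                     f"routing/firewall and that the MNT Admin service answers on that port")
    return t


def validates_like_fmc(host: str, port: int, cafile: str) -> Optional[str]:
    """Repeat FMC's bulk-download handshake trusting only `cafile` (the PEM you loaded under
    Trusted CAs). Returns None on success, else OpenSSL's verify message. Network call."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as e:
        return e.verify_message


# Constructed samples: excerpts of the two logs posted in this thread.
LAB_LOG = """\
Captured Jabberwerx log:2018-03-21T19:29:42 [    INFO]: authenticated successfully (sasl mechanism: EXTERNAL)
Queried 1 bulk download hostnames:ise1.ise.com:8910
Captured Jabberwerx log:2018-03-21T19:29:44 [    INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ise1.ise.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Connection to ISE server failed because of time out
"""
PROD_LOG = """\
Captured Jabberwerx log:2018-05-02T18:21:22 [    INFO]: authenticated successfully (sasl mechanism: EXTERNAL)
Queried 2 bulk download hostnames:SVLPISE.xxxx.com:8910, SVSMISE.xxxx.com:8910
Captured Jabberwerx log:2018-05-02T18:21:23 [    INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://SVLPISE.xxxx.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x744F483C1394D140CADBA3B21DC49F8D', issued by 'C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2', to 'C = GT, postalCode = 4004, ST = Guatemala, L = Guatemala, street = Diagonal 6 10-01 zona 10, O = Administracion de Datos, OU = ADATSA, OU = Secure Link SSL Wildcard, CN = *.xxxx.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x01', issued by 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root', to 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root'
"""
```

Paste the whole FMC test output into `triage()` and read the verdict: for the production log it names the wildcard Admin cert and the AddTrust root as the chain entry missing from FMC's Trusted CAs, which is the MNT Admin cert root Paul describes, not the pxGrid cert. `validates_like_fmc("SVLPISE.xxxx.com", 8910, "/path/to/fmc-trusted-cas.pem")` (hostname and path assumed) should return the same "self signed certificate in certificate chain" text until that root is added to the file, and None afterwards; `openssl s_client -connect host:8910 -showcerts` is the equivalent one-liner if you only want to eyeball which certificate answers on 8910.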


Where is that wildcard cert running? Is it the admin GUI cert on the monitoring node? FMC talks to pxGrid and MNT via REST.


The wildcard is running in the Admin node and the rest of the nodes in ISE. The admin node is separate from the monitoring node.


But is the wildcard cert running the Admin use case on all nodes? If so, you need to load that root CA into FMC.

That is why the MNT Server CA has its own entry.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250


Hey Paul,

If the customer in a production deployment is using an external CA for all nodes, then you don't want to use the internal CA.

Let me know your availability early next week and I will set up a WebEx.

Thanks,

John

cell: 240-447-3937
