Solved: FMC integration with PxGrid Secondary Node FAILS

donovan.chetty · ‎09-29-2017

Good day,

We are trying to integrate newly configured FirePower Management Center 6.2 with our existing ISE PxGrid 2.1 cluster.

The ISE deployment is as follows:

- 6 node cluster

- 2 x nodes for ADM/MnT

- 2 x nodes for PSN

- 2 x nodes for PxGrid

Note about the deployment

- The PxGrid nodes have been successfully joined to the ISE cluster and we have the PxGrid persona running.

- We have an internal CA server that has issued certs to the ISE nodes and the FMC server

- All nodes (6 ISE nodes) and FMC have the certificates issued by the same CA issuing server.

PROBLEM:

The FMC subscribes as a client to the PxGrid Controllers, so that it can receive contextual (SGT, Profiling, etc.) information about users/devices.

When trying to integrate ISE(PxGrid Controller) with the FMC, the primary PxGrid Controller can associate with the FMC - not the secondary one. Meaning I cannot add both the PxGrid controllers as Identity sources on the FMC. Even if I try adding just the secondary PxGrid, this fails. I've confirmed network connectivity (same subnets), no firewall in between them and validity of certificates and issuers. Still not sure why this will not integrate?

Has anybody seen a similar issue or can advise ? (attached a copy of the error)

paul · ‎09-29-2017

That is normal. Just add them both. If you look at the services on your secondary pxGrid node you will see the services are not running. Only one node runs pxGrid at a time. If that node goes down the other nodes services will start up.

View solution in original post

paul · ‎09-29-2017

That is normal. Just add them both. If you look at the services on your secondary pxGrid node you will see the services are not running. Only one node runs pxGrid at a time. If that node goes down the other nodes services will start up.

donovan.chetty · ‎09-29-2017

Thanks Paul.