Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
817
Views
1
Helpful
6
Replies

FMC to ISE-PIC Integration

Go to solution
mumbles202
Level 5
Level 5

‎12-07-2023 07:20 AM

I'm in the process of migrating from User Agent to ISE-PIC on an FMC running 6.6.5.  I've done the basic configuration (added certs to both servers, configured AD integration on the ISE-PIC) and have tried to do the change from the Integration window in the FMC but it fails to connect.  I don't see it in the live sessions on the ISE-PIC server either.  When I test I get the following error:

Primary host: 
test: ISE connection.
Preparing ISE Connection objects...
Connecting to ISE server...
Beginning to connect to ISE server...
Captured Jabberwerx log:2023-12-07T14:35:37 [    INFO]: _reconnection_thread starts
Captured Jabberwerx log:2023-12-07T14:35:37 [    INFO]: pxgrid connection init done successfully
Captured Jabberwerx log:2023-12-07T14:35:37 [    INFO]: testing connecting to host 192.168.200.27 timeout=3 ...
Captured Jabberwerx log:2023-12-07T14:35:40 [   ERROR]: connection timed out while trying to test connection to host=192.168.200.27:ip=192.168.200.27:port=5222
Captured Jabberwerx log:2023-12-07T14:35:40 [    INFO]: _on_disconnect called
...failed to connect to ISE server, with error:ISE_CONNECTION_RESULT_FAIL_CANNOT_CONNECT_HOST.  Shutting down ISEConnection.
Unable to connect to ISE server at host: '192.168.200.27'.
connectionHealthPollingThread starting.
connectionHealthPollingThread ending.
disconnecting pxgrid
Captured Jabberwerx log:2023-12-07T14:35:40 [    INFO]: _reconnection_thread exits
Captured Jabberwerx log:2023-12-07T14:35:40 [    INFO]: pxgrid_connection_disconnect completes

I saw a thread where it was posted that 6.6.5 would need to be upgrade to at least 6.7 to work w/ 3.x, which this:

Cisco Secure Firewall Management Center Compatibility Guide - Cisco

confirms.  The ISE-PIC is running 3.3.0.430.  If I'm running 6.6.5, is my only choice to either deploy an older version of ISE-PIC, do the integration, then upgrade both the FMC and the ISE-PIC server to current versions?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎12-07-2023 07:28 AM

@mumbles202 the problem is likely to be that the FMC 6.6 supports only pxgrid 1.0 and from ISE/ISE-PIC version 3.1 only pxGrid 2.0 is supported. pxGrid 2.0 was introduced in FMC version 6.7. So you options are either upgrade FMC to 6.7 (or higher) or use an older version of ISE-PIC.

IMO I would recommend upgrading to FMC 7.x now (7.2.5 is the recommended version) .

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎12-07-2023 07:28 AM

@mumbles202 the problem is likely to be that the FMC 6.6 supports only pxgrid 1.0 and from ISE/ISE-PIC version 3.1 only pxGrid 2.0 is supported. pxGrid 2.0 was introduced in FMC version 6.7. So you options are either upgrade FMC to 6.7 (or higher) or use an older version of ISE-PIC.

IMO I would recommend upgrading to FMC 7.x now (7.2.5 is the recommended version) .

0 Helpful

Go to solution
mumbles202
Level 5
Level 5
In response to Rob Ingram

‎12-07-2023 07:37 AM

Thanks for the quick reply.  The only real issues I see would be that 6.7 onwards don't support the user agent.  So I could, in theory, disable the user agent during a maintenance window, do the upgrade to a supported version. Then do the integration w/ ISE-PIC 3.3, then upgrade managed devices.  I believe there is only 1 other outstanding issue preventing the upgrade of the FMC (algorithms in 1 vpn which I'll get updated prior), but that should be relatively simple to correct.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to mumbles202

‎12-07-2023 07:43 AM - edited ‎12-07-2023 08:03 AM

@mumbles202 yes that would work. Else you'd have to implement an older version of ISE-PIC (3.0 latest) and then upgrade ISE-PIC and FMC once you'd fully migrated, slightly more work.

0 Helpful

Go to solution
mumbles202
Level 5
Level 5
In response to Rob Ingram

‎12-12-2023 10:44 PM

So I was able to upgrade the FMC to the base 7.2.5 image and confirmed that the ISE-PIC integration looks to be successful now.

 

I did notice that I can't deploy to the FTDs as they fail on my FlexConfig that had the LDAP attribute map. I see that the option to configure the attribute map is in the GUI now so can I just unassign the Flex Config policy form the FTD and then use the attribute map instead to accomplish the same thing? 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to mumbles202

‎12-12-2023 11:23 PM

@mumbles202 yes explicitly remove the flexconfig configuration and reconfigure using the attribute map from the main GUI.

Go to solution
mumbles202
Level 5
Level 5

‎12-13-2023 08:16 AM

Yes, that worked perfectly.  Thanks.

0 Helpful
Customers Also Viewed These Support Documents