
FMCv unable to communicate with ISE-PIC after 7.0.5 upgrade

SpanbildNzLtd
Beginner

Existing deployment was FMCv version 6.6.0 and ISE-PIC 2.6.0.156, Patches 2,3 & 10.

This was communicating fine passing through the discovered identities to FMCv.

I have just completed an upgrade to FMCv to version 7.0.5. This communication link through pxgrid has stopped.
When I click on the test button on the FMC Identity Sources the test returns success. But the following additional logs are given.

Primary host:
[INFO]: PXGrid v2 is enabled
[INFO]: pxgrid 2.0: account activate succeeded
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.session is unsupported or disabled.
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.config.profiler is unsupported or disabled.
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.config.trustsec is unsupported or disabled.
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.config.anc is unsupported or disabled.
[INFO]: These ISE Services are disabled, or are unsupported by ISE: SessionDirectory, EndpointProfile, SecurityGroups, AdaptiveNetworkControl
[INFO]: These ISE Services features not enabled on FMC: SXP
[INFO]: All requested ISE Services are online.

To me that reads that my ISE-PIC node does not have pxgrid 2.0 enabled which is now a requirement of FMCv 7.0.

I have read through a lot of documentation (like that pxgrid 2.0 is supported on version 2.6 patch 6+) but cannot find any reference on how to turn pxgrid 2.0 on for my existing standalone ISE-PIC deployment.

Thanks
-
Jeremy
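
An added example, not part of the original post: a short Python check that reads the test output quoted above and reports which pxGrid service topics ISE declined, instead of relying on the final "online" line. The `required` default is an assumption made for this example (that user identities arrive on the `com.cisco.ise.session` topic); it is not a Cisco-defined list.

```python
import re

# Test output copied from the post above.
SAMPLE = """\
[INFO]: PXGrid v2 is enabled
[INFO]: pxgrid 2.0: account activate succeeded
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.session is unsupported or disabled.
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.config.profiler is unsupported or disabled.
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.config.trustsec is unsupported or disabled.
[INFO]: pxgrid 2.0: ISE server reports com.cisco.ise.config.anc is unsupported or disabled.
[INFO]: These ISE Services are disabled, or are unsupported by ISE: SessionDirectory, EndpointProfile, SecurityGroups, AdaptiveNetworkControl
[INFO]: These ISE Services features not enabled on FMC: SXP
[INFO]: All requested ISE Services are online.
"""

TOPIC = re.compile(r"ISE server reports (\S+) is unsupported or disabled")
BY_ISE = re.compile(r"disabled, or are unsupported by ISE: (.+)")
BY_FMC = re.compile(r"features not enabled on FMC: (.+)")


def split_names(text):
    """Split a comma-separated service list into clean names."""
    return [n.strip() for n in text.split(",") if n.strip()]


def analyse(log_text, required=("com.cisco.ise.session",)):
    """Summarise a test log; `required` is this example's assumption."""
    topics, by_ise, by_fmc, online = [], [], [], False
    for line in log_text.splitlines():
        if m := TOPIC.search(line):
            topics.append(m.group(1))
        elif m := BY_ISE.search(line):
            by_ise = split_names(m.group(1))
        elif m := BY_FMC.search(line):
            by_fmc = split_names(m.group(1))
        elif "All requested ISE Services are online" in line:
            online = True
    # A required topic that ISE reports as unsupported overrides "online".
    missing = [t for t in required if t in topics]
    return {"unsupported_topics": topics, "unsupported_by_ise": by_ise,
            "not_enabled_on_fmc": by_fmc, "reported_online": online,
            "missing_required": missing, "healthy": online and not missing}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```
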

Accepted Solution

SpanbildNzLtd
Beginner

Because our setup is a standalone client, I spun up a new instance of ISE-PIC version 3.1 using the trial licence and connected it into the Domain and added in some providers which started to poll the AD correctly for user logins.

I exported & imported the Root CAs for both appliances respectively then configured FMCv to start using the newer 3.1 edition and it connected successfully.
I approved the two new Subscribers in ISE-PIC and now all is well. FMCv is getting live updates of user activity once again.

Converted our traditional licence to a smart licence, registered the new instance and we're done!

Thank you to all who have taken the time to look at this.
Regards - Jeremy

Replies

ahollifield
VIP Rising star

Is the pxGrid role enabled on the ISE node you are pointing to?  

Yes, I believe so; when showing an application status for ISE, the pxgrid services are listed as running. Plus it wouldn't have been working with my FMCv otherwise?

In ISE-PIC there isn't a way to turn pxgrid on and off anyway, at least not in the web interface.
Thanks

Marvin Rhoads
VIP Community Legend

Correct, your FMC 7.0+ (actually 6.7+) will require your ISE (or ISE-PIC specifically in your case) to support pxGrid 2.0.

I suspect 2.6 patch 6 didn't include the update for ISE-PIC. Could you possibly upgrade it to a more current release (like 3.0 or ideally 3.1)?

3.0 is the highest supported ISE-PIC version for FMCv 7.0. We cannot progress any further than 7.0 due to that being the supported version for the ASA 5516-x.

pxgrid 2.0 should be supported, I hope:
"pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations."
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_pxgrid.html#Cisco_Generic_Topic.dita_e0e84d81-07b8-4f51-b533-c46c2aeae3b2

Have you tried removing and then re-adding the ISE integration to FMC? It could be that the old integration that was using pxGridv1 is somehow being remembered by FMC and the upgraded server isn't connecting properly as a result.

SpanbildNzLtd
Beginner

I have turned off the integration, saved. Recreated the FMC CA certificate, imported it into ISE and then re-enabled the FMC Identity integration and selected the new FMC CA cert to use. I left the ISE "pxGrid Server CA" and "MNT Server CA" in place, as by my thought process they are generated at the ISE end and nothing there has changed in that regard, and when going to make a mock new certificate there isn't an option to choose which pxgrid version to use.

Thanks.

hslai
Cisco Employee

@SpanbildNzLtd I hope you have Cisco TAC engaged on this.

ISE-PIC has no 3.0 release because 3.x mandates Cisco Smart Licensing and because we only got that to work for ISE-PIC in 3.1+. So, it's not clear to me whether you are trying ISE or ISE-PIC or both.

Yes sorry my mistake there, in the original post I say 3.0 but in fact it is 3.1 that is the last supported version and further to that I don't think 3.0 even exists for ISE-PIC.

hslai
Cisco Employee

@SpanbildNzLtd If the pxGrid Web Clients page is empty, take a look at CSCvu63918, which documented a known issue in using the self-signed certificate generated by ISE (until ISE 3.0). The certificate has an extension Netscape Cert Type with the value "SSL server" only.
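
An added example, not part of the original reply and not Cisco code: a standard-library Python check for the condition described above, a certificate whose Netscape Cert Type extension carries "SSL server" only. The two sample byte strings are constructed extension encodings, not taken from any real certificate; locating the extension by searching for its OID bytes is a simplification made for this example.

```python
import ssl
import sys

# DER encoding of OID 2.16.840.1.113730.1.1 (Netscape Cert Type), tag and length included.
NS_CERT_TYPE_OID = bytes.fromhex("06096086480186f8420101")
BIT_NAMES = ["SSL client", "SSL server", "S/MIME", "Object signing",
             "reserved", "SSL CA", "S/MIME CA", "Object signing CA"]

# Constructed samples: one Extension SEQUENCE each (OID, OCTET STRING, BIT STRING).
SERVER_ONLY = bytes.fromhex("3011" "06096086480186f8420101" "0404" "03020640")
CLIENT_AND_SERVER = bytes.fromhex("3011" "06096086480186f8420101" "0404" "030206c0")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ns_cert_types(der):
    """List the nsCertType usages in a DER certificate, or None if absent."""
    at = der.find(NS_CERT_TYPE_OID)
    if at < 0:
        return None
    tag, value, pos = read_tlv(der, at + len(NS_CERT_TYPE_OID))
    if tag == 0x01:  # optional BOOLEAN 'critical' precedes the value
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING holding the extension value")
    tag, bits, _ = read_tlv(value, 0)
    if tag != 0x03 or not bits:
        raise ValueError("expected BIT STRING inside the extension value")
    flags = bits[1] if len(bits) > 1 else 0  # bits[0] is the unused-bit count
    return [name for i, name in enumerate(BIT_NAMES) if flags & (0x80 >> i)]


def server_only(der):
    """True when the extension is present and lists 'SSL server' alone."""
    return ns_cert_types(der) == ["SSL server"]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SERVER_ONLY
    if b"-----BEGIN CERTIFICATE-----" in data:
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    print(ns_cert_types(data), "server-only:", server_only(data))
```
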
