Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6908
Views
40
Helpful
11
Replies

ISE 1.2 Posture Update Issue

Go to solution
deepuvarghese1
Spotlight
Spotlight

‎04-28-2014 03:24 AM - edited ‎03-10-2019 09:40 PM

In ISE 1.2 below message is showing when we do a web posture update either manual or automatic.

"Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured".

It was working fine for long time and all of a sudden it stopped working
and no changes have made on the network side.
https://www.cisco.com/web/secure/pmbu/posture-update.xml is working in the browser.

Few customers had reported the same. Boxes are installed with latest patch version 7.

We can upload the updates through offline mode.

4 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mcrukshanfdo
Level 1
Level 1

‎04-28-2014 01:39 PM

I have experienced the same issue. Both the posture update feed URLs 

1. https://www.cisco.com/web/secure/pmbu/posture-update.xml

2. https://www.perfigo.com/ise/posture-update.xml

give the same error, when the ISE boxes try to do the updates. But these URLs are accessible from outside.

A TCP dump taken from a box shows as "Certificate unkown Alert " (when it tries to update) for the received certificate from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.

The relevant pcap file is attached

View solution in original post

tcpdump-cisco.zip
11 Replies 11

Go to solution
mcrukshanfdo
Level 1
Level 1

‎04-28-2014 01:39 PM

I have experienced the same issue. Both the posture update feed URLs 

1. https://www.cisco.com/web/secure/pmbu/posture-update.xml

2. https://www.perfigo.com/ise/posture-update.xml

give the same error, when the ISE boxes try to do the updates. But these URLs are accessible from outside.

A TCP dump taken from a box shows as "Certificate unkown Alert " (when it tries to update) for the received certificate from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.

The relevant pcap file is attached

tcpdump-cisco.zip

Go to solution
descalante2007
Level 1
Level 1
In response to mcrukshanfdo

‎05-14-2014 04:34 PM

Recently I had the same issue. The dump clearly indicates a problem with a certificate, so I was able to fix it re-enabling all the factory certificates in the Certificate Store.

First I tried re-enabling one by one, but as I got the same result I tried re-enabling all of them at the same time

 

Regards.

0 Helpful

Go to solution
rtanner
Level 1
Level 1
In response to descalante2007

‎03-08-2016 01:57 PM

I had the same issue on ISE 1.3 and 1.4 just now.

I resolved it by adding the Root CA (Geotrust) into the trusted certificates. I had to put the URL in my browser to determine who had issued the cert in the first place, then went to their website to get it, since it wasn't in the ISE to begin with. 

Go to solution
Vinay-M.
Level 1
Level 1
In response to rtanner

‎03-04-2018 09:32 PM

Many Thanks Rtaner,

I had same problem from last 2 week and it wroked for me. Very different kind of certificate issue. I download certificate from Thawte and Hydrant IDE and imported into ISE trusted.  Thanks a Ton for posting this solution. I had very difficult time becauseof this weird error.

Vinay M
0 Helpful

Go to solution
Vinay-M.
Level 1
Level 1
In response to rtanner

‎03-04-2018 09:33 PM

Many Thanks to rtaner for posting this solution. I had this connectvity failing error to BlueCoat proxy and I tried to connect ISE with multiple Proxy IP and port and it kept failing.
Vinay M
0 Helpful

Go to solution
emattison1
Level 1
Level 1
In response to rtanner

‎03-24-2018 02:14 PM

This is still totally valid. I'm playing with 1.4 to go for the SISAS, and this has been bugging me. I downloaded the HydrantID SSL ICA G2 root cert, and that fixed it for me as well!

 

Thanks!

Go to solution
Antonio Macia
Level 3
Level 3

‎03-09-2018 12:58 AM - edited ‎03-09-2018 12:59 AM

Hello, 

 

I ran into this issue and I solved it by adding the "QuoVadis Root CA2"CA as trusted certificate.

 

Regards.

0 Helpful

Go to solution
Ali
Level 4
Level 4
In response to Antonio Macia

‎03-25-2018 12:17 AM

I also Ran into this Issue and found this below update.......

 

https://www.cisco.com/c/en/us/support/docs/field-notices/701/fn70122.html

 

*** Important Update on ISE Please read carefully ***

---------------------------------------------------------------------------

ISE connects to Cisco.com via SSL in order to obtain binary and data updates for Posture and BYOD. On February 14th the certificates used for the Posture Feed Server are being replaced.  To prevent any issues with downloading Posture Feed Server updates, please go to software.cisco.com (LINK) and download the two new  Root and Intermediate certificates and then import them into your Trusted Certificate store in ISE.  When importing the certificates into ISE, please be sure to check the box to “Trust for authentication of Cisco Services”.

 

If the certificates are not updated before Feb 14th then this change will prevent ISE from downloading new software packages directly from Cisco, but will not affect the configuration or operation of Posture or BYOD for end clients.

Go to solution
istafrica
Level 1
Level 1
In response to Ali

‎05-13-2018 11:22 AM

Thank You.. this works like charm..Thumbs up

0 Helpful

Go to solution
alihk1979
Level 1
Level 1
In response to Ali

‎09-04-2018 05:20 AM

Hello All , I am facing same problem with Ise 1.2 the problem is that I couldn't find "Trust for authentication of Cisco Services” to check on it, this option is missing from the certificate, any one has a solution for this.

 

Thank you

0 Helpful

Go to solution
esen.emre
Level 1
Level 1
In response to Ali

‎11-15-2018 04:45 AM

Thank You Ali,

0 Helpful
Customers Also Viewed These Support Documents