ise 2.6 manage accounts not loading

Meuserid1979 · ‎11-23-2020

Hi,

im having issue with the ise "manage accounts" (work centers>guest access>manage accounts) link not loading. i came across with the link below and would like to give it a try

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc69243/?rfs=iqvred

but i couldnt find where to configure the port 9002? or is there any other workaround than this one?

thanks

Mohammed al Baqari · ‎11-23-2020

Can you describe the issue which you are facing.? This bug was impacting
2.1/2.2 and is fixed in 2.6.

***** please remember to rate useful posts

Meuserid1979 · ‎11-23-2020

hi mohammed, usually when cliking "manage accounts" button, a new tab will open up and show those guest users accounts and options to manage them. previously it was working but suddenly doesnt load

Greg Gibbs · ‎11-23-2020

The port used for the Manage Accounts link (tcp/9002) is not configurable and is documented in the ISE Ports Reference for the PAN.

That link is really just a way to access the Sponsor Portal from the PAN, so the alternative would be to connect directly to the Sponsor Portal using the 'friendly' FQDN configured for that direct-access portal.

You should see the PAN as listening on port tcp/9002 in the 'show ports' output. If it shows listening but the link does not work, you'll likely need to look at any firewall rules or ACLs between your client and the PAN that might be blocking the traffic.

admin# show ports | inc 9002
tcp: 169.254.0.228:49, 169.254.2.1:49, 192.168.120.171:49, 169.254.0.228:50, 169.254.2.1:50, 
192.168.120.171:50, 169.254.0.228:51, 169.254.2.1:51, 192.168.120.171:51, 169.254.0.228:52, 
169.254.2.1:52, 192.168.120.171:52, 127.0.0.1:8888, :::9061, :::9063, :::8905, :::8009, :::5514, 
:::9002, :::1099, :::8910, :::8911, :::80, :::36978, :::9080, 192.168.120.171:8443, :::443, 
192.168.120.171:8444, 192.168.120.171:8445, :::9085, 192.168.120.171:12001, :::9090, 127.0.0.1:2020, 
:::9060

Meuserid1979 · ‎11-23-2020

Hi Greg, thanks, when accessing using other sponsor portal with assigned fqdn, it is working. but i believe the port they are using is 8443. thanks, i will check on whether 9002 is in the list of listening ports

Meuserid1979 · ‎11-24-2020

Hi,

after checking port 9002 is there. what could be the possible issue and workaround? thanks

Greg Gibbs · ‎11-25-2020

As I stated before, I suspect the issue is that something is blocking tcp/9002 traffic between your client PC and the PAN. You could use the TCP Dump tool in ISE to capture packets on the PAN to see if it's receiving the tcp/9002 traffic. If you're not seeing the traffic hit the PAN, you'll need to look at the network path between the PC and the PAN and check any traffic filters (ACLs, firewalls, etc) and logging on those devices. If you are seeing tcp/9002 traffic hit the PAN but still seeing the link failure message, you might try rebooting the PAN and/or opening a TAC case to investigate further.

Also keep in mind that, if you're accessing the PAN using the IP address (instead of the FQDN), clicking the Manage Accounts link redirects to tcp/9002 using the FQDN. If the PAN FQDN is not resolvable by DNS, you'll also have an issue.

The workaround would be to access the Sponsor Portal directly from the 'friendly' FQDN (uses tcp/8445 by default).