ISE and Cisco Smart Software Manager CSSM satellite support

gjaeggle
Cisco Employee

Hi Team,

ISE and Cisco SSM satellite is still not supported. Also not with ISE 2.4.

Is this on the roadmap? If yes, with which release / patch and when?


"Cisco Smart Software Manager satellite is not supported."

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter…

Best regards

Gerhard

Accepted Solutions

Jason Kunst
Cisco Employee

Please reach out to the ISE Product managers for product feature request and roadmap questions

Timothy Abbott
Cisco Employee

Hi,

Unfortunately, we can’t discuss roadmap items in this forum. Please reach out to the PM team to discuss futures.

Regards,

-Tim

I managed to get ISE 2.3 talking to our Smart Software Manager satellite (v5.0.1) which we also use for our Prime Infrastructure licensing. Having said that, ISE stops talking to it after around 23 hours (TAC case open). My question is whether SSMS is the "supported" product to use when connecting ISE using Transport Gateway?

Can someone please explain exactly how to "reach out to your PM"? What is the email address or proper next step please?

I have asked our licensing PM, pjatapro.

Hello Arne

Did you get smart licensing using the satellite working on ISE?

Hi Henrik

Yes, I have it running in two deployments. Each deployment is 2.3 patch 3 and each has its own satellite (5.0.1).

It works after initial config and after roughly 1 day the TCP communication from ISE just dies. We did tcpdump and there is no comms. We have to delete all the config and start again and then it works for another day. TAC are investigating.

Our Prime servers use same satellites and they are fine.

Small update on my TAC case (might be interesting to others who have this issue)

Turns out that ISE will use the ISE Proxy configuration (if configured) when performing Smart Call Home operations. If no proxy is configured, then ISE assumes it has a direct path to the internet.

In my case I had configured the proxy in ISE because we use an internet-based SMS Gateway service and all internet traffic has to pass through an authenticated web proxy. This all works really well.

Because Smart Licensing somehow relies on Smart Call Home, AND because Smart Call Home is ostensibly an internet service, ISE is hard coded to use the proxy (if one is configured). This would have almost been okay, if it wasn't for the fact that ISE doesn't provide the proxy credentials that I have configured - and hence, the proxy rejects ISE. This is due to the bugs CSCvh77224 and CSCvd93008.

When ISE uses Smart Call Home for Smart Licensing (Transport Gateway connection method) then the satellite server is on the customer INTRANET and not on the Internet - hence, no need for a proxy.

Ideally, there should be a tickbox in the Smart Call Home screen that says "Use Proxy (Y/N)?" because we cannot assume that Smart Call Home is always going to Internet or needs to use a proxy. However, it's probably acceptable in most cases to tell ISE to bypass the proxy for the local Satellite server's domain name, which is one of the workarounds listed below.

I am waiting for the TAC to concur with this analysis.

My workaround suggestions

  • If your ISE deployment does not need Web Proxy, then ensure that the ISE proxy config page is not enabled/configured - if you had to disable it, then ensure you also perform an application stop/start on all PAN nodes because this is required to activate changes in this page!
  • If your ISE deployment needs Web Proxy for other things (e.g. SMS Gateway), then try adding the Satellite FQDN web domain to the ISE proxy bypass list, followed by application stop/start on all PAN nodes!
  • If your ISE deployment needs Web Proxy for other things (e.g. SMS Gateway), and if bypassing the FQDN is not possible (for whatever reason), then configure your web proxy server to allow unauthenticated proxy access from ISE PAN nodes (IP source address whitelist on proxy).

Arne
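
Added example, not part of the original post or of any Cisco tooling: one way to confirm the analysis above from the proxy side, by looking for 407 responses to PAN nodes that sent no credentials while trying to reach the satellite. It assumes a proxy that writes Squid's native access.log layout; the PAN addresses, the satellite FQDN and the log lines are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumed proxy).
SAMPLE_LOG = """\
1523456789.123     12 10.1.1.11 TCP_DENIED/407 4123 CONNECT ssms.example.internal:443 - HIER_NONE/- text/html
1523456790.456    230 10.1.1.11 TCP_TUNNEL/200 5120 CONNECT sms-gw.example.com:443 svc-ise HIER_DIRECT/203.0.113.10 -
1523456795.001     10 10.1.1.12 TCP_DENIED/407 4123 CONNECT ssms.example.internal:443 - HIER_NONE/- text/html
1523456799.900     15 10.9.9.9 TCP_DENIED/407 4123 CONNECT ssms.example.internal:443 - HIER_NONE/- text/html
1523456801.000      9 10.1.1.11 TCP_DENIED/407 4100 GET http://other.example.com/ - HIER_NONE/- text/html
"""

PAN_NODES = {"10.1.1.11", "10.1.1.12"}    # hypothetical ISE PAN node addresses
SATELLITE_FQDN = "ssms.example.internal"   # hypothetical satellite FQDN


def target_host(method, url):
    """Return the destination host of a proxied request, lower-cased."""
    if method == "CONNECT":                # CONNECT logs host:port, not a URL
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def unauthenticated_denials(log_text, pan_nodes, satellite):
    """List (client, method, url) for 407s sent to PAN nodes that supplied
    no proxy user while requesting the satellite."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue                       # not a native-format record
        client, result, method, url, user = (
            fields[2], fields[3], fields[5], fields[6], fields[7])
        status = result.partition("/")[2]  # "TCP_DENIED/407" -> "407"
        if (client in pan_nodes and status == "407" and user == "-"
                and target_host(method, url) == satellite.lower()):
            hits.append((client, method, url))
    return hits


def denials_per_node(hits):
    """Count matching denials per PAN node address."""
    return dict(Counter(client for client, _, _ in hits))


if __name__ == "__main__":
    found = unauthenticated_denials(SAMPLE_LOG, PAN_NODES, SATELLITE_FQDN)
    for node, count in denials_per_node(found).items():
        print(f"{node}: {count} unauthenticated request(s) to the satellite rejected")
```

Any hits mean the licensing traffic is being sent through the authenticated proxy, which is the case the bypass-list and whitelist workarounds address.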

I've been trying to do it using ISE 2.2 patch 7, but can't get ISE to register to the satellite at all.

Is this how you have configured it?

I've tried configuring Smart Call Home with both "Turn on full SCH capability" and "Keep the default SCH telemetry..."

I don't know if the email address is necessary? On some IOS router examples using Smart Licensing they use this.

The Profile Settings are the default.

SCH_sensored.PNG

Smart Licensing - just before pressing register_sensored.PNG

This ISE does not have internet access at all. Is the proxy setting something I have to take into consideration doing this?

Using default telemetry is fine (no need for email etc). I still don’t know how that helps at all because we have configured it on our prod box but never received any emails.

I noticed that your satellite server is talking on port 80? The default is port 443 as far as I know (at least that is what my satellite server install tech gave me and it works).

So by default ISE will try to use the proxy. If you have proxy enabled and you are required to keep it enabled then simply add a domain bypass for that server's domain in the ISE proxy config. And most importantly you must stop/start the ISE application on PAN servers.

See how that goes.

Hello Henrik

I'm in a situation similar to yours. I need to migrate ISE 1.4 to ISE 2.2, with a decision on whether the simplest way is just to stay with the legacy licensing model. So have you managed to get your ISE<>SSMS communications to work?

Thank you in advance