Solved: ISE ERROR Feed Service unavailable

shlomoi · ‎01-30-2022

Hi friends,

in the last few days I get an error message, nothing has changed on my network and there is no block in the firewall.

Feed Service unavailable : SSLHandshakeException invoking https://ise.cisco.com:8443/feedserver/feed/serverinfo?ISE_VERSION=2.4.0.357: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
**Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server.
**Please ensure that Proxy settings are configured if needed to reach Feed Server.
*** This message was generated by Cisco Identity Services Engine (ISE) ***

Anyone else having this problem?

Thanks

hslai · ‎01-31-2022

@shlomoi : Please add IndenTrust as an additional root CA to be trusted for cisco services. Good to keep the certificates you showed, unless you are certain that they are not used for anything else.

View solution in original post

Aref Alsouqi · ‎01-30-2022

I had this issue on a customer deployment that was running ISE 2.6, and still have the same issue after upgrading to 3.0 with Patch 6.

Maybe we are hitting this bug?

Bug Search Tool (cisco.com)

shlomoi · ‎01-30-2022

Hey aref.

I'm not sure we have the same problem. My ise in version 2.4 with traditional and not smart licensing. Bug talks about smart licensing. I'll probably open Tac and update.

Thanks

Aref Alsouqi · ‎01-30-2022

When we first saw this issue with ISE 2.6, it was running traditional licenses, and then we moved to 3.0 with smart licenses the issue still persisted. TAC would be the way to go.

hslai · ‎01-30-2022

Verify IndenTrust Commerical Root CA 1 is present in the Trusted Certificates in ISE and trusted for cisco services. The ISE profiler feed service site has recently updated the server certificate and it is now issued by HydrantID Server CA O1, a subCA of IndenTrust. For more info, see Field Notice: FN - 72111 - Cisco Identity Services Engine – QuoVadis Root Certificate Decommission Might Affect Posture, Profiler Feed, Client Provisioning, Support Diagnostics Connector, and Smart Licensing Functionality - Software Upgrade Recommend...

shlomoi · ‎01-31-2022

hi hslai Thank you for your help ,

For me it appears like this, how can i change the certificate

It's safe to make the change, it's going to hurt my service. My service is currently working fine, except for the update error.

Thanks shlomo

hslai · ‎01-31-2022

@shlomoi : Please add IndenTrust as an additional root CA to be trusted for cisco services. Good to keep the certificates you showed, unless you are certain that they are not used for anything else.

shlomoi · ‎01-31-2022

I replaced the certificate and everything works fine, thank you very much

Aref Alsouqi · ‎01-31-2022

In my case, the customer confirmed the cert is in place and has the Trust for authentication of Cisco Services enabled, but unfortunately it is still not working.

hslai · ‎01-31-2022

@Aref Alsouqi

If your issue is with Smart licensing, then it can only be addressed by upgrading or patching with an official ISE release with the fix. Smart licensing is not using the ISE trusted certificates store. Otherwise, please work with TAC.

Aref Alsouqi · ‎01-31-2022

The customer build is running the latest'ish patch 4. As today patch 5 became available will ask to apply it and see if that makes any better. If not will recommend to work with TAC.