ISE ipep registration

MMstre
Level 3

Hello All,

I am receiving an error while trying to register to an ipep node. The error states that the node could not be contacted and to make sure it is operational.

I have confirmed that the services are running and it is reachable both IP and DNS.

It is on version 1.2 base.

Due to the change in the software, I am not sure if the software patch available for 1.2 is good for both admin/PSN nodes and the IPN, or just one or the other, so I have not patch upgraded anything.

Has anyone run into this problem of not being able to register the IPN?


13 Replies

gschmitt.ngit
Level 1

Hi,

We recently completed an upgrade from 1.1.3 to 1.2 on a deployment with iPEPs (IPNs). You do not apply Patch to the iPEPs. They will not accept it. You apply it to the primary PAN, and the PAN pushes it to the remaining nodes (but not the iPEPs).

We did not have any problems re-registering the iPEPs once they were upgraded. Did you reapply the certificates and private keys to them? Both of these get blown away when you do the upgrade.

Cheers

Greg Schmitt | Secure Networks Senior Security Engineer

Presidio | www.presidio.com

7601 Ora Glen Dr Suite 100, Greenbelt, MD 20770

D: 410.877.4461 | C: 410.877.4461 | gschmitt@presidio.com

CCIE # 8105

Follow us: http://www.twitter.com/presidio

Hi Greg,

After upgrading the PAN (primary and backup) I had to reimage the IPN. I found there is no upgrade to 1.2, rather it is a re-install. I bootstrapped it, and applied the certs from the primary and secondary admin nodes, as well as placed the cert from the IPEP on the first 2 nodes. Perhaps something has gone wrong during the cert moves between the nodes, but I am fairly certain the procedure was done correctly.

I have registered successfully in the 1.1.x version of ISE, it's only on 1.2 that I seem to be running into an issue...

Hi,

Yeah, the fact that it is a total re-install rather than an upgrade on the IPNs can be a ‘gotcha’. Are these self-signed certificates or CA signed?


They are self-signed certs, the default certs that the nodes generate.

Hi,

You might try deleting the old IPN cert(s) from the PAN, creating new self-signed cert(s) on the IPN(s) (is this a high availability pair or a single IPN?), exporting it (them) and importing it (them) into the primary PAN, and retrying the registration.


I'll give this a try. With the error message "unable to contact node" I wasn't sure if this would be cert related. But it makes sense that it could be just a generic message and certs are the issue.

I will give this a shot and update the thread.

Before you try the certs, can you confirm that you can ping from the PANs to the IPNs and from the IPNs to the PANs?


I can definitely ping it (by DNS as well) from the PAN.

Most likely the certs then.


So I exported the cert from the IPN, and imported it into the PAN. I exported the cert from the PAN, with the private key, and imported it into the IPN. Still failing. I am not sure where it is going wrong. I see the cert in the IPN, and the IPN cert is in the PAN, but still no go. I also have a TAC case on this, but there's a bit of a delay in the response...

Hi,

You don’t want to import the PAN’s key into the IPN (if I understood that part correctly).

Try this:

1. Regenerate and export a self-signed cert for the IPN.

2. Import that cert into the certificate store on the primary PAN

3. Do not do anything further on the IPN

4. Attempt the IPN registration on the PAN

Cheers


Hey Greg,

Got tied up with some other tasks, but got back around to this.

It appears that pulling the PAN certs into the IPN is what caused it not to work. Once I deleted them, and followed your routine, it worked!

Thanks again for your help! Much appreciated!

Mike
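The trust relationship behind Greg's accepted answer and Mike's confirmation, as an added example that is neither code from this thread nor from Cisco: the PAN only completes registration when the self-signed cert the IPN presents is the exact cert held in the PAN's trusted store, so a stale pre-reimage copy fails, and importing the PAN's cert into the IPN does not create that trust either. It assumes openssl is installed; the hostnames and file names are constructed, every cert is generated locally, and no real node is contacted.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Models the check a PAN performs when
# registering an IPN over TLS: the presented self-signed cert must verify against the PAN's
# trusted-certificate store. Assumes openssl is installed; hostnames are constructed.
set -e
WORK=$(mktemp -d)

# gen_selfsigned CN NAME: generate a self-signed cert and key, as a freshly bootstrapped node does.
gen_selfsigned() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# fingerprint NAME: SHA-256 fingerprint, the value to compare against the PAN's trusted-cert list.
fingerprint() {
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# pan_trusts STORE NAME: succeed only if cert NAME verifies against a trust store holding STORE.
pan_trusts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Scenario from the thread: the IPN was re-imaged, so its old and new certs share a name
# but not a key; the PAN also has its own cert, which Mike had copied into the IPN.
gen_selfsigned ipn.lab.example ipn_old
gen_selfsigned ipn.lab.example ipn_new
gen_selfsigned pan.lab.example pan
echo "old IPN fingerprint: $(fingerprint ipn_old)"
echo "new IPN fingerprint: $(fingerprint ipn_new)"

# Only a store holding the IPN's current self-signed cert lets the registration handshake trust it.
for store in ipn_old pan ipn_new; do
    if pan_trusts "$store" ipn_new; then
        echo "PAN store holds $store: new IPN cert trusted, registration can proceed"
    else
        echo "PAN store holds $store: new IPN cert NOT trusted (the 'could not be contacted' symptom)"
    fi
done
```

Comparing the fingerprint shown in the PAN's trusted-certificate list with the one the IPN currently reports is the quickest way to spot a stale copy before re-exporting.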

Hi Greg,

Which are the commands used to do step 1:

1.  Regenerate and export a self-signed cert for the IPN.

The command "pep certificate server add" only permits adding a certificate that is already generated.

Thanks in advance,

Mario Falcao