03-23-2021 09:47 AM
I am currently working on standing up a new ISE 2.7 instance side-by-side with our older 2.3 instance. Both instances' profiler feeds stopped working after 3/17/2021.
The errors I'm getting are below.
2.7 patch 3
Feed Service error : null
**Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server.
**Please ensure that Proxy settings are configured if needed to reach Feed Server.
*** This message was generated by Cisco Identity Services Engine (ISE) ***
2.3 patch 7
FeedService test connection failed : Feed Service unavailable : SocketException invoking https://ise.cisco.com:8443/feedserver/feed/serverinfo?ISE_VERSION=2.3.0.298: Connection reset **Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server. **Please ensure that Proxy settings are configured if needed to reach Feed Server.
Odd that both failed on the same day. Does anybody know of any changes on the Cisco side for the requirements for root or intermediate certs here?
Accepted Solutions

03-23-2021 03:22 PM
Yes, there was a planned maintenance of the ISE feed servers on March 17.
If you are still having problems, contact TAC and they should be able to help you with it.
03-24-2021 09:06 AM - edited 03-24-2021 09:07 AM
Thanks again for everyone's suggestions. I was able to track down the issue with TAC. We found an in-house firewall rule that allowed 8443 to ise.cisco.com but it was using a static IP for Cisco's feed rather than an FQDN lookup. I'm guessing the public IP for ISE's profiler feed changed on 3/17, causing this issue.
I am now able to connect both old and new ISE deployments to the profiler feed.
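The failure mode in this accepted solution, a firewall rule pinned to a static IP while the feed server's FQDN moves to a new address, can be checked for ahead of time. The following is an added example, not code from the thread or from Cisco: it assumes the rule's destinations are available as a list of IP or CIDR strings, and the sample addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress
import socket

FEED_HOST = "ise.cisco.com"  # feed server FQDN named in the thread
FEED_PORT = 8443             # feed server port named in the thread


def resolve_ipv4(host, port, getaddrinfo=socket.getaddrinfo):
    """Return the set of IPv4 addresses the FQDN resolves to right now."""
    infos = getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def audit_pinned_rule(rule_destinations, resolved):
    """Compare a rule's static destinations (IPs or CIDRs) with DNS answers.

    blocked: resolved addresses that no rule entry covers (traffic is dropped)
    stale:   rule entries that cover none of the resolved addresses
    """
    nets = [ipaddress.ip_network(d, strict=False) for d in rule_destinations]
    blocked = sorted(ip for ip in resolved if not any(ip in n for n in nets))
    stale = [n for n in nets if not any(ip in n for ip in resolved)]
    return {
        "ok": not blocked,
        "blocked": [str(ip) for ip in blocked],
        "stale": [str(n) for n in stale],
    }


def constructed_getaddrinfo(host, port, family=0, type=0):
    """Constructed DNS answer (RFC 5737 address) so the demo runs offline."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("198.51.100.20", port))]


if __name__ == "__main__":
    # Constructed rule: pinned to the address the name used to resolve to.
    pinned = ["192.0.2.10"]
    now = resolve_ipv4(FEED_HOST, FEED_PORT, getaddrinfo=constructed_getaddrinfo)
    print(audit_pinned_rule(pinned, now))
    # Drop the getaddrinfo argument to audit against live DNS.
```

Run it against the same DNS resolver the ISE nodes use, since answers can differ between resolvers.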
03-23-2021 11:11 AM
Hi @Minnesotakid ,
please first of all at Work Centers > Profiler > Feeds > Online Subscription Update, try the Test Feed Service Connection and check the Test Result:
Second ... please double check the configuration at Administration > System Settings > Proxy ... remember that:
"The following functionalities are impacted by the proxy settings:
...
Endpoint Profiler Feed Service Update
..."
Hope this helps !!!
03-23-2021 11:49 AM - edited 03-23-2021 12:10 PM
Thanks for the suggestions! I've tested each node every day or so to see if it was just a goofy 1-day issue on the Cisco side but it's still failing every time I try.
Here's the error on the 2.3 side when I try to manually run it:
FeedService test connection failed : Feed Service unavailable : SocketException invoking https://ise.cisco.com:8443/feedserver/feed/serverinfo?ISE_VERSION=2.3.0.298: Connection reset **Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server. **Please ensure that Proxy settings are configured if needed to reach Feed Server.
As for the proxy server, I've validated there is no proxy server configured on either 2.3 or 2.7.
03-23-2021 02:32 PM
Hi @Minnesotakid ,
try a TCP Dump (Operations > Troubleshoot > Diagnostic Tools) while you click the Test Feed Service Connection.
Please check for errors after the CONNECT: ise.cisco.com:8443 (the Feed Service Partner Portal).
Hope this helps !!!

03-23-2021 03:15 PM - edited 03-23-2021 03:28 PM
This is likely due to the decommissioning of the QuoVadis root certificate chain. Field Notice: FN - 72111 - Cisco Identity Services Engine – QuoVadis Root Certificate Decommission Might Affect Posture, Profiler Feed, Client Provisioning, Support Diagnostics Connector, and Smart Licensing Functionality - Software Upgrade Recommend...
Edit: After reading the FN more carefully, this should not have an immediate impact.
"Certificates issued before the QuoVadis Root CA 2 is decommissioned will continue to be valid until they reach their individual expiration date. Once those certificates expire, they will not renew and this might cause functions such as Posture, Profiler Feed, Client Provisioning Updates, Cisco Support Diagnostics Connector, and Smart Licensing to fail to establish secure connections."

03-24-2021 07:43 AM
Thank you @Greg Gibbs and @thomas, I figured this was the issue. I will open a TAC case and report back if there's a repeatable fix for anyone else seeing this issue.
03-24-2021 02:42 AM
Hi @Minnesotakid,
I had this problem too on version 2.4.0.357 patch 11; the service feed stopped working after 3/17/2021.
Did you find the solution?
Thanks in advance.
03-24-2021 09:49 AM
Check out the marked solution and see if that helps you!
Thanks,
Phil
03-31-2021 08:04 AM - edited 03-31-2021 08:05 AM
Hi @Minnesotakid,
Please can you tell me if the problem was in the rules of your firewall or that of Cisco? I noticed that I can ping both ise.cisco.com and 173.36.110.10 from ISE.
Thanks in advance.
03-31-2021 08:38 AM
The problem was the rule configured in my company's firewall. Also - remember, it uses port 8443 for the connection.
04-01-2021 02:23 AM
Hi @Minnesotakid,
Thanks for your prompt reply.
In the firewall, I have authorized all services and all destinations; also, in the firewall's event log I see that there is communication between ISE and public IP 173.36.110.10, as shown in the attachment.
PS: In the ISE CLI, I can ping 173.36.110.10 and also ping ise.cisco.com, but with nslookup 173.36.110.10 I can't find the PTR, as shown in the attachment.
Please can you tell me if you get a PTR when you type nslookup 173.36.110.10?
04-01-2021 09:32 AM
Hi Nadia,
I would contact TAC to verify you have everything you need at this point. They were able to help me on a call within 20 minutes.
Thanks,
Phil
04-21-2021 04:56 AM
Thanks for your suggestions. I contacted TAC and the issue was with the MTU; I changed it to 1300 and now it works.
