Minnesotakid
Beginner

ISE Profiler feed issues

I am currently working on standing up a new ISE 2.7 instance side-by-side with our older 2.3 instance. Both instances' profiler feeds stopped working after 3/17/2021.

 

The errors I'm getting are below. 

2.7 patch 3

Feed Service error : null
**Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server.
**Please ensure that Proxy settings are configured if needed to reach Feed Server.
*** This message was generated by Cisco Identity Services Engine (ISE) ***

 

2.3 patch 7

FeedService test connection failed : Feed Service unavailable : SocketException invoking https://ise.cisco.com:8443/feedserver/feed/serverinfo?ISE_VERSION=2.3.0.298: Connection reset **Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server. **Please ensure that Proxy settings are configured if needed to reach Feed Server.

Odd that both failed on the same day. Does anybody know of any changes on the Cisco side for the requirements for root or intermediate certs here?

Accepted Solutions
thomas
Cisco Employee

Yes, there was a planned maintenance of the ISE feed servers on March 17.

If you are still having problems, contact TAC and they should be able to help you with it.

 


Thanks again for everyone's suggestions. I was able to track down the issue with TAC. We found an in-house firewall rule that allowed 8443 to ise.cisco.com but it was using a static IP for Cisco's feed rather than an FQDN lookup. I'm guessing the public IP for ISE's profiler feed changed on 3/17, causing this issue. 

 

I am now able to connect both old and new ISE deployments to the profiler feed. 


14 Replies
Marcelo Morais
Advocate

Hi @Minnesotakid ,

First of all, please go to Work Centers > Profiler > Feeds > Online Subscription Update, try the Test Feed Service Connection and check the Test Result.

Second ... please double check the configuration at Administration > System Settings > Proxy ... remember that:

"The following functionalities are impacted by the proxy settings:
...
Endpoint Profiler Feed Service Update

..."

 

Hope this helps !!!

 

@Marcelo Morais 

Thanks for the suggestions! I've tested each node every day or so to see if it was just a goofy 1-day issue on the Cisco side but it's still failing every time I try. 

 

Here's the error on the 2.3 side when I try to manually run it:
FeedService test connection failed : Feed Service unavailable : SocketException invoking https://ise.cisco.com:8443/feedserver/feed/serverinfo?ISE_VERSION=2.3.0.298: Connection reset **Please ensure that the certificate store on ISE has a valid and enabled entry for either the root certificate or the intermediate certificate for the SSL server certificate chain of Cisco ISE feed server. **Please ensure that Proxy settings are configured if needed to reach Feed Server.

 

As for the proxy server, I've validated there is no proxy server configured on either 2.3 or 2.7

Hi @Minnesotakid ,

Try a TCP Dump (Operations > Troubleshoot > Diagnostic Tools) while you click the Test Feed Service Connection.

Please check for errors after the CONNECT: ise.cisco.com:8443 (the Feed Service Partner Portal).

 

Hope this helps !!!

This is likely due to the decommissioning of the QuoVadis root certificate chain.  Field Notice: FN - 72111 - Cisco Identity Services Engine – QuoVadis Root Certificate Decommission Might Affect Posture, Profiler Feed, Client Provisioning, Support Diagnostics Connector, and Smart Licensing Functionality - Software Upgrade Recommend...

 

Edit: After reading the FN more carefully, this should not have an immediate impact.

"Certificates issued before the QuoVadis Root CA 2 is decommissioned will continue to be valid until they reach their individual expiration date. Once those certificates expire, they will not renew and this might cause functions such as Posture, Profiler Feed, Client Provisioning Updates, Cisco Support Diagnostics Connector, and Smart Licensing to fail to establish secure connections."


Thank you @Greg Gibbs and @thomas, I figured this was the issue. I will open a TAC case and report back if there's a repeatable fix for anyone else seeing this issue.


Nadia Bbz
Beginner

Hi @Minnesotakid,

I had this problem too, on version 2.4.0.357 patch 11: the service feed stopped working after 3/17/2021.

Did you find the solution?

Thanks in advance.

 

Check out the marked solution and see if that helps you!

 

Thanks,

Phil

Nadia Bbz
Beginner

 

Hi @Minnesotakid,

Please can you tell me whether the problem was in the rules of your firewall or in Cisco's? I noticed that I can ping both ise.cisco.com and 173.36.110.10 from ISE.

Thanks in advance.

 

The problem was the rule configured in my company's firewall. Also - remember, it uses port 8443 for the connection. 

Hi @Minnesotakid,

Thanks for your prompt reply.

In the firewall, I have authorized all services and all destinations. Also, in the firewall event log I can see that there is communication between ISE and the public IP 173.36.110.10, as shown in the attachment.

PS: In the ISE CLI, I can ping 173.36.110.10 and also ping ise.cisco.com, but with nslookup 173.36.110.10 I can't find the PTR, as shown in the attachment.

Please can you tell me whether you get a PTR when you type nslookup 173.36.110.10?

 

 

Hi Nadia,

 

I would contact TAC to verify you have everything you need at this point. They were able to help me on a call within 20 minutes. 

 

Thanks,

Phil

Thanks for your suggestions. I contacted TAC and the issue was with the MTU; I changed it to 1300 and now it works.
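
Added example (not part of any post in this thread, and not Cisco code): the failures above surfaced as a certificate-store message but were traced to a static-IP firewall rule and to MTU. This Python check, intended for a host on the same egress path as ISE, reports which stage (DNS, TCP, TLS, trust) fails for ise.cisco.com:8443 and which resolved addresses a pinned allow-list misses; the allow-list entry 192.0.2.10 and all function names are assumptions for illustration.

```python
import socket
import ssl

FEED_HOST, FEED_PORT = "ise.cisco.com", 8443      # host and port named in the thread

def resolve(host, port, getaddrinfo=socket.getaddrinfo):
    """IPv4 addresses DNS currently returns for host, sorted and de-duplicated."""
    infos = getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def pinned_rule_drift(resolved, allowed):
    """Resolved addresses that a static-IP firewall rule no longer covers."""
    return sorted(set(resolved) - set(allowed))

def probe(host, port, timeout=5.0, resolver=resolve,
          connect=socket.create_connection, context=None):
    """Walk DNS -> TCP -> TLS; return (stage, detail) for the first stage that fails."""
    try:
        ips = resolver(host, port)
    except OSError as exc:                         # socket.gaierror is an OSError
        return "dns", f"cannot resolve {host}: {exc}"
    try:
        sock = connect((host, port), timeout)
    except OSError as exc:                         # refused, timed out, unreachable
        return "tcp", f"no TCP session to {ips}: {exc}"
    context = context or ssl.create_default_context()
    try:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"{tls.version()} negotiated, DNS gave {ips}"
    except ssl.SSLCertVerificationError as exc:    # local trust store rejects the chain
        return "trust", f"certificate chain rejected: {exc}"
    except OSError as exc:                         # reset or timeout after TCP came up
        return "tls", f"handshake cut off after connect: {exc}"
    finally:
        sock.close()

if __name__ == "__main__":
    allowed = ["192.0.2.10"]                       # constructed allow-list entry
    current = resolve(FEED_HOST, FEED_PORT)
    print("uncovered by rule:", pinned_rule_drift(current, allowed))
    print(probe(FEED_HOST, FEED_PORT))
```

A `dns`, `tcp` or `tls` result is not a certificate-verification failure, so the network path (egress rules, MTU) is the place to look first. The `trust` result reflects the trust store of the host running the check, not the one on ISE.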
