Issue with SXP between ASAv and ISE

Hi all,

I’m experiencing an annoying problem when configuring SXP between ASA and ISE for a PoC environment. I have configured RADIUS and basic TrustSec and ‘everything’ works fine until SXP is configured. SXP (ASA) won’t connect regardless of the settings on the ASA. Status is either “Pending On” or “Off”.

ASA debug shows this message:
[cts sxp message error]: trp_socket_read: socket_recv failed; fd = 4, errno = 13, err_msg = Permission denied

Technically, I might not need SXP as this ASA is intended for RA VPN only. If ISE returns attributes the ASA can use, those will not change for the duration of the VPN session, or am I missing something? Does anyone have any ideas on why the ASA logs a Permission Denied?

There is a firewall between ASA and ISE but that literally has an “allow any any” rule for now.

*** VERSIONS ***
ASAv: 9.20(2)2
ISE: 3.2.0.542, patch:5

*** ASA DEBUG ***
debug cts all
debug cts sxp all

[cts sxp message error]: trp_socket_read: socket_recv failed; fd = 4, errno = 13, err_msg = Permission denied

*** ASA CONFIGURATION ***
ssh 10.2.2.0 255.255.255.0 inside
aaa-server ISE-RADIUS protocol radius
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host ise-node01.mydomain.com
 timeout 8
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
aaa-server ISE-RADIUS (inside) host ise-node02.mydomain.com
 timeout 8
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
cts server-group ISE-RADIUS
cts sxp enable
cts sxp default password *****
cts sxp default source-ip 10.1.1.5
cts sxp connection peer 10.2.2.43 password default mode local listener
cts sxp connection peer 10.2.2.44 password default mode local listener

/Anders

2 Replies

@Anders Fredriksson

I assume the SXP service is enabled on the ISE PSN?

Is the firewall in between the ASA and ISE performing NAT? That could cause a problem.

From the ASA take a packet capture of the SXP traffic to confirm communication to/from ISE (or not), filter on TCP port 64999 for SXP.

@Rob Ingram 

Thank you for pointing me in the right direction!
The capture showed that both ISE and ASA were mutually ignoring each other by not responding to connection requests (SYN packets -> wait 120 sec -> try again).
5 x ASA -> ISE TCP/64999 SYN
5 x ISE -> ASA TCP/64999 SYN

Enter weirdness,
I changed password type to “None” on both devices and then it worked. But how can an SXP setting take effect before a session is established? Shouldn’t that be something to convey in the session after establishment? Obviously, I have some reading to do!

/Anders
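Rob's capture tip and Anders' question about the password, worked through as an added example (my code, not from this thread and not a Cisco tool): a small Python script that decodes TCP headers from an SXP capture, pairs every SYN with its SYN-ACK, and reports the SYNs that were never answered per direction, together with whether each SYN carried the TCP MD5 signature option (RFC 2385, option kind 19). SXP enforces its connection password through that option, and it travels in the SYN itself, which is why a password mismatch can stop the three-way handshake before any SXP message is exchanged. The addresses are the ones in the post; the packets are constructed here with an all-zero digest, and `build_syn`, `parse_tcp_header`, `unanswered_syns` and `summarize` are names I chose for this example.

```python
"""Check an SXP (TCP/64999) capture for unanswered SYNs and the TCP MD5 option.

Input: decoded packets (src, dst, raw TCP segment). Output: per direction, how many
SYNs got no SYN-ACK and whether they carried the RFC 2385 MD5 signature option.
"""
import struct
from dataclasses import dataclass

SXP_PORT = 64999
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MD5SIG = 19          # RFC 2385 TCP MD5 signature option, set when SXP has a password
FLAG_SYN, FLAG_ACK = 0x02, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    options: bytes


def parse_tcp_options(raw):
    """Parse the TCP options field into (kind, data) tuples; NOP/EOL handled per RFC 793."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} for kind {kind}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def has_md5sig(options):
    return any(kind == TCP_OPT_MD5SIG for kind, _ in parse_tcp_options(options))


def parse_tcp_header(src, dst, segment):
    """Decode the fixed TCP header and the options area from raw segment bytes."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return Packet(src, dst, sport, dport, off_flags & 0x1FF, segment[20:data_offset])


def build_syn(sport, dport, md5, ack=False):
    """Constructed SYN or SYN-ACK header; the MD5 digest is zeros (not a real signature)."""
    options = b""
    if md5:
        options = bytes([TCP_OPT_MD5SIG, 18]) + b"\x00" * 16 + bytes([TCP_OPT_NOP, TCP_OPT_EOL])
    data_offset = (20 + len(options)) // 4
    flags = FLAG_SYN | (FLAG_ACK if ack else 0)
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options


def unanswered_syns(packets):
    """SYNs (no ACK flag) to or from SXP_PORT for which no SYN-ACK came back."""
    synacks = {(p.dst, p.dport, p.src, p.sport)
               for p in packets if p.flags & FLAG_SYN and p.flags & FLAG_ACK}
    return [{"from": p.src, "to": p.dst, "md5sig": has_md5sig(p.options)}
            for p in packets
            if p.flags & FLAG_SYN and not p.flags & FLAG_ACK
            and SXP_PORT in (p.sport, p.dport)
            and (p.src, p.sport, p.dst, p.dport) not in synacks]


def summarize(packets):
    """Group unanswered SYNs per (from, to) direction with their MD5-option status."""
    summary = {}
    for r in unanswered_syns(packets):
        entry = summary.setdefault((r["from"], r["to"]), {"count": 0, "md5sig": r["md5sig"]})
        entry["count"] += 1
    return summary


ASA, ISE = "10.1.1.5", "10.2.2.43"   # addresses from the post; the traffic below is constructed

# Mirrors what Anders saw: 5 SYNs each way, password configured, nobody answers.
FAILING_CAPTURE = (
    [parse_tcp_header(ASA, ISE, build_syn(34567 + i, SXP_PORT, md5=True)) for i in range(5)]
    + [parse_tcp_header(ISE, ASA, build_syn(45678 + i, SXP_PORT, md5=True)) for i in range(5)]
)
# Password "None" on both sides: plain SYN, answered by a SYN-ACK.
WORKING_CAPTURE = [
    parse_tcp_header(ASA, ISE, build_syn(34567, SXP_PORT, md5=False)),
    parse_tcp_header(ISE, ASA, build_syn(SXP_PORT, 34567, md5=False, ack=True)),
]

if __name__ == "__main__":
    for name, cap in (("failing", FAILING_CAPTURE), ("working", WORKING_CAPTURE)):
        print(name, summarize(cap) or "all SYNs answered")
```

On a real capture, feed `parse_tcp_header` the IP addresses and the TCP segment bytes from each frame; a direction that shows unanswered SYNs with `md5sig` True on both peers points at the password or the path (a middlebox stripping or rewriting the option), while unanswered SYNs without the option point at plain reachability or the SXP service not listening.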