01-14-2026 05:54 AM
Hi there,
I'm having some trouble setting up PassiveID in a new ISE install.
ISE version 3.4 patch 4
I have 3 nodes, all of them have PassiveID enabled, and I can see the service running in the CLI with 'sh app stat ise'.
In the ISE passiveid-agent.log I see this continuously:
2026-01-14 13:28:33,941 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Agent DC04.domain.dk did not set DCs status during the last 5 minutes - marking it down.
2026-01-14 13:28:33,942 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Make sure agent is up and running.. Identity Mapping.probe = Agent , Identity Mapping.dc-host = DC04.domain.dk , Identity Mapping.server = ISEPAN-01 ,
2026-01-14 13:28:33,942 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Make sure agent is up and running.. Identity Mapping.probe = Agent , Identity Mapping.dc-host = DC04.domain.dk , Identity Mapping.server = ISEPSN-01 ,
2026-01-14 13:28:33,942 ERROR [Timer-0][[]] com.cisco.idc.agent-probe -:::::- Make sure agent is up and running.. Identity Mapping.probe = Agent , Identity Mapping.dc-host = DC04.domain.dk , Identity Mapping.server = ISEMON-01 ,
And on the DC, in the CiscoISEPICAgent log, I see this:
2026-01-14 13:31:29,652 ERROR - Rest Client, Error getting configuration from https://ISEPAN-01.domain.dk:9095 : The operation has timed out
2026-01-14 13:31:29,652 ERROR - Rest Client, Error getting configuration from https://ISEPSN-01.domain.dk:9095 : The operation has timed out
2026-01-14 13:31:29,652 ERROR - Rest Client, Error getting configuration from https://ISEMON-01.domain.dk:9095 : The operation has timed out
2026-01-14 13:31:30,672 ERROR - Configuration , Received empty config
The PIC service is running fine, also after a restart.
When I do a TCP dump from ISE, I see that ISE closes the incoming connection on port 9095 from the DC: (picture)
And doing a 'show ports' on the ISE CLI, it does not show any port 9095 anywhere.
Reloading the nodes does not help either.
Should I just go ahead and contact TAC? Or has anyone had similar problems?
01-26-2026 11:47 AM
Hi,
@Janne K. Did you figure it out? To me, it looks like, because it fails to get the config, the socket is not opened, thus you don't see port 9095 opened, although the service is running.
Looks like you're hitting the bug, see the proposed WA:
https://bst.cisco.com/bugsearch/bug/CSCvy83653?rfs=qvlogin
If not, I suggest upgrading to the latest patch; however, to avoid unnecessary bloat on the HDD and backups, and taking all this crap with you in following upgrades, first roll back all patches before applying only the latest patch:
Thanks,
Cristian.
01-26-2026 12:24 PM
@Janne K. Since the port is not listening, please verify in the GUI that a valid system certificate is assigned to the passive identity role. If the certificate is correct, try disabling and then re-enabling the Passive Identity service checkbox under the Deployment settings to force the service to reload.
01-26-2026 11:50 PM
After uninstalling patch 4 it started working as intended.
I tried with patch 3 instead, but that nukes the ISE application on the SNS-3855 (no problem on the 3815 though...), even on a fresh 3.4 install, and then I have to reimage the nodes.
I'm gonna get TAC involved.