Solved: Re: Post-Uploading New Certificate - System Scan Stops at 1%

Matthew Martin · ‎10-28-2020

Hello All,

We were in the planning phase of Upgrading ISE from 2.3 to 2.7 when our main Portal Certificate from DigiCert expired this past Monday. We got a new Cert from DigiCert Monday afternoon. The Cert is a wildcard Cert in which the CSR was generated from our proxy server I believe (*Manager did the CSR and DigiCert submission for the new Wildcard Cert). He then sent me the Private Key generated from the CSR request, as well as the 3 Certs received from DigiCert.

Files from DigiCert:

TrustedRoot.crt --> the serial number and valid/expiration dates from this Cert already matches a DigiCert certificate listed under the Trusted Certificates page.
DigiCertCA.crt --> same goes for this one with serial number and valid/expiration dates
star_domain_com.crt

What I did:

I went to ISE > Admin > Certificates > System Certificates > Import - I used the wildcard Cert (*star_domain_com.crt), along with the Private Key, and assigned it to the "Portals" usage, which is what the expired one was previously set to. This all uploaded fine.

After this, the next day, which I guess is when the Client PC's Posture reports expired on the ISE server, everyone's System Scan tab was getting stuck at 1% and would receive a pop-up saying: "Failed to get configuration from secure gateway. Contact your system administrator".

After clicking OK on the pop-up, the System Scan module on AnyConnect would show "Failed to launch downloader".

Since the new Cert was assigned to Portals, which includes the Posture Portal, I'm assuming the Cert has something to do with the issue..? Other than the certificate, I haven't made any other changes from when the issue began.

Any help would be greatly appreciated!

Thanks in Advance,

Matt

Matthew Martin · ‎10-29-2020

Hmmm.... I think this could be working again.

Is it possible this could have "sort of" fixed itself by doing the following...

On Monday, in order to get our client PC's back working again internally, I went into our Wired, Wireless and VPN policy sets and disabled the "Unknown" Policies for each of those. Then, I modified the "Compliant" Policy by removing the condition "Posture Status = Compliant". So the only real check happening was that the PC was a part of the AD/Domain. In essence allowing all the client PCs to connect to the network again, and sort of "check-in" with the ISE server for config updates.

To test, in the Wired Policy Set, I re-enabled the Unknown Policy and added an extra condition that the PC had to be a part of a specific AD group that only mine and my co-worker's PCs were a part of. Then, I duplicated the Complaint policy and added the same condition to check that the PC was in that specific AD Group.

I then deleted both of our PCs from the ISE Server's Context Visibility page, and we both did a Network Repair via AnyConnect.

After I did that, I could see both of our PCs in LiveLogs connect to ISE > go into the Unknown Auth Policy > then a few seconds later received the "Test_Wired_Compliant" Policy.

I also went into Reports > Posture Assessment by Endpoint, and I found a posture report from both of our PCs with the current Date and Time we did the test.

I'm going to test with a few more PCs to see if it really is working again.

-Matt

View solution in original post

Mike.Cifelli · ‎10-29-2020

A few questions that may aide in tshooting:

-Did your wildcard cert *star_domain_com.crt remain the same after replacing it?

-Can you share your Posture agent settings config (ISEPostureCFG.xml)?

-Have you gathered a DART bundle from one of the clients having an issue and attempted to work with TAC? The DART bundle will generate event viewer logs that may shed some light for you, along with some other items.

I have seen the "Failed to launch downloader" error, but my experience was when I was attempting to rely on ISE CPP to upgrade AC components for RAVPN users.

Matthew Martin · ‎10-29-2020

Hey Mike, thanks for the reply.

- In comparing the old Cert to the new one, the only things that appear different are the Valid/Expiration dates and the Serial Numbers.

- This file is attached. Had to use a ".txt" extension and also remove the "<?xml version....." line as well to get the file uploaded.

- I had opened the TAC case and asked for instructions on uploading the Cert. However, after uploading the new Cert, when the problems arissed they have not been responding (*except to say ask the ASA team) and I received a email from the Agent's manager saying 2.3 is no longer supported... We actually had plans on upgrading ISE to 2.7 this weekend, but not until this issue gets resolved.

Yea, I've seen the downloader thing in the past. And my thought was the error appeared because it couldn't reach ISE Posture Portal to check for configuration changes. But, that was just a guess.

Does the <PublicKey> section of the ISEPostureCFG.xml have anything to do with the Portal certificate?

Thanks Again,