Prime Infrastructure integration with ISE 2.0 issue

andrewswanson
Level 7

Hello

I recently upgraded an ISE 1.4 (patch3) distributed deployment to version 2.0.0.306 to fix a known bug. The upgrade was successful in fixing the bug but seems to have broken Prime Infrastructure integration.

After the ISE upgrade, Prime Infrastructure's ISE server (the ISE deployment's primary pan/mnt node) is listed as unreachable. PI version is 2.2.

When I try and make changes to PI's ISE server I get the error:

Identity Services Engine update failed : Some unexpected internal error has occurred. If the problem persists please report to the Tech Support

I tried integrating PI 3.0 with the upgraded ISE but when I try and add the ISE 2.0 server I get the error:

Error(s): You must correct the following error(s) before proceeding:

Error: The connection to Identity Services Engine with IP Address <ISE_IP> has timed out. Please check the network connectivity and the user account status on the Identity Services Engine

A TCP dump on ISE for both PI 2.2 and 3.0 shows a TLS 1.2 Handshake Failure (40). I found a similar issue in the following thread:

https://supportforums.cisco.com/discussion/12615841/cisco-prime-infrastructure-and-ise-integration

I don't have access to view the bug CSCur43834 - can anyone tell me if this affects my environment of ISE 2.0.0.306 and PI 2.2.0/3.0

Thanks
Andy

PS: ISE uses 3rd party certificates for EAP/GUI and they work fine - root/intermediate are listed in ISE as trusted

andrewswanson
Level 7

Tested this with latest versions of PI (3.01 and 2.2.3) and saw the same issue. PI sends a client hello with TLS version 1.0 and ISE 2.0 responds with handshake failure with TLS version 1.2.

Contacted TAC - PI isn't currently compatible with ISE 2.0 for integration.

Cheers

Andy
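Added example, not part of the original thread or any Cisco tooling: a small Python parser that reads the raw TLS records from each direction of a capture and reports the version the client offered next to the server's alert, which is the comparison described in the post above. All function and variable names are hypothetical, and the sample bytes are constructed rather than taken from the poster's capture.

```python
import struct

# Code points from the TLS RFCs; function and variable names are hypothetical.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}

def parse_records(stream: bytes) -> list:
    """Summarise each plaintext TLS record in one direction of a TCP stream."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, rec_ver, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        info = {"kind": f"content_type_{ctype}",
                "record_version": VERSIONS.get(rec_ver, hex(rec_ver))}
        if ctype == 22 and len(body) >= 6 and body[0] == 1:
            # Handshake/ClientHello: type(1) + length(3) + client_version(2).
            # The record-layer version can be lower than client_version, so
            # read the version the client actually offers from the hello.
            (offered,) = struct.unpack_from("!H", body, 4)
            info.update(kind="client_hello", offered=VERSIONS.get(offered, hex(offered)))
        elif ctype == 21 and length == 2:
            # Unencrypted alert: level(1) + description(1).
            info.update(kind="alert", level="fatal" if body[0] == 2 else "warning",
                        description=ALERTS.get(body[1], str(body[1])))
        records.append(info)
        pos += 5 + length
    return records

def diagnose(client: bytes, server: bytes) -> str:
    """Pair the client's offer with the server's fatal alert, if both exist."""
    hello = next((r for r in parse_records(client) if r["kind"] == "client_hello"), None)
    alert = next((r for r in parse_records(server) if r["kind"] == "alert"), None)
    if hello and alert and alert["level"] == "fatal":
        return (f"client offered {hello['offered']}; server sent fatal "
                f"{alert['description']} in a {alert['record_version']} record")
    return "no ClientHello / fatal alert pair found"

# Constructed sample bytes (not taken from the thread's capture).
_hello = bytes.fromhex("0301") + bytes(32) + b"\x00" + bytes.fromhex("0002002f") + b"\x01\x00"
_hs = b"\x01" + len(_hello).to_bytes(3, "big") + _hello
CLIENT_FLIGHT = b"\x16\x03\x01" + len(_hs).to_bytes(2, "big") + _hs
SERVER_FLIGHT = bytes.fromhex("15 03 03 00 02 02 28")

if __name__ == "__main__":
    print(diagnose(CLIENT_FLIGHT, SERVER_FLIGHT))
```

To use it on a real capture, feed it the reassembled TCP payload of each direction (for example, exported from a packet analyser as raw bytes).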

Still not supported. Cisco software is getting worse and worse. Tried to upgrade a Cisco 3850 stack with PI to Denali and ended in a boot loop.

Prime/Ise/Denali feel like a beta test @the customer...

Don't bother with installing Prime 3.1, ISE 2.0 integration does not work with Prime 3.1 either:

Just upgraded Prime to 3.1.0.0.132 (via upgrade bundle),  

Version information of installed applications
---------------------------------------------

Cisco Prime Infrastructure
********************************************************
Version : 3.1.0
Build : 3.1.0.0.132

still not able to connect to ISE 2.0:

Cisco Identity Services Engine
---------------------------------------------
Version : 2.0.1.130
Build Date : Thu Mar 3 02:38:48 2016

same error message as before: "Some unexpected internal error has occurred. ....."

Rgs

Frank

Oops !!!

Seems that I was wrong with the last post, the user-id that is used by Prime to connect to ISE was disabled on ISE.... !!!!

Adding ISE monitoring nodes to Prime works now, nevertheless, the error message is quite confusing !!!

Hello Frank ,

Could you please elaborate how to enable the user-id on ISE and which user-id the PI was using to try to connect to ISE? Is it the "web_root" user-id?

Hi,

The userid which is used by PI to connect to ISE has to be configured on ISE as an "Admin User" account (Administration/Admin Access/Admin Users).

This would be a GUI Admin account, not a CLI admin ......!!!

In my case I have given this user a recognizable name (CPItoISE), gave a password to it, enabled it ("Change Status") and granted "Super Admin" role to it.

I don't know, if this would also work with a role with lesser rights (haven't checked that out yet, still a test deployment ....).

Rgs

Frank

Worked for me, thanks

Ciao Andrew,

do you have BugID? Cannot associate ISE (2.0 patch 2) on PI (2.2).

thanks

Marco

Hi Marco. I didn't get a BugID from TAC. I was told this would be fixed early 2016 in PI 3 (no mention of this being fixed with PI 2.X). Other posters indicate this will be fixed in the yet unreleased PI 3.1

hth

Andy

cisco_tac_cr
Level 1

I'm using ISE 2.0.306 with PI3 P1 and have the same issue. Any news from BU?

I spoke with the TAC on this issue just yesterday.

The issue is indeed arising from a TLS handshake error. I grabbed a packet capture from my lab system and see it as well. The TAC engineer confirmed this is the root cause.

BugID CSCur43834, while similar, is confirmed NOT to be the one affecting ISE 2.0. There is a new bugID (not published publicly yet) that covers this particular issue. I didn't get the ID from the TAC engineer.

The TAC engineer told me that BU that owns Prime Infrastructure has slated PI 3.1 to include a fix for this behavior. The projected release date is February 2016.

Good afternoon.
Is there any news? Same problem...

Just installed the newest update - Prime 3.0.3 released 15MAR2016 and the issue is still not resolved.

The BU had relayed in the past that the Fix for this issue would be out by the end of February and that Prime 3.1 would be released by the end of the First quarter. Needless to say this was also back in January so the timelines could have changed.