I recently upgraded an ISE 1.4 (patch3) distributed deployment to version 22.214.171.1246 to fix a known bug. The upgrade was successful in fixing the bug but seems to have broken Prime Infrastructure integration.
After the ISE upgrade, Prime Infrastructure's ISE server (the ISE deployment's primary PAN/MnT node) is listed as unreachable. PI version is 2.2.
When I try and make changes to PI's ISE server I get the error:
Identity Services Engine update failed : Some unexpected internal error has occurred. If the problem persists please report to the Tech Support
I tried integrating PI 3.0 with the upgraded ISE but when I try and add the ISE 2.0 server I get the error:
Error(s): You must correct the following error(s) before proceeding:
Error: The connection to Identity Services Engine with IP Address <ISE_IP> has timed out. Please check the network connectivity and the user account status on the Identity Services Engine
A TCP dump on ISE for both PI 2.2 and 3.0 shows a TLS 1.2 Handshake Failure (40). I found a similar issue in the following thread:
I don't have access to view the bug CSCur43834 - can anyone tell me if this affects my environment of ISE 126.96.36.1996 and PI 2.2.0/3.0
P.S. ISE uses 3rd party certificates for EAP/GUI and they work fine - root/intermediate are listed in ISE as trusted
Tested this with latest versions of PI (3.01 and 2.2.3) and saw the same issue. PI sends a client hello with TLS version 1.0 and ISE 2.0 responds with handshake failure with TLS version 1.2.
Contacted TAC - PI isn't currently compatible with ISE 2.0 for integration.
Still not supported. Cisco software is getting worse and worse. Tried to upgrade a Cisco 3850 stack with PI to Denali and ended in a boot loop.
Prime/ISE/Denali feel like a beta test @the customer...
Don't bother with installing Prime 3.1, ISE 2.0 integration does not work with Prime 3.1 either:
Just upgraded Prime to 188.8.131.52.132 (via upgrade bundle),
Version information of installed applications
Cisco Prime Infrastructure
Version : 3.1.0
Build : 184.108.40.206.132
still not able to connect to ISE 2.0:
Cisco Identity Services Engine
Version : 220.127.116.11
Build Date : Thu Mar 3 02:38:48 2016
same error message as before: "Some unexpected internal error has occured. ....."
Seems that I was wrong with the last post, the user-id that is used by Prime to connect to ISE was disabled on ISE.... !!!!
Adding ISE monitoring nodes to Prime works now, nevertheless, the error message is quite confusing !!!
Hello Frank ,
Could you please elaborate how to enable the user-id on ISE and which user-id the PI was using to try to connect to ISE? Is it the "web_root" user-id?
The userid which is used by PI to connect to ISE has to be configured on ISE as an "Admin User" account (Administration/Admin Access/Admin Users).
This would be a GUI Admin account, not a CLI admin ......!!!
In my case I have given this user a recognizable name (CPItoISE), gave a password to it, enabled it ("Change Status") and granted "Super Admin" role to it.
I don't know, if this would also work with a role with lesser rights (haven't checked that out yet, still a test deployment ....).
Hi Marco. I didn't get a BugID from TAC. I was told this would be fixed early 2016 in PI 3 (no mention of this being fixed with PI 2.X). Other posters indicate this will be fixed in the yet unreleased PI 3.1
I spoke with the TAC on this issue just yesterday.
The issue is indeed arising from a TLS handshake error. I grabbed a packet capture from my lab system and see it as well. The TAC engineer confirmed this is the root cause.
BugID CSCur43834, while similar, is confirmed NOT to be the one affecting ISE 2.0. There is a new bugID (not published publicly yet) that covers this particular issue. I didn't get the ID from the TAC engineer.
The TAC engineer told me that BU that owns Prime Infrastructure has slated PI 3.1 to include a fix for this behavior. The projected release date is February 2016.
Just installed the newest update - Prime 3.0.3 released 15MAR2016 and the issue is still not resolved.
The BU had relayed in the past that the Fix for this issue would be out by the end of February and that Prime 3.1 would be released by the end of the First quarter. Needless to say this was also back in January so the timelines could have changed.