Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7612
Views
45
Helpful
17
Replies

Prime Infrastructure integration with ISE 2.0 issue

andrewswanson
Level 7
Level 7

‎11-05-2015 02:31 AM - edited ‎03-10-2019 11:12 PM

Hello

I recently upgraded an ISE 1.4 (patch3) distributed deployment to version 2.0.0.306 to fix a known bug. The upgrade was successful in fixing the bug but seems to have broke Prime Infrastructure integration.

After the ISE upgrade, Prime Infrstructure's ISE server (the ISE deployment's primary pan/mnt node) is listed as unreachable.PI version is 2.2.

When I try and make changes to PI's ISE server I get the error:

Identity Services Engine update failed : Some unexpected internal error has occurred. If the problem persists please report to the Tech Support

I tried integrating PI 3.0 with the upgraded ISE but when I try and add the ISE 2.0 server I get the error:

Error(s): You must correct the following error(s) before proceeding:

Error: The connection to Identity Services Engine with IP Address <ISE_IP> has timed out. Please check the network connectivity and the user account status on the Identity Services Engine

A TCP dump on ISE for both PI 2.2 and 3.0 show a TLS 1.2 Handshake Failure (40). I found a similar issue in the following thread:

https://supportforums.cisco.com/discussion/12615841/cisco-prime-infrastructure-and-ise-integration

I don't have access to view the bug CSCur43834 - can anyone tell me if this affects my environment of ISE 2.0.0.306 and PI 2.2.0/3.0

Thanks
Andy

ps ISE uses 3rd party certificates for EAP/GUi and work fine - root/intermediate are listed in ISE as trusted

10 people had this problem
Labels:
0 Helpful
17 Replies 17

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Cory Peterson

‎03-20-2016 07:38 AM

According to presentations given during Cisco Live Berlin, Prime 3.1 is due out this month.

See BRKNMS-2701, slide 199:

Prime Infrastructure 3.1 Highlights
Available March 2016

NEW SWIM Workflow– support for external 3rd party S/FTP servers for distributed distribution
Enhanced Config baseline Compliance –
Support for AirOS and the ability to e-mail reports/job results
Global Variable across all templates– Define configuration variables and use them across any/all templates
Global Search from Web Search Bar– search configs, clients, devices etc. e.g. search for serial numbers within search bar, search for every config that has "no aaa new-model"

Toivo Voll
Level 1
Level 1
In response to Marvin Rhoads

‎03-21-2016 06:02 AM

On an unrelated note, the ability to search configs is a nice step in the right direction.

0 Helpful

Craig Le-Butt
Level 1
Level 1
In response to Marvin Rhoads

‎04-02-2016 12:37 PM

Hi

No Prime 3.1 yet. I asked our Cisco SE contact the other week when it is due, he said heard end of March, just watched the ciscolive presentation, now says April.

cheers

0 Helpful
Customers Also Viewed These Support Documents