11-05-2015 02:31 AM - edited 03-10-2019 11:12 PM
Hello
I recently upgraded an ISE 1.4 (patch3) distributed deployment to version 2.0.0.306 to fix a known bug. The upgrade was successful in fixing the bug but seems to have broken Prime Infrastructure integration.
After the ISE upgrade, Prime Infrastructure's ISE server (the ISE deployment's primary pan/mnt node) is listed as unreachable. PI version is 2.2.
When I try and make changes to PI's ISE server I get the error:
Identity Services Engine update failed : Some unexpected internal error has occurred. If the problem persists please report to the Tech Support
I tried integrating PI 3.0 with the upgraded ISE but when I try and add the ISE 2.0 server I get the error:
Error(s): You must correct the following error(s) before proceeding:
Error: The connection to Identity Services Engine with IP Address <ISE_IP> has timed out. Please check the network connectivity and the user account status on the Identity Services Engine
A TCP dump on ISE for both PI 2.2 and 3.0 shows a TLS 1.2 Handshake Failure (40). I found a similar issue in the following thread:
https://supportforums.cisco.com/discussion/12615841/cisco-prime-infrastructure-and-ise-integration
I don't have access to view the bug CSCur43834 - can anyone tell me if this affects my environment of ISE 2.0.0.306 and PI 2.2.0/3.0?
Thanks
Andy
P.S. ISE uses 3rd party certificates for EAP/GUI and they work fine - root/intermediate are listed in ISE as trusted
03-20-2016 07:38 AM
According to presentations given during Cisco Live Berlin, Prime 3.1 is due out this month.
See BRKNMS-2701, slide 199:
Prime Infrastructure 3.1 Highlights
Available March 2016
NEW SWIM Workflow – support for external 3rd party S/FTP servers for distributed distribution
Enhanced Config baseline Compliance – Support for AirOS and the ability to e-mail reports/job results
Global Variable across all templates – Define configuration variables and use them across any/all templates
Global Search from Web Search Bar – search configs, clients, devices etc. e.g. search for serial numbers within search bar, search for every config that has "no aaa new-model"
03-21-2016 06:02 AM
On an unrelated note, the ability to search configs is a nice step in the right direction.
04-02-2016 12:37 PM
Hi
No Prime 3.1 yet. I asked our Cisco SE contact the other week when it is due; he said he heard end of March, just watched the Cisco Live presentation, now says April.
cheers