
pxgrid error from ISE-PIC 2.6.0.156 to FMC 6.3.0.2

Adam6225
Level 1

Hi,

Looking for assistance connecting pxgrid from ISE-PIC to FMC.

I followed this video closely http://www.labminutes.com/sec0285_ise_22_passiveid_pxgrid_1

But when I go to test connection from the FMC it throws up an error -

bulk download iter next failed XML errorNo error
Sending SSL alert:close notify
Failed to validate bulk download.

Anyone got any ideas? I have tried reissuing the certs from ISE. Still no success.

Thanks

8 Replies

Surendra
Cisco Employee

Is the MnT node the same as the pxGrid node? If not, please import the MnT node certificate's CA certificate to FMC as well. It is recommended to get both the pxGrid and MnT nodes' certificates signed by the same CA to avoid any issues on the FMC.

Thanks for your reply....

I don't have a separate MnT node.

In the guide I followed it just used the same root cert from the ISE-PIC server for both pxgrid server CA & MNT server CA.

I'm presuming this is supported on the ISE-PIC rather than just ISE. Not sure if it is enabled on ISE-PIC.

By default, the Admin certificate for a node is a self-signed certificate and it does not come from the internal ISE CA server. However, your pxGrid node on the other hand comes from the internal CA server. If you can share the screenshots of the page Administration > System > Certificates > Certificate Management > System certificates, this will give us a fair idea.

Please see screenshot attached. Thanks Surendra

As you can see, the CA of the pxGrid certificate is not the same as the CA for the admin certificate. Bulk download is an API sent to the MnT node and it presents the admin certificate during the same. This will not be trusted by the FMC unless you import this self-signed certificate to the Trusted certificates on the FMC. The best way to go about this is to get these certificates for both pxGrid and the ISE server certificate used for Admin usage signed by a single CA, be it internal or external.
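
An offline reproduction of the trust mismatch described in the reply above, added here as an example and not part of the original thread or any Cisco tooling. It uses `openssl verify` as a stand-in for the FMC's trust check; the CA name, hostnames and file names are constructed, and on a real deployment the inputs would be the certificates exported from ISE and the CA bundle imported on the FMC.

```shell
# Added example. All subjects, hostnames and files below are constructed.

# trusted_by BUNDLE CERT: succeeds if CERT chains to a CA in BUNDLE.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# same_issuer CERT_A CERT_B: succeeds if both carry the same issuer DN.
same_issuer() {
    [ "$(openssl x509 -in "$1" -noout -issuer)" = \
      "$(openssl x509 -in "$2" -noout -issuer)" ]
}

# build_lab DIR: constructed PKI shaped like the thread's setup: a pxGrid
# certificate issued by an internal CA and a self-signed admin certificate.
build_lab() {
    _d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Internal CA" \
        -keyout "$_d/ca.key" -out "$_d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=pxgrid.example.test" \
        -keyout "$_d/pxgrid.key" -out "$_d/pxgrid.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$_d/pxgrid.csr" -days 1 \
        -CA "$_d/ca.pem" -CAkey "$_d/ca.key" -CAcreateserial \
        -out "$_d/pxgrid.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=admin.example.test" \
        -keyout "$_d/admin.key" -out "$_d/admin.pem" 2>/dev/null
}

# report BUNDLE CERT...: one verdict line per certificate.
report() {
    _bundle=$1; shift
    for _c in "$@"; do
        if trusted_by "$_bundle" "$_c"; then echo "TRUSTED    $_c"
        else echo "UNTRUSTED  $_c"; fi
    done
}

# Run with --demo to build the constructed lab and print both verdicts.
if [ "${1:-}" = "--demo" ]; then
    lab=$(mktemp -d) && build_lab "$lab" &&
        report "$lab/ca.pem" "$lab/pxgrid.pem" "$lab/admin.pem"
fi
```

With only the internal CA in the bundle the pxGrid certificate verifies and the admin certificate does not; adding the self-signed admin certificate to the bundle, or reissuing both from one CA, makes both verify.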

I went ahead and changed the admin & pxgrid certs. I signed them with my Windows domain CA. I uploaded all of the root CA certs to both ISE & FMC. I also created a new FMC pxgrid cert signed by the same CA.

It seems like after all of this I have the exact same error message -

Failed to validate bulk download.

Do you have any other thoughts you can share on how to fix?

Hello,
Could you share how you solved the task?

Hey,

It's been a while, but I think that I applied a patch or service pack or something similar.

As soon as I did that the problem went away.

Thanks
