06-13-2022 01:39 PM
I have a pair of ISE 3.1 patch-3 running as:
node1: Primary Admin; Primary MNT; PSN
node2: Secondary Admin; Secondary MNT; PSN
Everything was working fine until, as part of a security audit, the security team used Qualys to scan these ISE devices. During the scan, I got the following messages:
Queue Link Error: Message=From node2 To node1; Cause={tls_alert;{unknown_ca;"tls Client: In State Certify At Ssl_handshake.erl:1887 Generated Client Alert: Fatal - Unknown Ca\n"}
Queue Link Error: Message=From node1 To node2; Cause={tls_alert;{unknown_ca;"tls Client: In State Certify At Ssl_handshake.erl:1887 Generated Client Alert: Fatal - Unknown Ca\n"}
During the Qualys scan, both the RADIUS and TACACS logs came up empty, and the system was very slow to respond.
Is that expected? I thought SNS-3615 should be able to handle Qualys scan. Thoughts?
06-15-2022 08:16 AM
This has nothing to do with the Qualys scan. This is the ISE messaging certificate. You need to re-generate the ISE root CA and then re-generate the ISE messaging service certificate for all nodes.
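The "unknown_ca" alert in the posted log lines is the receiving node's TLS client refusing a peer certificate whose issuer it does not trust. The script below, added here as an illustration and not part of the thread or of any Cisco tooling, reproduces that condition offline with openssl: one self-signed root stands in for the ISE internal root CA that issued the messaging certificate, a second self-signed root stands in for a regenerated root CA, and a leaf certificate stands in for a node's messaging service certificate. Every file name and subject in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): show why a peer reports "unknown_ca".
# A leaf certificate validates only against the CA that issued it; if one
# side trusts a different (e.g. regenerated) root, chain building fails.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA at path prefix $1 with subject CN=$2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue a leaf certificate (CN=$3) at path prefix $2, signed by the CA at $1.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# Validate leaf $2 against a trust store containing only CA $1.
# Prints OK or FAIL; always returns 0 so callers can capture the word.
verify_against() {
    if openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Build the scenario and report both checks as "<old-CA result> <new-CA result>".
# Constructed names: ise-root-old, ise-root-new, node1.example.test.
demo_unknown_ca() {
    make_ca "$WORK/ca-old" "ise-root-old"
    make_ca "$WORK/ca-new" "ise-root-new"
    issue_leaf "$WORK/ca-old" "$WORK/messaging" "node1.example.test"
    old=$(verify_against "$WORK/ca-old" "$WORK/messaging")
    new=$(verify_against "$WORK/ca-new" "$WORK/messaging")
    echo "$old $new"
}

printf 'leaf vs issuing CA / leaf vs regenerated CA: %s\n' "$(demo_unknown_ca)"
```

The second check is the state a cluster is in when one node's trust store holds a root CA that did not issue the peer's messaging certificate; reissuing the messaging certificates from the root every node trusts is what makes the first check apply on both sides again.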
06-16-2022 06:52 AM
I resolved the issue by blocking Qualys from scanning this ISE and haven't seen this issue for the past few days.
06-16-2022 11:50 PM
Hi @adamscottmaster2013 ,
interesting ... could you please double check your Qualys configuration via the ThreatCentric NAC with Qualys and ISE?
Regards
06-16-2022 09:35 AM
- FYI : https://community.cisco.com/t5/security-documents/ise-queue-link-error/ta-p/4625179
M.
06-17-2022 08:08 AM
@marce1000: As I've said before, I blocked Qualys from scanning the ISE appliances and have not seen the queue-link error since.