cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1409
Views
3
Helpful
8
Replies

"Application Server" service craches when enable "Allow SHA1 Chiper"

Hi all;

I am using ISE 3.1 Patch 5 in my production environment. For some reasons I want to enable "Allow SHA1 Ciphers" option. When I do that, the "Application Server" services caches and then restart automatically. I have seen this behavior in every ISE 3.1 installation...

Any ideas?

Thanks

2 Accepted Solutions

Accepted Solutions

Mark Elsen
Hall of Fame
Hall of Fame

 

  - This could be considered normal behavior because the application services need to adjust according to the new setting(s) , meaning it should then be a one time event only related to changing the allowed ciphers (?)

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

View solution in original post

Greg Gibbs
Cisco Employee
Cisco Employee

I have not seen this issue and I've enabled the 'Allow SHA1 ciphers' option on both my lab and a customer ISE 3.1 deployment. The app server restarted fine on both.

When I change the setting, the GUI prompts with the following message so I'm not sure why didn't get any warning.

If you continue to see this issue and can replicate it easily, I would suggest opening a TAC case to investigate.
"Changing SHA1 cipher settings will cause the ISE application server to restart on all deployment ISE machines, are you sure you want to proceed?"

View solution in original post

8 Replies 8

Mark Elsen
Hall of Fame
Hall of Fame

 

  - This could be considered normal behavior because the application services need to adjust according to the new setting(s) , meaning it should then be a one time event only related to changing the allowed ciphers (?)

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Thanks for your reply...

After I enable the "Allow SHA1 Ciphers" option and then save the configuration, the "Application Server" service goes down without any message to warn me. After some time that the service goes up, we can confirm that the configuration changes has not applied. Now, make the change again, the "Application Server" service goes down for the second time, but this time the changes applies successfully!

 

 

            - How do you assert  that it does not work on first attempt ?

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Because the check box beside the "Allow SHA1 Ciphers" option not selected, although I selected it on the first place.

 

  - Make sure you are not suffering from browser caching effects and or verify initial attempt (setting) with another browser , for instance, 

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Thanks for your reply...

I have checked this situation from 4 ISE deployments with various browsers, with exactly same result.

 

          - Possibly a bug , upgrade to latest available patch release for ISE 3.1 , if it does not help raise a TAC case , 

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Greg Gibbs
Cisco Employee
Cisco Employee

I have not seen this issue and I've enabled the 'Allow SHA1 ciphers' option on both my lab and a customer ISE 3.1 deployment. The app server restarted fine on both.

When I change the setting, the GUI prompts with the following message so I'm not sure why didn't get any warning.

If you continue to see this issue and can replicate it easily, I would suggest opening a TAC case to investigate.
"Changing SHA1 cipher settings will cause the ISE application server to restart on all deployment ISE machines, are you sure you want to proceed?"