Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1385
Views
1
Helpful
9
Replies

Stealthwatch Quarantine request failed to send to ISE

phuhd2
Level 1
Level 1

‎04-27-2018 12:52 AM

I'm deploying Cisco ISE 2.3.0 and Stealthwatch 6.9. My ISE and Stealthwatch are connected  via pxGrid. I can't find configuration guide for integrating Stealthwatch 6.9 and ISE 2.3. So that I followed of the " Deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGrid)" and used the External CA Server.

ISE and Stealthwatch are connected, but I can't do Quanrantine request.

Quarantine request failed to send to ISE: "Mitigation request was not sent because no active users were present on this host, or the active users came from an ISE installation not configured to this SMC"

How do I tshoot this Error?


2.jpg

3.jpg

4.jpg

1 person had this problem
0 Helpful
9 Replies 9

nir-r
Level 4
Level 4

‎04-28-2018 03:25 AM

I have the same issue with Stealthwatch implementation 6.9 & 6.10

No users appear on SMC and for this reason quarantine doesn't work.

According to TAC there is a bug that should be solved with upcoming 6.9/6.10 updates (6.9.5, 6.10.3)

0 Helpful

phuhd2
Level 1
Level 1
In response to nir-r

‎05-01-2018 09:03 PM

Hi nir-r,

Could you please show me the Bug link about that to me get more detail?

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎05-04-2018 10:59 PM

Please ensure you are following the "Testing" section (page 44 and on) of

Deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGri…

First of all, the endpoint needs authenticated to ISE successfully with an active session. Then, verify the StealthWatch receives the info and shows the entry's end time as current.

0 Helpful

phuhd2
Level 1
Level 1
In response to hslai

‎05-06-2018 07:53 PM

I didn't see any documents for Cisco ISE 2.3, so I followed "Deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGrid)".

The endpoint was authenticated to ISE successfully and on  client's status also "active" as the third picture above.

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to phuhd2

‎05-06-2018 08:00 PM

Page 45 of Deploying Cisco Stealthwatch 6.9 with Cisco Identity Services Engine (ISE) 2.2 using Cisco Platform Exchange Grid (pxGri… shows a "current" session. I am suspecting that yours have nothing current.

Try logging in as a different user.

Screen Shot 2018-05-06 at 7.57.39 PM.png

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to phuhd2

‎05-06-2018 08:01 PM

Additionally, please ensure you have the latest patches installed on the StealthWatch 6.9.

0 Helpful

phuhd2
Level 1
Level 1
In response to hslai

‎05-06-2018 08:17 PM

I'm using Stealthwatch 6.9.2. I have just checked the latest patches and seen that Cisco stopped release 6.9 version. Now, only 6.10.2.

Capture.PNG

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to phuhd2

‎05-06-2018 08:58 PM

6.10.2 should work.

6.9.x appears available @ "Flexera/Download & License Center" and under "Archive Versions".

Back in March 2018, StealthWatch team advised me to use 6.9.3 or 6.10.1.

Screen Shot 2018-05-06 at 9.01.52 PM.png

phuhd2
Level 1
Level 1
In response to hslai

‎05-07-2018 12:32 AM

Thanks hslai, let me update the latest patches on version 6.9 and try again.

0 Helpful
Customers Also Viewed These Support Documents