
07-23-2019 01:58 AM
Hello,
I have a problem with setting up an SXP session between Catalyst switches and the ISE secondary node.
All switches have an SXP session to the ISE primary (172.29.134.140) node set up.
None of these switches has an SXP session to the ISE secondary (10.102.196.1) node set up.
SXP service is running on both ISE nodes.
ISE01/admin# sh app st ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2494
Database Server                        running          131 PROCESSES
Application Server                     running          10564
Profiler Database                      running          4875
ISE Indexing Engine                    running          16349
AD Connector                           running          19611
M&T Session Database                   running          4513
M&T Log Collector                      running          10317
M&T Log Processor                      running          10222
Certificate Authority Service          running          15740
EST Service                            running          16228
SXP Engine Service                     running          16767
Docker Daemon                          running          6155
TC-NAC Service                         disabled
Wifi Setup Helper Container            disabled
pxGrid Infrastructure Service          running          11578
pxGrid Publisher Subscriber Service    running          11780
pxGrid Connection Manager              running          11723
pxGrid Controller                      running          11818
PassiveID WMI Service                  running          10426
PassiveID Syslog Service               running          17584
PassiveID API Service                  running          18284
PassiveID Agent Service                running          18697
PassiveID Endpoint Service             running          19106
PassiveID SPAN Service                 running          19446
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE RabbitMQ Container                 running          7118

ISE02/admin# sh app st ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2643
Database Server                        running          108 PROCESSES
Application Server                     running          3672
Profiler Database                      running          5892
ISE Indexing Engine                    running          5325
AD Connector                           running          20535
M&T Session Database                   running          5701
M&T Log Collector                      running          11865
M&T Log Processor                      running          11712
Certificate Authority Service          running          19600
EST Service                            running          20090
SXP Engine Service                     running          20390
Docker Daemon                          running          6833
TC-NAC Service                         disabled
Wifi Setup Helper Container            disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE RabbitMQ Container                 running          7178
I assume ISE is configured properly because the SXP session to the primary node is working. Both nodes are added to the TrustSec AAA servers in the ISE configuration.
I can see the following debugs for both sessions.
Jul 23 07:46:25.982: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_retry_open_timer
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
Jul 23 07:46:25.982: CTS-SXP-CONN:retry conn setup; conn index = 1
Jul 23 07:46:25.982: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
Jul 23 07:46:25.982: CTS-SXP-CONN:conn_cleanup <-1>
Jul 23 07:46:25.982: sxp_calc_src_ip cfg src: 10.97.50.1, def src: 0.0.0.0 calc src: 10.97.50.1 vrf:, tableid:0x0
Jul 23 07:46:25.982: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.97.50.1
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.97.50.1
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:get_conn_passwd_info <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:sxp_socket_upd_md5_option clear tcp MD5 option, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 11, Resource temporarily unavailable, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket_connect in progress, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:sxp_send_open_message send sxp open, curr version 4, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-MSG:trp_send_msg <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-MSG:trp_socket_write fd<1>, cdbp->ph_sock_pending<1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_retry_open_timer retry timer started
Jul 23 07:46:25.982: CTS-SXP-CONN:Received invalid DIRECT_EVENT
Jul 23 07:46:42.092: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: adminlng] [Source: 10.102.197.17] [localport: 22] at 09:46:42 GMT Tue Jul 23 2019
Jul 23 07:46:55.982: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:46:55.982: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:SXP SCM: fd = 1, cdbp->listen_fd = -1, ci = 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:SXP SCM: fd = 1, cdbp->listen_fd = -1, ci = 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:trp_process_read_sock <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:trp_process_read_sock socket_recv result:-1 errno:257; <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:trp_socket_read <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-ERR:SXP TRP: socket_recv failed; fd = 1, errno = 257
Jul 23 07:46:55.982: CTS-SXP-CONN:scm_send_msg <TRP_TCP_CLOSE, 1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:ph_tcp_close <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:SXP SCM: sh_terminate_conn fd = 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:conn_cleanup <1>
Jul 23 07:46:55.982: %CTS-3-SXP_CONN_STATE_CHG_OFF: Connection <10.102.196.1, 10.97.50.1>-1 state changed from Pending_On to Off.
Jul 23 07:46:55.982: CTS-SXP-CONN:free_conn_buffers, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:imu_sxp_conn_del <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 172.29.134.140, ip2 10.102.196.1 conn mode1 2, conn_mode2 2
Jul 23 07:46:55.982: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.102.196.1, ip2 10.102.196.1 conn mode1 2, conn_mode2 2
Jul 23 07:47:03.732: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:47:03.732: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-MSG:trp_process_read_sock <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-MSG:trp_socket_read <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:47:03.732: CTS-SXP-MSG:sxp_handle_rx_msg_v2 <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
Jul 23 07:47:03.732: CTS-SXP-MSG:trp_socket_read readlen = 8; errno = 257, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:47:43.732: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-MSG:trp_process_read_sock <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-MSG:trp_socket_read <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:47:43.732: CTS-SXP-MSG:sxp_handle_rx_msg_v2 <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
Jul 23 07:47:43.732: CTS-SXP-MSG:trp_socket_read readlen = 8; errno = 257, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.732: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:48:23.733: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-MSG:trp_process_read_sock <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-MSG:trp_socket_read <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:48:23.733: CTS-SXP-MSG:sxp_handle_rx_msg_v2 <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
Jul 23 07:48:23.733: CTS-SXP-MSG:trp_socket_read readlen = 8; errno = 257, <172.29.134.140, 10.97.50.1>
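The debug output above contains the whole story for both peers: towards 172.29.134.140 the switch receives SXP messages and starts the hold timer, while towards 10.102.196.1 it sends an OPEN, sits in "socket_connect in progress" for 30 seconds, then gets socket_recv errno 257 and the connection drops from Pending_On to Off, so the TCP session on the SXP port (TCP 64999) never completed. The following Python script is an added example, not code from the thread or from Cisco: it parses lines of this debug format, groups them per peer (mapping the file descriptor in lines such as "socket_recv failed; fd = 1" back to the peer address), and reports whether each SXP peer came up or failed at the TCP layer, separating a silently dropped SYN from an immediate tear-down. The 5-second threshold used for that separation is an assumption; the sample lines are a shortened excerpt of the post's own debug output.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Shortened excerpt of the "debug cts sxp" lines from the post above.
SAMPLE_DEBUG = """\
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket_connect in progress, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:sxp_send_open_message send sxp open, curr version 4, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-ERR:SXP TRP: socket_recv failed; fd = 1, errno = 257
Jul 23 07:46:55.982: %CTS-3-SXP_CONN_STATE_CHG_OFF: Connection <10.102.196.1, 10.97.50.1>-1 state changed from Pending_On to Off.
Jul 23 07:47:03.732: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:47:03.732: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+):")
PAIR_RE = re.compile(r"<(\d+\.\d+\.\d+\.\d+), (\d+\.\d+\.\d+\.\d+)>")  # <peer, source>
FD_RE = re.compile(r"\bfd\s*[:=<]?\s*(-?\d+)")  # "fd: 1", "fd = 1", "fd<1>", "fd:1;"
RCVD_RE = re.compile(r"RCVD peer (\d+\.\d+\.\d+\.\d+)")
HOLD_RE = re.compile(r"hold timer (\d+\.\d+\.\d+\.\d+)")
OFF_RE = re.compile(r"state changed from (\w+) to Off")
ERRNO_RE = re.compile(r"errno = (\d+)")

# Assumption: a SYN that is dropped on the path surfaces as a timeout seconds
# later, while an RST from the peer or a firewall fails almost immediately.
CONNECT_TIMEOUT_HINT_SECONDS = 5.0


@dataclass
class PeerState:
    connect_started: Optional[datetime] = None
    open_sent: bool = False
    recv_failed_at: Optional[datetime] = None
    recv_errno: Optional[int] = None
    messages_received: int = 0
    hold_timer_started: bool = False
    last_state_before_off: Optional[str] = None


def _parse_ts(line: str) -> Optional[datetime]:
    m = TS_RE.match(line)
    if not m:
        return None
    # The debug output carries no year; the default (1900) is fine for deltas.
    return datetime.strptime(re.sub(r" +", " ", m.group(1)), "%b %d %H:%M:%S.%f")


def parse_sxp_debug(text: str) -> Dict[str, PeerState]:
    """Group CTS-SXP debug lines by peer address and record what happened."""
    peers: Dict[str, PeerState] = {}
    fd_to_peer: Dict[str, str] = {}
    for line in text.splitlines():
        ts = _parse_ts(line)
        pair = PAIR_RE.search(line)
        fd = FD_RE.search(line)
        peer = pair.group(1) if pair else None
        if peer and fd and fd.group(1) != "-1":
            fd_to_peer[fd.group(1)] = peer  # learn fd -> peer from any line carrying both
        if peer is None:
            m = RCVD_RE.search(line) or HOLD_RE.search(line)
            if m:
                peer = m.group(1)
            elif fd and fd.group(1) in fd_to_peer:
                peer = fd_to_peer[fd.group(1)]  # e.g. "socket_recv failed; fd = 1"
        if peer is None:
            continue
        st = peers.setdefault(peer, PeerState())
        if "socket_connect in progress" in line:
            st.connect_started = ts
        elif "send sxp open" in line:
            st.open_sent = True
        elif "socket_recv failed" in line:
            st.recv_failed_at = ts
            em = ERRNO_RE.search(line)
            st.recv_errno = int(em.group(1)) if em else None
        elif "RCVD peer" in line:
            st.messages_received += 1
        elif "hold timer" in line:
            st.hold_timer_started = True
        else:
            om = OFF_RE.search(line)
            if om:
                st.last_state_before_off = om.group(1)
    return peers


def diagnose(st: PeerState) -> str:
    """Classify one peer: session up, TCP connect timed out, or torn down at once."""
    if st.messages_received or st.hold_timer_started:
        return "up: peer is sending SXP messages and the hold timer is running"
    if st.connect_started and st.recv_failed_at and st.last_state_before_off == "Pending_On":
        wait = (st.recv_failed_at - st.connect_started).total_seconds()
        if wait >= CONNECT_TIMEOUT_HINT_SECONDS:
            return (f"tcp-connect-timeout: OPEN sent, no TCP reply for {wait:.0f}s "
                    f"(errno {st.recv_errno}); SYN to TCP/64999 is most likely dropped on the path")
        return f"tcp-connect-reset: connection torn down after {wait:.1f}s; peer or firewall is resetting it"
    return "unknown: not enough evidence in the captured lines"


def report(text: str) -> Dict[str, str]:
    return {peer: diagnose(st) for peer, st in parse_sxp_debug(text).items()}


if __name__ == "__main__":
    for peer, verdict in report(SAMPLE_DEBUG).items():
        print(f"{peer:16} {verdict}")
```

Run it against a fuller `debug cts sxp` capture by piping the log into `report()`; a peer that never gets past "tcp-connect-timeout" while the primary node shows "up" points at the path between switch and that specific node rather than at the ISE configuration.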
Labels: Identity Services Engine (ISE)
Accepted Solutions
07-25-2019 07:24 AM
https://community.cisco.com/t5/security-documents/sxp-through-a-cisco-asa-firewall/ta-p/3647544
07-23-2019 06:47 PM
Please check the info at TrustSec Troubleshooting Guide > SXP.
07-24-2019 08:32 PM
I checked with our SMEs and most likely you have a firewall between the 2nd ISE and the network devices. The guide I cited earlier has the configuration for ASA. If you need further help, please open a TAC case.

07-24-2019 11:50 PM - edited 07-24-2019 11:51 PM
Yes, there is a firewall... but between the devices and the primary node there are even more firewalls. We have checked the ASA logs and this traffic (to port 6499) is being passed.
