2847 Views | 0 Helpful | 4 Replies

SXP session to ISE secondary node

Michal Rzepecki
Level 1

Hello,

I have a problem setting up an SXP session between Catalyst switches and the ISE secondary node.

All switches have an SXP session to the ISE primary node (172.29.134.140) set up.

None of these switches has an SXP session to the ISE secondary node (10.102.196.1) set up.

SXP service is running on both ISE nodes.

ISE01/admin# sh app st ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2494
Database Server                        running          131 PROCESSES
Application Server                     running          10564
Profiler Database                      running          4875
ISE Indexing Engine                    running          16349
AD Connector                           running          19611
M&T Session Database                   running          4513
M&T Log Collector                      running          10317
M&T Log Processor                      running          10222
Certificate Authority Service          running          15740
EST Service                            running          16228
SXP Engine Service                     running          16767
Docker Daemon                          running          6155
TC-NAC Service                         disabled
Wifi Setup Helper Container            disabled
pxGrid Infrastructure Service          running          11578
pxGrid Publisher Subscriber Service    running          11780
pxGrid Connection Manager              running          11723
pxGrid Controller                      running          11818
PassiveID WMI Service                  running          10426
PassiveID Syslog Service               running          17584
PassiveID API Service                  running          18284
PassiveID Agent Service                running          18697
PassiveID Endpoint Service             running          19106
PassiveID SPAN Service                 running          19446
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE RabbitMQ Container                 running          7118

ISE02/admin# sh app st ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2643
Database Server                        running          108 PROCESSES
Application Server                     running          3672
Profiler Database                      running          5892
ISE Indexing Engine                    running          5325
AD Connector                           running          20535
M&T Session Database                   running          5701
M&T Log Collector                      running          11865
M&T Log Processor                      running          11712
Certificate Authority Service          running          19600
EST Service                            running          20090
SXP Engine Service                     running          20390
Docker Daemon                          running          6833
TC-NAC Service                         disabled
Wifi Setup Helper Container            disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE RabbitMQ Container                 running          7178

I assume ISE is configured properly because the SXP session to the primary node is working. Both nodes are added to the TrustSec AAA servers in the ISE configuration.

I can see the following debugs for both sessions.

Jul 23 07:46:25.982: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_retry_open_timer
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
Jul 23 07:46:25.982: CTS-SXP-CONN:retry conn setup; conn index = 1
Jul 23 07:46:25.982: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
Jul 23 07:46:25.982: CTS-SXP-CONN:conn_cleanup <-1>
Jul 23 07:46:25.982: sxp_calc_src_ip cfg src: 10.97.50.1, def src: 0.0.0.0 calc src: 10.97.50.1 vrf:, tableid:0x0
Jul 23 07:46:25.982: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.97.50.1
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.97.50.1
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:get_conn_passwd_info <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:sxp_socket_upd_md5_option clear tcp MD5 option, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 11, Resource temporarily unavailable, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket_connect in progress, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:sxp_send_open_message send sxp open, curr version 4,  <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-MSG:trp_send_msg <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-MSG:trp_socket_write fd<1>, cdbp->ph_sock_pending<1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_retry_open_timer retry timer started
Jul 23 07:46:25.982: CTS-SXP-CONN:Received invalid DIRECT_EVENT
Jul 23 07:46:42.092: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: adminlng] [Source: 10.102.197.17] [localport: 22] at 09:46:42 GMT Tue Jul 23 2019
Jul 23 07:46:55.982: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:46:55.982: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:SXP SCM: fd = 1, cdbp->listen_fd = -1, ci = 1,  <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:SXP SCM: fd = 1, cdbp->listen_fd = -1, ci = 1,  <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:trp_process_read_sock <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:trp_process_read_sock socket_recv result:-1 errno:257; <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:trp_socket_read <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-ERR:SXP TRP: socket_recv failed; fd = 1, errno = 257
Jul 23 07:46:55.982: CTS-SXP-CONN:scm_send_msg <TRP_TCP_CLOSE, 1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:ph_tcp_close <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:SXP SCM: sh_terminate_conn fd = 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:conn_cleanup <1>
Jul 23 07:46:55.982: %CTS-3-SXP_CONN_STATE_CHG_OFF: Connection <10.102.196.1, 10.97.50.1>-1 state changed from Pending_On to Off.
Jul 23 07:46:55.982: CTS-SXP-CONN:free_conn_buffers, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:imu_sxp_conn_del <1>, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 172.29.134.140, ip2 10.102.196.1 conn mode1 2, conn_mode2 2
Jul 23 07:46:55.982: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.102.196.1, ip2 10.102.196.1 conn mode1 2, conn_mode2 2
Jul 23 07:47:03.732: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:47:03.732: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2,  <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2,  <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-MSG:trp_process_read_sock <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-MSG:trp_socket_read <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:47:03.732: CTS-SXP-MSG:sxp_handle_rx_msg_v2 <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:03.732: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
Jul 23 07:47:03.732: CTS-SXP-MSG:trp_socket_read readlen = 8; errno = 257, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:47:43.732: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2,  <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2,  <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-MSG:trp_process_read_sock <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-MSG:trp_socket_read <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:47:43.732: CTS-SXP-MSG:sxp_handle_rx_msg_v2 <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:47:43.732: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
Jul 23 07:47:43.732: CTS-SXP-MSG:trp_socket_read readlen = 8; errno = 257, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.732: CTS-SXP-CONN:is_cts_sxp_rf_active
Jul 23 07:48:23.733: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 2, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2,  <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-CONN:SXP SCM: fd = 2, cdbp->listen_fd = -1, ci = 2,  <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-MSG:trp_process_read_sock <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-MSG:trp_socket_read <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:48:23.733: CTS-SXP-MSG:sxp_handle_rx_msg_v2 <2>, <172.29.134.140, 10.97.50.1>
Jul 23 07:48:23.733: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
Jul 23 07:48:23.733: CTS-SXP-MSG:trp_socket_read readlen = 8; errno = 257, <172.29.134.140, 10.97.50.1>
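The two peer traces above can be triaged mechanically. The parser below is an added example written for this thread, not code from the original post or from Cisco; it assumes only the CTS-SXP-CONN / CTS-SXP-MSG / %CTS-3-SXP_CONN_STATE_CHG_OFF line formats visible in the quoted debugs, and its sample input is copied from those lines. Per peer it reports how many OPENs the switch sent, how many bytes and keepalives came back, the hold timer the peer negotiated, the last connection state, and the time from OPEN to failure. The point of the summary is the contrast: the primary (172.29.134.140) returns 8-byte keepalives and restarts its 120 s hold timer, while the secondary (10.102.196.1) gets an OPEN and returns zero bytes before the socket read fails 30 s later and the connection drops from Pending_On to Off. A peer that never answers at the TCP level points at the path (a firewall in between) rather than at ISE's SXP configuration, which is also where the accepted answer ends up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the switch debugs quoted in the post above.
SAMPLE_DEBUG = """\
Jul 23 07:46:25.982: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 11, Resource temporarily unavailable, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:25.982: CTS-SXP-CONN:SXP SCM: socket_connect in progress, <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-MSG:trp_process_read_sock socket_recv result:-1 errno:257; <10.102.196.1, 10.97.50.1>
Jul 23 07:46:55.982: CTS-SXP-ERR:SXP TRP: socket_recv failed; fd = 1, errno = 257
Jul 23 07:46:55.982: %CTS-3-SXP_CONN_STATE_CHG_OFF: Connection <10.102.196.1, 10.97.50.1>-1 state changed from Pending_On to Off.
Jul 23 07:47:03.732: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:47:03.732: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
Jul 23 07:47:43.732: CTS-SXP-MSG:RCVD peer 172.29.134.140 readlen:8, datalen:0 remain:4096 bufp =
Jul 23 07:47:43.732: CTS-SXP-CONN:sxp_start_hold_timer hold timer 172.29.134.140 120
"""

# Line shapes taken from the debugs above (assumed stable for this parser).
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): (.*)$")
PAIR_RE = re.compile(r"<(\d+\.\d+\.\d+\.\d+), (\d+\.\d+\.\d+\.\d+)>")  # <peer, local src>
RCVD_RE = re.compile(r"RCVD peer (\S+) readlen:(\d+)")
HOLD_RE = re.compile(r"sxp_start_hold_timer hold timer (\S+) (\d+)")
STATE_RE = re.compile(
    r"SXP_CONN_STATE_CHG_\w+: Connection <(\S+), (\S+)>-\d+ state changed from (\w+) to (\w+)")


def _new_peer():
    return {"opens_sent": 0, "keepalives": 0, "bytes_received": 0, "recv_failures": 0,
            "last_state": None, "hold_timer": None, "open_sent_at": None, "failed_at": None}


def parse_ts(text):
    # IOS debug timestamps carry no year; differences within one capture are what matter.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def summarize_sxp_debug(text):
    """Return {peer_ip: record} describing each SXP connection seen in the debug text."""
    peers = defaultdict(_new_peer)
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts, body = parse_ts(m.group(1)), m.group(2)
        st = STATE_RE.search(body)
        if st:
            peers[st.group(1)]["last_state"] = st.group(4)
            continue
        r = RCVD_RE.search(body)
        if r:
            rec, n = peers[r.group(1)], int(r.group(2))
            rec["bytes_received"] += n
            if n == 8:  # an SXP KEEPALIVE is the 8-byte header (length + type) with no attributes
                rec["keepalives"] += 1
            continue
        h = HOLD_RE.search(body)
        if h:
            peers[h.group(1)]["hold_timer"] = int(h.group(2))
            continue
        p = PAIR_RE.search(body)
        if not p:
            continue
        rec = peers[p.group(1)]
        if "ph_send_open" in body:
            rec["opens_sent"] += 1
            rec["open_sent_at"] = ts
        elif "socket_recv result:-1" in body:
            rec["recv_failures"] += 1
            rec["failed_at"] = ts
    return {peer: _verdict(rec) for peer, rec in peers.items()}


def _verdict(rec):
    out = dict(rec)
    if rec["bytes_received"] > 0 and rec["last_state"] != "Off":
        out["verdict"] = "up"            # peer sends data, hold timer keeps being refreshed
    elif rec["opens_sent"] and rec["bytes_received"] == 0 and rec["last_state"] == "Off":
        out["verdict"] = "no_response"   # OPEN went out, nothing came back, connection dropped
        if rec["open_sent_at"] and rec["failed_at"]:
            out["seconds_to_failure"] = (rec["failed_at"] - rec["open_sent_at"]).total_seconds()
    else:
        out["verdict"] = "inconclusive"
    return out


if __name__ == "__main__":
    for peer, rec in summarize_sxp_debug(SAMPLE_DEBUG).items():
        print(peer, rec["verdict"], "keepalives=%d" % rec["keepalives"],
              "hold=%s" % rec["hold_timer"], "bytes=%d" % rec["bytes_received"],
              "fail_after=%ss" % rec.get("seconds_to_failure"))
```

Feed it the full `debug cts sxp` capture from a switch (one peer per line is all it needs) and compare the verdicts: a peer stuck at `no_response` with the same `seconds_to_failure` on every retry is the one to trace across the firewall on TCP 64999, the SXP port; the thread's answer is that such a path needs more than an ACL permit on the ASA.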

4 Replies

hslai
Cisco Employee

Please check the info at TrustSec Troubleshooting Guide > SXP.

hslai
Cisco Employee

I checked with our SMEs and most likely you have a firewall between the 2nd ISE and the network devices. The guide I cited earlier has the configuration for ASA. If you need further help, please open a TAC case.

Yes, there is a firewall... but between the devices and the primary node there are even more firewalls. We have checked the ASA logs and this traffic (to port 6499) is being passed.

Accepted Solution

Try removing the authentication, or take a look at and implement what is documented in this post. SXP through an ASA usually requires more than just an ACL permitting the traffic.

https://community.cisco.com/t5/security-documents/sxp-through-a-cisco-asa-firewall/ta-p/3647544