08-24-2017 12:27 AM
Hi
We have an ISE 2.2 deployment that is integrated with the MobileIron MDM solution. We have seen intermittent failures in the communication between the solutions (the manual check is always successful). Now we have found a possible cause for the problems, as we have found "Deny TCP (no connection..)" logs in the firewall (ASA) that separates the systems.
Do we have to tweak the TCP timeout values in the firewall to successfully integrate ISE and MobileIron? Does anyone have experience with this?
Thanks
08-24-2017 02:00 PM
You shouldn’t have to. Are you seeing connections being terminated due to timeout? Do you have absolute timeouts configured in the ASA by chance?
08-25-2017 02:09 AM
Thanks,
The firewall is not logging session termination and it is using default settings for TCP (no service-policy tweaks applied). Timeout values:
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
08-25-2017 10:04 AM
I would take a packet capture to better understand when this happens. Take a capture on the inside and outside with an ACL to limit the capture to this traffic. The next time you see the no connection message, look at the capture to determine if ISE, MobileIron, or the ASA is responsible for killing the connection. Also, depending on what level your logs are being generated at, you may not see the timeout message. You should probably increase the log level to debug while you are troubleshooting this problem.
George
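The capture that George describes, written out as an added example (it is not part of the original post or of any Cisco documentation). The addresses, interface names and capture names are constructed assumptions: ISE at 10.0.0.10 on the inside interface, MobileIron at 10.0.1.20 on the outside interface, the MDM API on TCP/443, and a TFTP server at 10.0.0.50. The ACL matches both directions of the flow, and one capture is taken per interface so a connection that the ASA tears down can be distinguished from one that ISE or MobileIron closes. Logging is raised to debugging for the duration of the test, as suggested above, so the teardown messages are recorded alongside the "Deny TCP (no connection)" messages.

```text
! Constructed example: ISE 10.0.0.10 (inside) <-> MobileIron 10.0.1.20 (outside), API on TCP/443
access-list CAP-MDM extended permit tcp host 10.0.0.10 host 10.0.1.20 eq 443
access-list CAP-MDM extended permit tcp host 10.0.1.20 eq 443 host 10.0.0.10
!
! One capture per interface; circular buffer so a long wait for the intermittent failure does not fill it
capture MDM-IN interface inside access-list CAP-MDM buffer 5000000 circular-buffer
capture MDM-OUT interface outside access-list CAP-MDM buffer 5000000 circular-buffer
!
! Log at debugging level only while troubleshooting, then revert
logging buffered debugging
!
! After the next failure: inspect on box or export for Wireshark
show capture MDM-IN detail
show capture MDM-OUT detail
copy /pcap capture:MDM-IN tftp://10.0.0.50/mdm-in.pcap
copy /pcap capture:MDM-OUT tftp://10.0.0.50/mdm-out.pcap
!
! Clean up
no capture MDM-IN
no capture MDM-OUT
```

When reading the result, a "Deny TCP (no connection)" message means a TCP segment arrived for a flow that is no longer in the ASA connection table; the interesting question is what removed it. If the capture shows a FIN or RST from ISE or MobileIron immediately before the denied packet, one of the endpoints closed the session and the later packet is just a straggler; if there is no FIN/RST and the flow had been idle for the configured conn timeout (1:00:00 above), the ASA aged it out; if neither applies, the "no connection" deny is a packet the ASA never saw a valid handshake for, which points at asymmetric routing or a stale session on one side.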
08-31-2017 12:01 AM
The issue originated from MobileIron. An upgrade from v9.1 to 9.4 solved the problem.
Thank you for your inputs
08-31-2017 12:09 PM
Thanks for closing the loop.
01-17-2018 10:48 AM
We are having a similar issue. We have ISE 2.1 patch 5 and MobileIron 9.2 in production and 9.5 for testing. The MDM setup in ISE for both MDM platforms reports successful tests, but when we compose conditions that check the 9.2 version for device status ISE just fails the call and moves on to new rules/conditions. The same checks to the 9.5 platform pass.
Does anyone have documentation regarding this bug or methodology for proving this bug condition?
01-24-2018 11:17 PM
Hi
There is a known issue in MobileIron API calls in MobileIron version 9.2, and there was a patch released by MobileIron; the downside of the patch is that whenever you reboot the MobileIron server the patch has to be re-applied, and it is expected to be fixed in MobileIron 9.5.
I tested ISE 2.1 with MobileIron 9.2 and the MobileIron patch and it worked for me.
Now I am testing ISE 2.1 with MobileIron 9.5; so far it is not working. It seems this combination worked for you. Can you tell me what ISE and MobileIron versions you used, including the patch version for both, please?
Thanks
V.Muthu