TCP timeouts for ISE and MobileIron?

Martin Kling
Level 1

Hi

We have an ISE 2.2 deployment that is integrated with the MobileIron MDM solution. We have seen intermittent failures in the communication between the solutions (the manual check is always successful). Now we have found a possible cause for the problems, as we have found "Deny TCP (no connection..)" logs in the firewall (ASA) that is separating the systems.

Do we have to tweak the TCP timeout values in the firewall to successfully integrate ISE and MobileIron? Does anyone have experience with this?

Thanks

CCIE #36669 (Security)
Cisco Fire Jumper
7 Replies

gbekmezi-DD
Level 5

You shouldn’t have to. Are you seeing connections being terminated due to timeout? Do you have absolute timeouts configured in the ASA by chance?

Thanks,

The firewall is not logging session termination and it is using default settings for TCP (no service-policy tweaks applied). Timeout values:

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15

CCIE #36669 (Security)
Cisco Fire Jumper

I would take a packet capture to better understand when this happens. Take a capture on the inside and outside with an ACL to limit the capture to this traffic. The next time you see the no connection message, look at the capture to determine if ISE, MobileIron, or the ASA is responsible for killing the connection. Also, depending on what level your logs are being generated at, you may not see the timeout message. You should probably increase the log level to debug while you are troubleshooting this problem.

George
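Following up on the timeout values posted above and George's suggestion to work out which side is killing the connection: the script below is an added example written for this page, not code from the thread, from Cisco, ISE or MobileIron. It parses ASA `timeout` lines into seconds, parses "Deny TCP (no connection)" (message 106015) and "Teardown TCP connection" (message 302014) syslog lines, and summarises them so the ASA's own records can be read next to a packet capture. The sample config and log lines are constructed (documentation-range addresses, invented connection id), and the split between "benign late teardown" and "orphaned data segment" is my own triage heuristic, not an ASA classification.

```python
"""Triage helper for the symptom in this thread: ASA "Deny TCP (no connection)"
(message 106015) events between two hosts, read together with the firewall's
configured idle timeouts and any "Teardown TCP connection" (302014) events.
Added example, not code from the thread, Cisco ISE or MobileIron."""
import re
from collections import Counter

# Constructed sample: ASA timeout lines in the format posted in the thread.
TIMEOUT_CONFIG = """
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
"""

# Constructed sample syslog lines. Addresses are documentation-range placeholders,
# not the poster's ISE or MobileIron hosts; the connection id is invented.
SAMPLE_LOGS = """
Mar 10 2018 09:00:00 asa1 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/44321 to 198.51.100.5/443 flags ACK on interface inside
Mar 10 2018 09:00:01 asa1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.5/443 to 192.0.2.10/44321 flags FIN ACK on interface outside
Mar 10 2018 09:00:05 asa1 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/44500 to 198.51.100.5/443 flags PSH ACK on interface inside
Mar 10 2018 09:00:06 asa1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.5/443 to inside:192.0.2.10/44600 duration 1:00:01 bytes 5120 Conn-timeout
"""

TIMEOUT_RE = re.compile(r"(\S+)\s+(\d+):(\d\d):(\d\d)")
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) "
    r"flags ([A-Z ]+?) on interface (\S+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (\d+) for (\w+):(\S+)/(\d+) "
    r"to (\w+):(\S+)/(\d+) duration (\d+):(\d\d):(\d\d) bytes (\d+)(?: (.+))?$"
)


def parse_timeouts(config_text):
    """Return {name: seconds} for every 'name h:mm:ss' pair on 'timeout' lines;
    bare keywords such as 'absolute' carry no value and are skipped."""
    result = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("timeout "):
            for name, h, m, s in TIMEOUT_RE.findall(line[len("timeout "):]):
                result[name] = int(h) * 3600 + int(m) * 60 + int(s)
    return result


def parse_deny(line):
    """Parse a 106015 line into a dict, or return None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags, iface = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": flags.split(), "iface": iface.rstrip(".")}


def parse_teardown(line):
    """Parse a 302014 line; the trailing reason (e.g. 'Conn-timeout') is optional."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    g = m.groups()
    return {"conn_id": int(g[0]),
            "duration_s": int(g[7]) * 3600 + int(g[8]) * 60 + int(g[9]),
            "bytes": int(g[10]), "reason": (g[11] or "").strip()}


def classify_deny(flags):
    """Heuristic (mine, not the ASA's): a FIN or RST with no connection is the
    normal tail of a flow the ASA already tore down; a pure data/ACK segment means
    a peer still considered the session alive after the ASA forgot it."""
    if "RST" in flags or "FIN" in flags:
        return "benign-late-teardown"
    return "orphaned-data-segment"


def triage(log_text, timeouts):
    """Summarise 106015 events and list 302014 teardowns caused by idle timeout."""
    denies, idle_teardowns = [], []
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d:
            denies.append(d)
            continue
        t = parse_teardown(line)
        if t and t["reason"] == "Conn-timeout":
            idle_teardowns.append(t)
    summary = Counter(classify_deny(d["flags"]) for d in denies)
    orphaned = {(d["src"], d["sport"], d["dst"], d["dport"]) for d in denies
                if classify_deny(d["flags"]) == "orphaned-data-segment"}
    return {"conn_idle_timeout_s": timeouts.get("conn"),
            "deny_summary": dict(summary),
            "orphaned_flows": sorted(orphaned),
            "idle_timeout_teardowns": idle_teardowns}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOGS, parse_timeouts(TIMEOUT_CONFIG)), indent=2))
```

Read the result together with the capture George describes: an "orphaned" flow whose source still sends data or ACKs after the ASA has dropped it, with a 302014 "Conn-timeout" teardown for the same hosts, points at the firewall's idle timer (the `conn` value, one hour in the posted config); an orphaned flow with no such teardown, or a capture showing a FIN or RST from one endpoint first, points at ISE or MobileIron closing the session themselves.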

Martin Kling
Level 1

The issue originated from MobileIron. An upgrade from v9.1 to 9.4 solved the problem.

Thank you for your inputs

CCIE #36669 (Security)
Cisco Fire Jumper

Thanks for closing the loop.

mike.jacobs
Level 1

We are having a similar issue. We have ISE 2.1 patch 5 and MobileIron 9.2 in production and 9.5 for testing. The MDM setup in ISE for both MDM platforms reports successful tests, but when we compose conditions that check the 9.2 version for device status ISE just fails the call and moves on to new rules/conditions. The same checks to the 9.5 platform pass.

Does anyone have documentation regarding this bug or methodology for proving this bug condition?

Hi

There is a known issue with MobileIron API calls in MobileIron version 9.2, and a patch was released by MobileIron; the downside of the patch is that whenever you reboot the MobileIron server the patch has to be re-applied, and it is expected to be fixed in MobileIron 9.5.

I tested ISE 2.1 with MobileIron 9.2 and the MobileIron patch, and it worked for me.

Now I am testing ISE 2.1 with MobileIron 9.5; so far it is not working. It seems this combination worked for you. Can you tell me what ISE and MobileIron versions you used, including the patch versions, for both?

Thanks

V.Muthu