09-30-2024 11:54 AM
We have recently upgraded our distributed ISE deployment from 3.2 to 3.3-patch3. After that, we have disabled the weak TLS/SSL ciphers and restarted the services. After that, all the PAN, MNT and PSN nodes in the deployment got remediated except one PSN node. All the nodes were restarted after the patching.
+ Deployment is healthy and all the nodes are showing Green
+ Verified the services and all looks good
Could you please suggest what could be the reason for this? Do we have to re-sync the PSN node from the deployment to check if it can be remediated, or is any other solution available to resolve this issue?
I have attached the vulnerability scan report for that PSN node.
Vulnerability Reported - TLS/SSL Weak Message Authentication Code Cipher Suites
ISE deployment Version - 3.3 - Patch 3
09-30-2024 02:06 PM
You can try a manual sync. If that doesn't work, then de-register the node and re-register it again. That should take care of the issue. In the worst case, you can also de-register the node, shut down and delete the VM, and then build a new one. Of course that is a lot of work, but it's guaranteed to work, in case there was something wrong during the 3.2 to 3.3 upgrade and/or patching. I don't see a vulnerability report attached to your posting.
09-30-2024 02:21 PM