cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1717
Views
5
Helpful
11
Replies
Highlighted
Beginner

Unable to manage ipep node from ISE policy manager after installation

Hi,

We are in the process of deploying Cisco ISE in bridge mode for inline posture assessment and profiling of Cisco ASA SSL VPN clients.

We are able to register ipep successfully in policy node, however after configuring the ipep in inline bridge mode we are unable to reach ipep from policy node.

Also we are not able to ping the trusted and untrusted ip of ipep node (which is same as it is bridge mode) from ISE or for that matter any other device in same vlan.

However, if we place a laptop and assign it the same ip as on ipep we are able to ping it.

Please suggest what could be the reason here.

Cisco ISE Version - 1.1.1

11 REPLIES 11
Highlighted
Beginner

Please refer the steps given in following given link, in order to configure Cisco ISE IPEP in bridge mode.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html

Highlighted

Are the administration node and ipn in bridged mode on the same subnet? If so, then the inline node expects all hosts on its network (except the default gateway) to reside behind its untrusted interface.

Please provide more information regarding your setup.

Tarik Admani
*Please rate helpful posts*

Highlighted

Hi Tarik,

Thank you for your post. I remembered that in clean access configuration if you use CAS in VGW mode you have the same limitation. In this mode CAS send all traffic out on the Untrusted interface unless you have a specific route (like def GW) for that traffic. So after setting iPEP to bridge mode it will search for the admin node via UT interface and it will not find that.

Regards,

Miki

Highlighted
Participant

Please review the below link it will be  help you to understand how to configure inline posture in Routed mode  and Transparent mode (Briged mode).

www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html#wp1161590

Highlighted

I re-imaged my sns-3415 box to ise-ipep-1.2.0-899.i386.iso. After the installation, the box is not reachable. Following are my queries:

1) After the installation the gig 0 interface is not at all reachable. Even from the console CLI i cant ping the gateway.

2) By default the box boots in maintenance mode, how can we switch mode to routed or bridged mode.

I am following Cisco ISE 1.2 user guide. Any response is really appreciable.

Highlighted

Guys,

To give you heads-up, if you install the ise-ipep image for sns-3415 box, port 0 is actually gig1 and port 2 is gig 2.

Above Issue raised by me is fixed now.

Highlighted

Hi, I installed ISE 1.2.1 IPEP image on a SNS-3415 and the interface mapping is still wrong.

I had connected Gi0 to the network and didn't had any management/IP connectivity on the appliance.

After some tests, I noticed that only when shutting down Gi2 from CLI the physical Gi0 would come down.

So the first onboard interface (Gi0) is mapped as Gi2 in CLI.

 

Later edit: 

https://tools.cisco.com/bugsearch/bug/CSCup47501

It seems to be a know (fatal if you ask me) bug.

Highlighted
Participant

Please find the link below for the best practice.

https://supportforums.cisco.com/docs/DOC-24412

Highlighted

Hi can you check and see if it is a certificate issue, if you are using the default self signed certificate for the ipep, you will have to export using the command line and import in the administration node's trusted CA authority, the release notes and the user guides for 1.2 provides the commands how to to accomplish this.

You can also generate a CSR and have it submitted to your internal or external CA depending on your preference. You can then import into the CLI as well.

Thanks,

Tarik Admani
*Please rate helpful posts*

Highlighted
Cisco Employee

Starting with 1.2.1  IPEP image, for SNS 3415 appliance, there is a change in the way you could cable your IPEP node.

The reason for this is the defect  "CSCun02007: IPEP slow data transfer rate and packet loss with traffic bursts" . The fix for this bug was to swap the NIC's . By default SNS3415 comes with 4 ports , the traditional gi0 and gi1 are on-board intel adapters and gi3 and gi4 are PCI adapters that come with Broadcom drivers. The above bug was causing throughput issues with ipep and hence these NIC's were swapped to use the Boradcom based NIC's instead of Intel.

 

So when you cable your set up on 1.2.1 ipep for 3415, you will use the gi3 and gi4 as your new Gi0 and Gi 1, For HA , you will use the other 2 ports (originally gi0 and gi1). However on the  ADE OS software there is no change, you will still configure IP address to gi0 and gi1. The only change is the physical cabling.

 

Overall , old gi0 and gi1 is now gi3 and 4 while the old gi3 and 4 are now Gi0 and Gi1. 

 

Regards,

 

Gurudatt pai

ISE escalation Engineer |CCIE #28227

SAMPG, Cisco systems.

Highlighted

Thanks for the update!

Still, it would be nice if this kind of modifications would be present in the release notes.

The same applies for Inline Posture Node in general. Like for bridge mode, you don't have to insert any static route for RAVPN IP pools, or if you don't use vlan mapping you'd get in trouble with BPDUs.

Regards,

Octavian

Content for Community-Ad