Unable to manage ipep node from ISE policy manager after installation

uditchughim
Level 1

Hi,

We are in the process of deploying Cisco ISE in bridge mode for inline posture assessment and profiling of Cisco ASA SSL VPN clients.

We are able to register ipep successfully in policy node, however after configuring the ipep in inline bridge mode we are unable to reach ipep from policy node.

Also we are not able to ping the trusted and untrusted ip of ipep node (which is same as it is bridge mode) from ISE or for that matter any other device in same vlan.

However, if we place a laptop and assign it the same ip as on ipep we are able to ping it.

Please suggest what could be the reason here.

Cisco ISE Version - 1.1.1


mojuneja
Level 1

Please refer to the steps given in the following link in order to configure Cisco ISE IPEP in bridge mode.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html

Are the administration node and the IPN in bridged mode on the same subnet? If so, then the inline node expects all hosts on its network (except the default gateway) to reside behind its untrusted interface.

Please provide more information regarding your setup.

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thank you for your post. I remember that in the Clean Access configuration, if you use the CAS in VGW mode, you have the same limitation. In this mode the CAS sends all traffic out on the Untrusted interface unless you have a specific route (like the default GW) for that traffic. So after setting the iPEP to bridge mode, it will search for the admin node via the UT interface and will not find it.

Regards,

Miki
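The two replies above describe the same forwarding rule: in bridge (VGW-style) mode, the node sends everything out the untrusted side unless the destination is the default gateway or is covered by a specific route. The following is an added example, not code from the thread or from Cisco, that models that rule with a longest-prefix lookup so you can check ahead of time whether a given admin node placement will be reachable. The addresses, the interface names "trusted"/"untrusted" and the idea of a host route as the fix are assumptions of this model, not ISE configuration syntax.

```python
import ipaddress

# Constructed topology (not the thread's real addresses): iPEP, admin node and
# default gateway all on the same /24, which is exactly the problem case.
IPEP_IP = "10.1.1.10"
ADMIN_NODE_IP = "10.1.1.20"
DEFAULT_GATEWAY = "10.1.1.1"


def egress_side(dst, default_gateway, static_routes=()):
    """Side of a bridge-mode inline node that a packet to `dst` leaves on.

    Model of the behaviour described in the thread: the default gateway and any
    destination covered by a specific (static) route go out the side that route
    names; everything else, even a host on the node's own subnet, is assumed to
    sit behind the untrusted interface. Longest prefix wins among static routes.
    """
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address(default_gateway):
        return "trusted"
    best = None  # (prefixlen, side) of the most specific matching route
    for prefix, side in static_routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, side)
    return best[1] if best else "untrusted"


def admin_node_reachable(admin_ip, admin_actual_side, default_gateway, static_routes=()):
    """True only when the node forwards toward the side the admin node is really cabled on."""
    return egress_side(admin_ip, default_gateway, static_routes) == admin_actual_side


if __name__ == "__main__":
    # Admin node on the trusted side, same subnet, no specific route: traffic goes
    # out the untrusted side, so the admin node never sees it.
    print(admin_node_reachable(ADMIN_NODE_IP, "trusted", DEFAULT_GATEWAY))  # False
    # A specific route for the admin node pointing at the trusted side (assumed fix).
    fix = (("10.1.1.20/32", "trusted"),)
    print(admin_node_reachable(ADMIN_NODE_IP, "trusted", DEFAULT_GATEWAY, fix))  # True
    # Longest prefix: a /24 toward untrusted and a /32 toward trusted, the /32 wins.
    both = (("10.1.1.0/24", "untrusted"), ("10.1.1.20/32", "trusted"))
    print(egress_side(ADMIN_NODE_IP, DEFAULT_GATEWAY, both))  # trusted
```

Run it as-is; the first call returning False is the symptom from the original question (admin node and iPEP pingable individually, but not through the bridge). Whether a host route is the right fix on a given ISE release is something to confirm against the deployment guide linked above; the model only shows why the default behaviour fails.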

manjeets
Level 3

Please review the link below; it will help you understand how to configure inline posture in Routed mode and Transparent mode (Bridged mode).

www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html#wp1161590

I re-imaged my sns-3415 box to ise-ipep-1.2.0-899.i386.iso. After the installation, the box is not reachable. Following are my queries:

1) After the installation the gig 0 interface is not reachable at all. Even from the console CLI I can't ping the gateway.

2) By default the box boots in maintenance mode; how can we switch the mode to routed or bridged mode?

I am following the Cisco ISE 1.2 user guide. Any response is really appreciated.

Guys,

To give you a heads-up: if you install the ise-ipep image on the SNS-3415 box, port 0 is actually gig 1 and port 2 is gig 2.

The above issue raised by me is fixed now.

Hi, I installed the ISE 1.2.1 IPEP image on an SNS-3415 and the interface mapping is still wrong.

I had connected Gi0 to the network and didn't have any management/IP connectivity on the appliance.

After some tests, I noticed that only when shutting down Gi2 from the CLI would the physical Gi0 go down.

So the first onboard interface (Gi0) is mapped as Gi2 in the CLI.


Later edit: 

https://tools.cisco.com/bugsearch/bug/CSCup47501

It seems to be a known (fatal, if you ask me) bug.

blenka
Level 3

Please find the link below for the best practices.

https://supportforums.cisco.com/docs/DOC-24412

Hi, can you check and see if it is a certificate issue? If you are using the default self-signed certificate for the IPEP, you will have to export it using the command line and import it into the administration node's trusted certificate authorities; the release notes and the user guides for 1.2 provide the commands to accomplish this.

You can also generate a CSR and have it submitted to your internal or external CA, depending on your preference. You can then import the result via the CLI as well.

Thanks,

Tarik Admani
*Please rate helpful posts*
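The trust problem described in the reply above is generic X.509 behaviour: a self-signed certificate verifies only when that exact certificate (or a CA that issued it) is in the verifier's trust store. The following added example, which is not from the thread and does not use any ISE CLI commands, reproduces that with throwaway certificates so you can see the failure and the fix offline. It assumes an `openssl` binary on PATH; the host names are made up, and the two verification calls stand in for "admin node trusts something else" versus "admin node has the IPEP's self-signed cert imported as trusted".

```python
import os
import subprocess
import tempfile


def make_self_signed(workdir, common_name):
    """Create a throwaway self-signed certificate with openssl and return its path.

    Stand-in for the factory self-signed certificate an appliance ships with.
    """
    key = os.path.join(workdir, common_name + ".key")
    crt = os.path.join(workdir, common_name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-keyout", key, "-out", crt, "-days", "30", "-subj", "/CN=" + common_name],
        check=True, capture_output=True,
    )
    return crt


def verifies_against(cert_path, ca_bundle_path):
    """True if `openssl verify` accepts cert_path with ca_bundle_path as the only trust store."""
    proc = subprocess.run(
        ["openssl", "verify", "-CAfile", ca_bundle_path, cert_path],
        capture_output=True, text=True,
    )
    return proc.returncode == 0


def demo():
    """Return (before, after): verification result without and with the cert imported as trusted."""
    with tempfile.TemporaryDirectory() as d:
        ipep_cert = make_self_signed(d, "ipep.example.test")        # assumed name
        unrelated = make_self_signed(d, "unrelated.example.test")   # assumed name
        # Trust store holds some other certificate: the self-signed IPEP cert is rejected
        # (openssl reports "self-signed certificate"), which is what the admin node sees.
        before = verifies_against(ipep_cert, unrelated)
        # Trust store now holds the exported IPEP certificate itself: verification passes.
        after = verifies_against(ipep_cert, ipep_cert)
        return before, after


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The same check can be run against a real exported certificate by pointing `verifies_against` at the file the appliance CLI exports and at the CA bundle the admin node actually uses; the CSR path mentioned above ends the same way, with the issuing CA's certificate in the trust store instead of the leaf.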

Gurudatt Pai
Cisco Employee

Starting with the 1.2.1 IPEP image, for the SNS 3415 appliance, there is a change in the way you cable your IPEP node.

The reason for this is the defect "CSCun02007: IPEP slow data transfer rate and packet loss with traffic bursts". The fix for this bug was to swap the NICs. By default the SNS3415 comes with 4 ports: the traditional gi0 and gi1 are on-board Intel adapters, and gi3 and gi4 are PCI adapters that come with Broadcom drivers. The above bug was causing throughput issues with IPEP, and hence these NICs were swapped to use the Broadcom-based NICs instead of Intel.


So when you cable your setup on 1.2.1 IPEP for the 3415, you will use gi3 and gi4 as your new Gi0 and Gi1. For HA, you will use the other 2 ports (originally gi0 and gi1). However, on the ADE OS software there is no change; you will still configure the IP addresses on gi0 and gi1. The only change is the physical cabling.


Overall, the old gi0 and gi1 are now gi3 and gi4, while the old gi3 and gi4 are now Gi0 and Gi1.


Regards,


Gurudatt Pai
ISE Escalation Engineer | CCIE #28227
SAMPG, Cisco Systems.
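The post above, together with the earlier reports of Gi0 appearing as Gi2, comes down to one practical question: which kernel interface is bound to which physical NIC. On a Linux host that is answered by the driver symlink under /sys/class/net/<ifname>/device/driver (the same data `ethtool -i` prints). The following is an added example, not Cisco's code and not an ADE-OS command, that reads that mapping and groups ports by driver; it builds a constructed sysfs tree so it runs anywhere. The driver names `igb` (Intel on-board) and `tg3` (Broadcom PCI), the `eth0`..`eth3` names and the assumption that a root shell is available on the box are all assumptions; on a real appliance you would run `interface_drivers()` against `/sys`.

```python
import os
import tempfile


def interface_drivers(sysfs_root="/sys"):
    """Map each network interface name to the kernel driver bound to it.

    Resolves <sysfs_root>/class/net/<ifname>/device/driver for every interface that
    has one (virtual interfaces such as lo have no device directory and are skipped).
    """
    net = os.path.join(sysfs_root, "class", "net")
    drivers = {}
    for name in sorted(os.listdir(net)):
        link = os.path.join(net, name, "device", "driver")
        if os.path.islink(link):
            drivers[name] = os.path.basename(os.readlink(link))
    return drivers


def cabling_plan(drivers, data_plane_driver):
    """Split interfaces into (data-plane ports, remaining ports) by driver.

    Per the post above, after the NIC swap the Broadcom ports carry the data plane
    (trusted/untrusted) and the on-board Intel ports are left for HA; which driver
    is 'the data-plane one' is passed in rather than hard-coded.
    """
    data = [n for n, d in drivers.items() if d == data_plane_driver]
    rest = [n for n, d in drivers.items() if d != data_plane_driver]
    return data, rest


def fake_sysfs(mapping):
    """Build a throwaway directory that mimics /sys/class/net for the given {ifname: driver}."""
    root = tempfile.mkdtemp()
    for name, driver in mapping.items():
        dev = os.path.join(root, "class", "net", name, "device")
        os.makedirs(dev)
        # Real sysfs links point at ../../../../bus/pci/drivers/<driver>; only the
        # basename matters for identification.
        os.symlink(os.path.join("..", "..", "..", "..", "bus", "pci", "drivers", driver),
                   os.path.join(dev, "driver"))
    return root


# Constructed inventory for a four-port box: two on-board Intel ports, two Broadcom PCI ports.
SAMPLE_BOX = {"eth0": "igb", "eth1": "igb", "eth2": "tg3", "eth3": "tg3"}

if __name__ == "__main__":
    root = fake_sysfs(SAMPLE_BOX)
    seen = interface_drivers(root)
    data, ha = cabling_plan(seen, "tg3")
    print("data plane (cable trusted/untrusted here):", data)  # ['eth2', 'eth3']
    print("remaining ports (HA):", ha)                        # ['eth0', 'eth1']
```

Before trusting any port label, compare this inventory with the MAC addresses printed on the chassis or with the link state seen when you unplug a cable; the thread shows that the silkscreen numbering and the OS numbering are not guaranteed to agree.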

Thanks for the update!

Still, it would be nice if this kind of modification were present in the release notes.

The same applies to the Inline Posture Node in general. For example, in bridge mode you don't have to insert any static route for RAVPN IP pools, or if you don't use VLAN mapping you'd get in trouble with BPDUs.

Regards,

Octavian
