ISE server unreachable from Prime Infrastructure 3.0

ALAN MURRAY
Level 1

Hi,

Our customer has recently upgraded Prime to version 3.0 and we now notice that the ISE server configured is showing as unreachable. We removed one of the two that were configured and attempted to re-add it - no luck, it tells us it is timing out and we should check network connectivity or the user account status.

Both the ISE servers and PI are on the same subnet - the ISE servers are 0.64 and 0.65 and PI is 0.240.

I can log on to both ISE servers using the credentials I am using when adding them to PI, and the account is a superuser on ISE.

I can telnet on port 443 from PI to the ISE server I am trying to add.

I'm currently downloading the logs from PI but given the amount of time this is taking I suspect there will be a lot for me to troll through.

Does anyone have any ideas?

Thanks

Alan

Accepted Solutions

Francesco Molino
VIP Alumni

Hi

I can't help too much because I had this issue only once.

It was CPI 3.0 and ISE2.0. There was a TLS issue. 

I upgraded to CPI3.1 and ISE2.1 and everything is working fine

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

4 Replies

Thanks to both Francesco and Marvin for the quick response. I'll work with the customer to schedule the necessary upgrade(s).

Alan

You're very welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Marvin Rhoads
Hall of Fame

Francesco has it right - various versions have had incompatibility issues due to the respective TLS versions not matching when the product does strict checking/enforcement. The PI GUI gives you the (un)informative and misleading message you mentioned.

If you do a packet capture (easiest from your ISE server using the option) during the attempted exchange you will see the TLS mismatch being reported in the frame decode.

You will be much better off with PI 3.1.x for other reasons as well - just go ahead and get it up to the latest patch and it should all clear up.
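
The TLS mismatch described in this thread can be read straight from the first records of a captured handshake. The following is an added example, not code from any poster or from Cisco: it decodes the ClientHello version and a fatal alert from raw record bytes. The sample bytes and the TLS versions in them are constructed for illustration, not taken from a PI or ISE capture.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def decode_records(data):
    """Walk TLS records (pre-TLS 1.3 framing); return one summary dict per record."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype, rec_ver, length = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5 : pos + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than misparse
        pos += 5 + length
        if ctype == 22 and len(body) >= 6 and body[0] in (1, 2):
            # Handshake: type(1) + length(3), then the hello's version field
            kind = "ClientHello" if body[0] == 1 else "ServerHello"
            (hello_ver,) = struct.unpack_from("!H", body, 4)
            out.append({"type": kind, "version": VERSIONS.get(hello_ver, hex(hello_ver))})
        elif ctype == 21 and len(body) == 2:
            # Plaintext alert: level (2 = fatal) + description
            out.append({"type": "Alert", "fatal": body[0] == 2,
                        "description": ALERTS.get(body[1], str(body[1]))})
        else:
            out.append({"type": f"record({ctype})",
                        "version": VERSIONS.get(rec_ver, hex(rec_ver))})
    return out

def diagnose(client_bytes, server_bytes):
    """Return a one-line verdict for a failed handshake."""
    hellos = [r for r in decode_records(client_bytes) if r["type"] == "ClientHello"]
    alerts = [r for r in decode_records(server_bytes)
              if r["type"] == "Alert" and r["fatal"]]
    if hellos and alerts and alerts[0]["description"] == "protocol_version":
        return f"TLS version mismatch: client offered {hellos[0]['version']}, server refused it"
    if alerts:
        return f"handshake rejected: {alerts[0]['description']}"
    return "no fatal alert seen"

# Constructed sample bytes (not a real capture): a minimal ClientHello carrying
# only its version field, and a fatal protocol_version alert sent in reply.
CLIENT = bytes.fromhex("160301000601000002" + "0301")
SERVER = bytes.fromhex("15030300020246")

if __name__ == "__main__":
    print(diagnose(CLIENT, SERVER))
```

A fatal `protocol_version` alert immediately after the ClientHello, with the TCP connection otherwise healthy, is consistent with port 443 answering to telnet while the application reports a timeout.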
