Cisco Security manager Integration with Cisco ISE for Security group Tag resolution

rohitbhanu009
Level 1

Hi,

I am trying to integrate Cisco CSM with ISE so that I can resolve the security group tags from CSM.

I understand that in order to be able to retrieve the group tags with a search name/tag in "Security group selector", we need to configure ISE settings under "CSM > Tools > Security Manager Administration > ISE Settings".

This is as per Cisco's documentation for CSM:

https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/syspage.html#34637


However, when I enter the ISE IP and credentials on this page and click on Test Connectivity, it fails and gives the error message "Unable to establish the connection. Please verify that the IP address, username, password are correct."


My first thought was that CSM was failing to communicate with ISE. So, I checked if there was any firewall block for this communication. There wasn't any firewall block for this. I did a packet capture and found that CSM is trying to communicate with ISE on port 443. After the initial TCP handshake, I get a handshake failure for TLS v1.2 from ISE and then the connection is torn down.


I am trying to understand if there is any configuration needed on ISE for this? Any help would be appreciated. 


Thank you,

Rohit.
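The capture described above ends with ISE answering the TLS 1.2 ClientHello with a handshake failure. As an added example (not part of the original post or of any Cisco tool), the decoder below takes the raw TLS record bytes exported from such a capture and reports what was offered and how the peer answered, so a fatal handshake_failure alert (commonly no common protocol version or cipher suite) can be told apart from a certificate or version alert. The sample bytes are constructed, not taken from a real capture.

```python
import struct

# Lookup tables for the record/handshake fields relevant to negotiation failures.
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSION = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT = {40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version"}
HS_TYPE = {1: "client_hello", 2: "server_hello"}

def parse_records(data: bytes) -> list:
    """Split a TLS byte stream into records and decode the version, cipher-suite
    and alert fields; TCP/IP framing must already be stripped (e.g. Wireshark
    'Export Packet Bytes' on the TLS layer)."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        off += 5 + length
        # The record-layer version of a ClientHello is commonly 0x0301 regardless
        # of what the client really offers, so do not read too much into it.
        rec = {"type": CONTENT.get(ctype, ctype), "record_version": VERSION.get(ver, hex(ver))}
        if ctype == 21 and len(body) >= 2:              # Alert: level(1) description(1)
            level = "fatal" if body[0] == 2 else "warning"
            rec["alert"] = f"{level} {ALERT.get(body[1], body[1])}"
        elif ctype == 22 and len(body) >= 6:            # Handshake: type(1) length(3) body
            hs_type, hs = body[0], body[4:]
            rec["message"] = HS_TYPE.get(hs_type, hs_type)
            if hs_type in (1, 2):                       # ClientHello / ServerHello
                rec["hello_version"] = VERSION.get(struct.unpack("!H", hs[:2])[0])
                sid_len = hs[34]                        # follows 2-byte version + 32-byte random
                cs_off = 35 + sid_len
                if hs_type == 1:                        # client offers a list of suites
                    cs_len = struct.unpack("!H", hs[cs_off:cs_off + 2])[0]
                    suites = hs[cs_off + 2:cs_off + 2 + cs_len]
                    rec["cipher_suites"] = ["0x" + suites[i:i + 2].hex() for i in range(0, cs_len, 2)]
                else:                                   # server names the single chosen suite
                    rec["cipher_suite"] = "0x" + hs[cs_off:cs_off + 2].hex()
        records.append(rec)
    return records

def build_client_hello(suites: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (no extensions) for the sample below."""
    hs_body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample, not a real capture: the client offers two suites and the server
# replies with a fatal alert (level 2, description 40 = handshake_failure).
SAMPLE_CAPTURE = build_client_hello(bytes.fromhex("c02f002f")) + bytes.fromhex("15030300020228")
```

Running `parse_records(SAMPLE_CAPTURE)` yields one ClientHello entry listing the offered suites and one entry reading `fatal handshake_failure`; on a real export, compare the offered suites and version with what the ISE admin interface is configured to accept.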

5 Replies

Marvin Rhoads
Hall of Fame

It could be a bug / TLS compatibility issue. I'd recommend opening a TAC case since the ISE compatibility matrices don't list CSM (any version) as compatible despite what the CSM documentation indicates.


https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html


We had the same thing a while back with ISE and Prime Infrastructure. ISE (2.0 if I recall correctly) locked down TLS to 1.2 only while PI was still only able to talk TLS 1.1. It wasn't until PI (3.0 or 3.1 if I recall correctly) added TLS 1.2 support that integration worked once again.


Peter Koltl
Level 7

CSCvg18306

Thanks for providing the Bug ID @Peter Koltl.

Gents

I have a similar problem with CSM 4.19 & ISE 2.1.

I took a capture and found ISE talks to CSM with TLS 1.2, but it always finishes with a session setup failure after the Test button submission.

I can't access the bug ID, so what is the pill to heal it?

Self-resolved. A&UG for CSM 4.20:

ISE Version

Beginning with version 4.18, Cisco Security Manager supports integration of only ISE version 2.3.
