Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2749
Views
25
Helpful
5
Replies

Cisco Security manager Integration with Cisco ISE for Security group Tag resolution

rohitbhanu009
Level 1
Level 1

‎11-01-2017 09:22 AM - edited ‎02-21-2020 06:37 AM

Hi,

 

I am trying to  integrate Cisco CSM to ISE so that I can resolve the security group tags from CSM.

I understand that in order to to be able to retrieve the group tags with a search name/tag in "Security group selector" we need to configure ISE Settings under "CSM >Tools >Security Manager Administration > ISE Settings"

This is as per Cisco's Documention for CSM:

https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/syspage.html#34637

 

However, when I enter the ISE IP and Credentials in this page and click on Test Connectivity, it fails and give an error message "Unable to establish the connection. Please verify that the IP address, username, password are correct. 

 

My first thought was that CSM was failing to communicate with ISE. So, I checked if there was any firewall block for this communication. There wasn't any firewall block for this. I did a packet capture and found that CSM is trying to communicate with ISE on port 443. After the initial TCP handshake, I get a handshake failure for TLS v1.2 from ISE and then the connection is torn down.

 

I am trying to understand if there is any configuration needed on ISE for this? Any help would be appreciated. 

 

Thank you,

Rohit.

1 person had this problem
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-02-2017 07:43 PM

It could be a bug / TLS compatibility issue. I'd recommend opening a TAC case since the ISE compatibility matrices don't list CSM (any version) as compatible despite what the CSM documentation indicates.

 

https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

 

We had the same thing a while back with ISE and Prime Infrastructure. ISE (2.0 if I recall correctly) locked down TLS to 1.2 only while PI was still only able to talk TLS 1.1. It wasn't until PI (3.0 or 3.1 if I recall correctly) added TLS 1.2 support that integration worked once again.

 

Peter Koltl
Level 7
Level 7

‎09-04-2018 03:11 AM

CSCvg18306

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Peter Koltl

‎09-04-2018 03:26 AM

Thanks for providing the BugID @Peter Koltl

0 Helpful

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to Marvin Rhoads

‎07-30-2021 01:24 PM - edited ‎08-01-2021 11:17 AM

Gents

i have similar problem with CSM 4.19 & ISE 2.1.

i took capture & found ISE talks to CSM with TLS1.2 but it always finish with session setup failure after Test button submission

i cant access bug id. so what is the pill to heal it?

Preview file
180 KB

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to andy!doesnt!like!uucp

‎08-02-2021 12:50 AM

selfresolved. A&UG for CSM 4.20:

ISE Version

Beginning with version 4.18, Cisco Security Manager supports integration of only ISE version 2.3.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card