10-13-2017 04:35 AM - edited 02-21-2020 06:29 AM
Hi all,
Integration between FMC and ISE fails when testing.
I see the below errors in the logs after a successful SSL handshake:
Captured Jabberwerx log:2017-10-13T10:37:52 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ISE-1.cn.aura:8910/pxgrid/mnt/sd/getSessionListByTime'
Captured Jabberwerx log:2017-10-13T10:37:52 [ ERROR]: curl_easy_perform() failed: (6) Couldn't resolve host name at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
It seems to be a DNS resolution problem, but the FMC resolves the ISE hostname.
A detailed log file is attached.
Thank you for your help.
11-12-2017 12:32 PM
11-12-2017 01:00 PM
The problem disappeared after I synced the two (FMC and ISE) with the same NTP server.
11-12-2017 11:56 PM
Now I have this problem. Currently I'm using a self-signed certificate on ISE and importing it to FMC.
Queried 1 bulk download hostnames:ISE.ddpg.com:8910
...successfully connected to ISE server.
Starting bulk download
Captured Jabberwerx log:2017-11-13T07:36:45 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ISE.ddpg.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Starting SSL Handshake, SSL state:before/connect initialization
Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x5A0860370000000071E91C75D3E246CE', issued by 'CN = ISE.ddpg.com', to 'CN = ISE.ddpg.com'
...because SSL negotiation encountered error: self signed certificate
...while validating this entry in the certificate chain: Certificate with Serial Number '0x5A0860370000000071E91C75D3E246CE', issued by 'CN = ISE.ddpg.com', to 'CN = ISE.ddpg.com'
Sending SSL alert:unknown CA
Sending SSL alert:close notify
Captured Jabberwerx log:2017-11-13T07:36:45 [ ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
bulk download iter next failed REST errorPeer certificate cannot be authenticated with given CA certificates
Failed to validate bulk download.
disconnecting pxgrid
11-13-2017 12:24 AM
It seems like a certificate authentication problem. Did you check the ISE/FMC docs about the integration using self-signed certs?
It is recommended to use CA certs; you can generate one using the CSR file retrieved from your ISE.
Certs must be for both server and client authentication (in the Enhanced Key Usage).
Don't forget to upload the root certificate too.
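The checks listed in the reply above (CA-signed rather than self-signed, both server and client authentication in the Enhanced Key Usage, a root certificate that validates the chain), as an added example that is not part of the thread: a shell script using the openssl CLI. The function names, file names and CNs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on an ISE certificate before importing it
# into FMC. All file names and CNs below are constructed for illustration.

# check_pxgrid_cert CERT ROOT: prints findings, returns 0 only if all pass.
check_pxgrid_cert() {
    cert=$1; root=$2; rc=0
    # Subject == issuer is the pattern FMC rejected in the log above.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo "FAIL: self-issued (subject equals issuer)"; rc=1
    fi
    # Both usages must be listed in Extended Key Usage.
    eku=$(openssl x509 -in "$cert" -noout -text |
          grep -A1 'Extended Key Usage' || true)
    for use in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
        echo "$eku" | grep -q "$use" || { echo "FAIL: EKU lacks $use"; rc=1; }
    done
    # The root that will be uploaded must actually validate the certificate.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: does not chain to $root"; rc=1; }
    return $rc
}

# make_samples DIR: constructed throwaway PKI (root CA, CA-signed leaf with
# both EKUs, and a bare self-signed certificate) to exercise the checks.
make_samples() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' \
        '[leaf]' 'extendedKeyUsage=serverAuth,clientAuth' > "$d/x.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x.cnf" -extensions ca \
        -subj '/CN=Constructed Root CA' -days 2 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
        -subj '/CN=ise.example.test' \
        -keyout "$d/ise.key" -out "$d/ise.csr" 2>/dev/null
    openssl x509 -req -in "$d/ise.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/x.cnf" -extensions leaf -days 2 \
        -out "$d/ise.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x.cnf" \
        -subj '/CN=ise.example.test' -days 2 \
        -keyout "$d/ss.key" -out "$d/ss.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_samples "$demo"
check_pxgrid_cert "$demo/ise.pem" "$demo/ca.pem" && echo "ise.pem: all checks pass"
check_pxgrid_cert "$demo/ss.pem" "$demo/ca.pem" || echo "ss.pem: not suitable"
rm -rf "$demo"
```

Against a real deployment, pass the exported ISE certificate and the root CA file in place of the constructed samples.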
11-13-2017 01:18 AM
11-13-2017 01:22 AM
Good :)