
ISE ERS API returns 502

ivanbadikov
Level 1

Hello,

I've been tasked to create a script that replicates MAB entries from one deployment to another using the ciscoisesdk. In my case I have 3 source sites with 1 ISE node each and a target site with 2 ISE nodes in a distributed deployment. All of the nodes are running ISE 3.1. I followed the proper steps to enable the ERS API - enabling the API and creating an ERS admin account.

On the source nodes I have no problem using the API, everything works as expected. My problem is with the destination nodes. When I or the script make an API call to the destination node I always get the error:

{
"message": "An invalid response was received from the server",
"code": 502
}

 

The API call that I'm making is:

curl --location 'https://{primary_node}/ers/config/endpoint?filter=staticGroupAssignment.EQ.true' --header 'Accept: application/json' --header 'Authorization: Basic {credentials}' -k

I set up a Debug profile where the components ers, api-gateway and apiservices are all set to DEBUG, but in the respective logs there is no mention of the error. I tried digging through Google but I couldn't find any info regarding why this happens and I'm running out of ideas how to troubleshoot this... Any help will be much appreciated!

Thanks in advance,

Ivan

 

 

 

6 Replies

Marcel Zehnder
Spotlight

Hi @ivanbadikov, ERS API by default runs on port 9060, also the basic auth should be base64 encoded, try this:

curl -k -u YOUR_USERNAME:YOURPASSWORD "https://YOURNODE:9060/ers/config/endpoint?filter=staticGroupAssignment.EQ.true"

Regarding the auth - my credentials are base64 encoded. When calling the API on port 9060 I get: 
curl: (7) Failed connect to {ise_node}:9060; Connection refused
From the API Setting page:

 

The ERS and OpenAPI services are HTTPS-only REST APIs that operate over port 443.
Currently, ERS APIs also operate over port 9060. However, port 9060 might not be supported for ERS APIs in later Cisco ISE releases. We recommend that you only use port 443 for ERS APIs.

Sorry, I missed the port note.

ivanbadikov
Level 1

Another thing I just noticed. When I navigate to https://{ise_node}/ers/sdk I get the following screen:

[Screenshot: ivanbadikov_0-1695721981669.png]

 

thomas
Cisco Employee

This query works for me on ISE 3.3:

curl --include --insecure --location \
--header 'Accept: application/json' \
--user "$ISE_REST_USERNAME:$ISE_REST_PASSWORD" \
--request GET "https://$ISE_HOSTNAME/ers/config/endpoint?filter=staticGroupAssignment.EQ.true"

HTTP/1.1 200

Be careful with your use of ' (single-quotes) vs " (double-quotes) since "'s allow variable interpolation but ''s do not.

We have examples in ISE ERS API Examples including Get All Endpoints in a Specific Endpoint Identity Group. I also have many other curl examples in the ReadMe file @ https://github.com/1homas/20221004_ISE_REST_APIs_Introduction

If you are seeing "Application Server initializing..." it is because your ISE node is booting or restarting and the services that run the GUI and REST APIs are not yet available.
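The quoting and Basic-auth points from the replies above, as an added example that is not part of the original posts: it builds the header that curl's --user option generates, shows what a single-quoted header actually sends, and decodes a header back for inspection. The credential values, the ISE_REST_CREDS variable and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example. Credentials are constructed samples, not values from the thread.
ISE_REST_USERNAME='ers-admin'
ISE_REST_PASSWORD='S3cret$Pass'   # the $ is deliberate: it must survive quoting

# Build the header that `curl --user user:password` generates on its own:
# "Authorization: Basic " followed by base64("user:password").
basic_auth_header() {
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode a header back to "user:password" to inspect what is really being sent.
decode_basic_auth() {
  printf '%s' "${1#Authorization: Basic }" | base64 -d
}

# Double quotes: the shell substitutes $ISE_REST_CREDS before curl sees it.
header_double_quoted() {
  ISE_REST_CREDS=$(printf '%s:%s' "$ISE_REST_USERNAME" "$ISE_REST_PASSWORD" \
    | base64 | tr -d '\n')
  printf '%s' "Authorization: Basic $ISE_REST_CREDS"
}

# Single quotes: no substitution, so the literal text $ISE_REST_CREDS is sent
# and the server cannot decode it into a username and password.
header_single_quoted() {
  printf '%s' 'Authorization: Basic $ISE_REST_CREDS'
}

echo "double-quoted: $(header_double_quoted)"
echo "single-quoted: $(header_single_quoted)"
echo "decoded:       $(decode_basic_auth "$(header_double_quoted)")"
```
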

 

 

Tried it your way and still get a 502... Seeing the "Application server is initializing." screen is strange to me because the GUI is working properly. Is there a way to check the status of the REST service or maybe restart it without restarting the whole ISE?

I think it's something related to the REST service because if I make the API call to the secondary node it goes through without a problem.