
ISE ERS API returns 502

ivanbadikov
Level 1

Hello,

I've been tasked to create a script that replicates MAB entries from one deployment to another using the ciscoisesdk. In my case I have 3 source sites with 1 ISE node each and a target site with 2 ISE nodes in a distributed deployment. All of the nodes are running ISE 3.1. I followed the proper steps to enable the ERS API - enabling the API and creating an ERS admin account.

On the source nodes I have no problem using the API, everything works as expected. My problem is with the destination nodes. When I or the script make an API call to the destination node I always get the error:

{
"message": "An invalid response was received from the server",
"code": 502
}

 

The API call that I'm making is:

curl --location 'https://{primary_node}/ers/config/endpoint?filter=staticGroupAssignment.EQ.true' --header 'Accept: application/json' --header 'Authorization: Basic {credentials}' -k

I set up a Debug profile where the components ers, api-gateway and apiservices are all set to DEBUG, but in the respective logs there is no mention of the error. I tried digging through Google but I couldn't find any info regarding why this happens and I'm running out of ideas how to troubleshoot this... Any help will be much appreciated!

Thanks in advance,

Ivan

 

 

 

7 Replies

Marcel Zehnder
Spotlight

Hi @ivanbadikov, the ERS API by default runs on port 9060. Also, the basic auth should be base64 encoded. Try this:

curl -k -u YOUR_USERNAME:YOURPASSWORD "https://YOURNODE:9060/ers/config/endpoint?filter=staticGroupAssignment.EQ.true"

Regarding the auth - my credentials are base64 encoded. When calling the API on port 9060 I get: 
curl: (7) Failed connect to {ise_node}:9060; Connection refused
From the API Setting page:

 

The ERS and OpenAPI services are HTTPS-only REST APIs that operate over port 443.
Currently, ERS APIs also operate over port 9060. However, port 9060 might not be supported for ERS APIs in later Cisco ISE releases. We recommend that you only use port 443 for ERS APIs.

Sorry, I missed the port note.

ivanbadikov
Level 1

Another thing I just noticed. When I navigate to https://{ise_node}/ers/sdk I get the following screen:

[Screenshot: ivanbadikov_0-1695721981669.png]

 

thomas
Cisco Employee

This query works for me on ISE 3.3:

curl --include --insecure --location \
--header 'Accept: application/json' \
--user "$ISE_REST_USERNAME:$ISE_REST_PASSWORD" \
--request GET "https://$ISE_HOSTNAME/ers/config/endpoint?filter=staticGroupAssignment.EQ.true"

HTTP/1.1 200

Be careful with your use of ' (single-quotes) vs " (double-quotes) since "'s allow variable interpolation but ''s do not.

We have examples in ISE ERS API Examples including Get All Endpoints in a Specific Endpoint Identity Group. I also have many other curl examples in the ReadMe file @ https://github.com/1homas/20221004_ISE_REST_APIs_Introduction

If you are seeing "Application Server initializing..." it is because your ISE node is booting or restarting and the services that run the GUI and REST APIs are not yet available.

 

 

Tried it your way and still get a 502... Seeing the "Application server is initializing." screen is strange to me because the GUI is working properly. Is there a way to check the status of the REST service or maybe restart it without restarting the whole ISE?

I think it's something related to the REST service because if I make the API call to the secondary node it goes through without a problem.

chyps
Level 1

Experienced similar issue today. Processes all looked good (running) and web UI accessible, but ERS API stopped accepting requests on Primary PAN. Direct API calls from custom application and Postman resulted in a Connection Refused. Attempt to access the ers/sdk page from browser showed same Application Initializing message shown earlier in this thread.  Server application services were running and the Web UI accessible. API admin account was enabled. For good measure, disabled and re-enabled admin account to ensure not an issue with account lockout but still unable to connect via API. Even tried accessing secondary PAN (also enabled for API) but received same error.  Disabled and re-enabled the ERS API from Administration > System > Settings to see if something stuck but same result. Both nodes in the Deployment showed Active and in sync.

Ended up rebooting Primary PAN and API error resolved, but only Primary PAN API access was working again. To be thorough, I tried API against secondary PAN and again received connection error. Again, verified app server running under CLI (sh app status ise). Rebooted Secondary PAN, and once services back up the API was responding again. For reference, the servers were running ISE 3.1 P5.
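
Added example, not written by any participant in this thread: a Python probe that sends the thread's ERS query to each node on ports 443 and 9060 with certificate verification left on (unlike `curl -k`), and names the outcome: the 502 from the gateway, a refused connection, the initializing page, or rejected credentials. The outcome labels, the environment variable names ISE_NODES and ISE_CA_BUNDLE, and the wording matched for the initializing page are assumptions of this example; ISE_REST_USERNAME and ISE_REST_PASSWORD follow the curl example earlier in the thread.

```python
import base64, os, re, ssl
import urllib.error, urllib.request

# Query used throughout the thread; 443 is the port the ISE settings page recommends.
ERS_PATH = "/ers/config/endpoint?filter=staticGroupAssignment.EQ.true"
PORTS = (443, 9060)
# Assumption: the placeholder page contains one of the wordings quoted in the thread.
INIT_PAGE = re.compile(r"application server( is)? initializing", re.I)

def classify(status, body):
    """Name the condition behind an HTTP status/body pair from an ISE node."""
    if INIT_PAGE.search(body):
        return "app-server-initializing"
    if status == 502:
        return "gateway-502"            # the JSON error the original poster received
    if status in (401, 403):
        return "auth-rejected"
    return "ok" if 200 <= status < 300 else f"http-{status}"

def classify_error(exc):
    """Name a transport failure; URLError wraps the real cause in .reason."""
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLError):
        return "tls-failure"            # untrusted certificate, hostname mismatch
    if isinstance(reason, ConnectionRefusedError):
        return "connection-refused"     # nothing listening, as reported for 9060
    return f"unreachable: {reason}"

def probe(host, port, user, password, cafile=None, timeout=10):
    """Send the ERS query to one node/port and return the classified outcome."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:{port}{ERS_PATH}",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the node certificate
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:        # 4xx/5xx responses still carry a body
        return classify(err.code, err.read().decode(errors="replace"))
    except OSError as err:                       # URLError, TLS and socket errors
        return classify_error(err)

if __name__ == "__main__":  # ISE_NODES / ISE_CA_BUNDLE: hypothetical names for this example
    env = os.environ
    for node in env["ISE_NODES"].split(","):
        for port in PORTS:
            print(node, port, probe(node.strip(), port, env["ISE_REST_USERNAME"],
                                    env["ISE_REST_PASSWORD"], env.get("ISE_CA_BUNDLE")))
```

Running it against every PAN in a deployment shows at a glance which node and port answer the ERS query and which return the gateway error, which is the comparison the posters above made by hand.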