teegeorg
Cisco Employee

Description of the issue

SXP connections between devices or switches and ISE are not in the "UP" state. The connection state is either "PENDING_ON" or "OFF".

Possible causes

  • The local mode in the device SXP configuration differs from the Peer Role in the SXP Devices section on ISE. For example, the local mode configured on the device is listener and the Peer Role on ISE is both or speaker.
  • You are unable to ping ISE from the device, especially when SXP is configured for a particular VRF.

Solution

Device-side checks

  1. Check the local mode configured on the device.
    sh run | s sxp
    The command output is as follows:
    cts sxp enable
    cts sxp connection peer peer-ipv4-addr [ source src-ipv4-addr ] password { default | none } mode { local | peer } { speaker | listener } [ vrf vrf-name ]

  2. Verify whether the SXP connection between the device and ISE is on.
    sh cts sxp connections
    Or, in the case of VRF:
    sh cts sxp connections vrf <VRF name>

    The output of the command should show the connection status as "ON".

    9500BR#sh cts sxp connections vrf WIRED
    SXP : Enabled
    Highest Version Supported: 4
    Default Password : Not Set
    Default Source IP: Not Set
    Connection retry open period: 120 secs
    Reconcile period: 120 secs
    Retry open timer is not running
    Peer-Sequence traverse limit for export: Not Set
    Peer-Sequence traverse limit for import: Not Set
    ----------------------------------------------
    Peer IP : 172.18.202.4
    Source IP : 20.20.20.254
    Conn status : On
    Conn version : 4
    Conn capability : IPv4-IPv6-Subnet
    Conn hold time : 120 seconds
    Local mode : SXP Listener
    Connection inst# : 1
    TCP conn fd : 3
    TCP conn password: none
    Hold timer is running
    Duration since last state change: 0:23:55:59 (dd:hr:mm:sec)

     

ISE-side Configuration

  1. On ISE, navigate to Work Centers > TrustSec > SXP.
  2. Configure the device by clicking Add. Make sure the Peer Role is the same as the local mode defined on the device.

After a few minutes, the status should show as ON.
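
The two checks above (connection status, and local mode versus the ISE Peer Role) can be run against saved command output. This is an added example, not part of the original article or of any Cisco tooling; the function names, the second peer 192.0.2.10 and the `ise_peer_role` mapping are assumptions made for illustration.

```python
import re

# Constructed sample: trimmed "sh cts sxp connections" output. The first peer
# is taken from the article; the second (192.0.2.10) is invented.
SAMPLE = """\
SXP : Enabled
Highest Version Supported: 4
----------------------------------------------
Peer IP : 172.18.202.4
Source IP : 20.20.20.254
Conn status : On
Local mode : SXP Listener
Duration since last state change: 0:23:55:59 (dd:hr:mm:sec)
----------------------------------------------
Peer IP : 192.0.2.10
Source IP : 20.20.20.254
Conn status : Pending_On
Local mode : SXP Speaker
"""

def parse_connections(text):
    """Split on the dashed separators; return one field dict per peer."""
    peers = []
    for block in re.split(r"^-{5,}[ \t]*$", text, flags=re.M):
        pairs = re.findall(r"^[ \t]*([^:\n]+?)[ \t]*:[ \t]*(.*)$", block, flags=re.M)
        fields = {k.lower(): v.strip() for k, v in pairs}
        if "peer ip" in fields:  # skips the global header block
            peers.append(fields)
    return peers

def find_problems(text, ise_peer_role):
    """ise_peer_role: ISE IP -> Peer Role configured on ISE for this device
    (hypothetical operator-supplied mapping, read from the ISE SXP page)."""
    problems = []
    for p in parse_connections(text):
        ip = p["peer ip"]
        status = p.get("conn status", "unknown")
        mode = p.get("local mode", "").lower().replace("sxp", "").strip()
        if status.lower() != "on":
            problems.append((ip, f"connection status is {status}"))
        role = ise_peer_role.get(ip, "").lower()
        if role and role != mode:
            problems.append((ip, f"local mode '{mode}' != ISE Peer Role '{role}'"))
    return problems

if __name__ == "__main__":
    roles = {"172.18.202.4": "listener", "192.0.2.10": "listener"}
    for ip, msg in find_problems(SAMPLE, roles):
        print(f"{ip}: {msg}")
```

For a VRF, feed it the output of `sh cts sxp connections vrf <VRF name>` instead.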

Recommended Actions

If the SXP connection between the device and ISE is not in the UP state after the above-mentioned verification and configuration steps, open a TAC case to further troubleshoot the issue. Please provide the output of the verification commands while opening the case.
