Description of the issue
The SXP connection between a device (switch or router) and ISE is not in the "UP" (ON) state. The connection state is either "PENDING_ON" or "OFF".
Possible causes
- The local mode in the device SXP configuration is different from the Peer Role in the SXP Devices section on ISE. For example, the local mode configured on the device is listener while the Peer Role on ISE is both or speaker.
- ISE is not reachable from the device (a ping to ISE from the device fails), especially when SXP is configured for a particular VRF; test reachability from within that VRF.
Solution
Device-side checks
- Check the local mode configured on the device:
sh run | s sxp
The SXP lines in the running configuration follow this syntax:
cts sxp enable
cts sxp connection peer peer-ipv4-addr [ source src-ipv4-addr ] password { default | none } mode { local | peer } { speaker | listener } [ vrf vrf-name ]
- Verify whether the SXP connection between the device and ISE is on:
sh cts sxp connections
Or, when the connection is configured in a VRF:
sh cts sxp connections vrf <VRF name>
The output of the command should show "Conn status : On" for the ISE peer, as in the following example:
9500BR#sh cts sxp connections vrf WIRED
SXP : Enabled
Highest Version Supported: 4
Default Password : Not Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 172.18.202.4
Source IP : 20.20.20.254
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 1
TCP conn fd : 3
TCP conn password: none
Hold timer is running
Duration since last state change: 0:23:55:59 (dd:hr:mm:sec)
ISE-side Configuration
- On ISE, navigate to Work Centers > TrustSec > SXP.
- Add the device by clicking Add. Make sure the Peer Role is the same as the local mode defined on the device (for example, Peer Role LISTENER when the device local mode is listener).
After a few minutes, the status of the device on the ISE SXP page should show as ON.
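As an added illustration of the device-side checks and the ISE-side comparison above (example code written for this page, not a Cisco or ISE tool), the following Python script parses "show cts sxp connections" output, extracts each connection's status and local mode, and compares them with a table of the Peer Roles configured on ISE. The sample output reuses the healthy connection shown above and adds a constructed second connection stuck in Pending_On; the ISE table is constructed, and keying it by ISE node and then by the device's Source IP is an assumption.

```python
"""Check 'show cts sxp connections' output against the Peer Role configured on ISE.
Added example for this troubleshooting page, not Cisco or ISE code. The ISE side
is a constructed dictionary standing in for Work Centers > TrustSec > SXP entries
(assumption: keyed by ISE node, then by the device's Source IP as seen by ISE)."""
import re
from dataclasses import dataclass

# Constructed sample: the healthy connection shown earlier on this page, plus an
# invented second connection (to another ISE node) stuck in Pending_On.
SAMPLE_OUTPUT = """\
SXP : Enabled
Default Password : Not Set
----------------------------------------------
Peer IP : 172.18.202.4
Source IP : 20.20.20.254
Conn status : On
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 1
TCP conn password: none
Duration since last state change: 0:23:55:59 (dd:hr:mm:sec)
----------------------------------------------
Peer IP : 172.18.202.5
Source IP : 20.20.20.254
Conn status : Pending_On
Local mode : SXP Speaker
Connection inst# : 2
TCP conn password: none
Duration since last state change: 0:00:02:10 (dd:hr:mm:sec)
"""

# Constructed ISE configuration: Peer Role per device as entered on each ISE node.
ISE_PEER_ROLES = {
    "172.18.202.4": {"20.20.20.254": "LISTENER"},  # equals the device's local mode: OK
    "172.18.202.5": {"20.20.20.254": "LISTENER"},  # device side is Speaker: mismatch
}


@dataclass
class SxpConnection:
    peer_ip: str     # ISE node the device peers with
    source_ip: str   # address the device connects from (what ISE sees as its peer)
    status: str      # On, Off, Pending_On, ...
    local_mode: str  # Listener or Speaker
    password: str


def parse_sxp_connections(text):
    """Split the output into one SxpConnection per 'Peer IP' block; global header
    lines before the first block are ignored and lines without ':' are skipped."""
    conns, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Peer IP":
            if current is not None:
                conns.append(_build(current))
            current = {}
        if current is not None:
            current[key] = value
    if current is not None:
        conns.append(_build(current))
    return conns


def _build(f):
    return SxpConnection(
        peer_ip=f["Peer IP"],
        source_ip=f.get("Source IP", ""),
        status=f.get("Conn status", ""),
        local_mode=re.sub(r"^SXP\s+", "", f.get("Local mode", "")),
        password=f.get("TCP conn password", ""),
    )


def check_against_ise(conns, ise_peer_roles):
    """Return (peer_ip, problem) tuples. The page's rule is that the ISE Peer Role
    must equal the device's local mode, so any other value (including BOTH) is a
    mismatch; a status other than On is reported separately."""
    findings = []
    for c in conns:
        role = ise_peer_roles.get(c.peer_ip, {}).get(c.source_ip)
        if role is None:
            findings.append((c.peer_ip, f"no SXP device entry on ISE for source {c.source_ip}"))
        elif role != c.local_mode.upper():
            findings.append((c.peer_ip, f"role mismatch: device local mode {c.local_mode}, ISE Peer Role {role}"))
        if c.status.lower() != "on":
            findings.append((c.peer_ip, f"connection status is {c.status}, expected On"))
    return findings


if __name__ == "__main__":
    for peer, problem in check_against_ise(parse_sxp_connections(SAMPLE_OUTPUT), ISE_PEER_ROLES):
        print(f"{peer}: {problem}")
```

Paste the real "sh cts sxp connections" (or "... vrf <VRF name>") output into SAMPLE_OUTPUT and fill ISE_PEER_ROLES from the ISE SXP page; a connection that stays Pending_On with no role mismatch reported points at reachability (the VRF ping check above) rather than at the role configuration.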
Recommended Actions
If the SXP connection between the device and ISE is still not in the UP state after the verification and configuration steps above, open a TAC case to troubleshoot the issue further. Provide the output of the verification commands when opening the case.