Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
Bookmark
|
Subscribe
|
5105
Views
0
Helpful
0
Comments

Verify the SXP connection

teegeorg
Cisco Employee
Cisco Employee

on ‎06-10-2019 12:24 AM

Description of the issue

SXP connections between devices or switches and ISE is not in the "UP" state. The connection state is either "PENDING_ON" or "OFF".

Possible causes

  • The local mode in the device SCP configuration is different from Peer Role in the SXP Devices section on ISE. For example, local mode configured on the device is listener and the Peer Role on ISE is both or speaker.
  • You are unable to ping ISE from the device, especially when SCP is configured for a particular VRF.

Solution

Device-side checks

  1. Check the local mode configured on the device.sh 
    run | s sxp
    The command output is as follows: 
    cts sxp enable
    cts sxp connection peer peer-ipv4-addr [ source src-ipv4-addr ] password { default | none] mode { local | peer } {speaker | listener } [ vrf vrf-name ]

     

  2. Verify whether the SXP connection between the device and ISE is on. 
    sh cts sxp connections
    Or, in the case of VRF: 
    sh cts sxp connections vrf <VRF name>

    The output of thee command should show the connection status as "ON".

    9500BR#sh cts sxp connections vrf WIRED
SXP : Enabled
Highest Version Supported: 4
Default Password : Not Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 172.18.202.4
Source IP : 20.20.20.254
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 1
TCP conn fd : 3
TCP conn password: none
Hold timer is running
Duration since last state change: 0:23:55:59 (dd:hr:mm:sec)

     

ISE-side Configuration

  1. On ISE, navigate to WorkcentersTrustSec > SXP.
  2. Configure the device by clicking Add. Make sure thee Peer role is the same as the local mode defined on the device.

After a few minutes, the status should show as ON.

For example,

Recommended Actions

If the SXP connection between the device and ISE is not in the UP state after the above-mentioned verification and configuration steps, open a TAC case to further troubleshoot the issue. Please provide the output of the verification commands while opening the case.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
li.common.scroll-to.top