Beginner

FMC 6.2 ISE 2.2 integration

Hi all,

Integration between FMC and ISE fails when testing.

I see the below errors in the logs after a successful SSL handshake:

 

Captured Jabberwerx log:2017-10-13T10:37:52 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ISE-1.cn.aura:8910/pxgrid/mnt/sd/getSessionListByTime'
Captured Jabberwerx log:2017-10-13T10:37:52 [ ERROR]: curl_easy_perform() failed: (6) Couldn't resolve host name at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240

 

It seems to be a DNS resolution problem, but the FMC resolves the ISE hostname.

A detailed log file is attached.

Thank you for your help.

6 REPLIES
Beginner

Re: FMC 6.2 ISE 2.2 integration

Do you have any solution for this problem?
Beginner

Re: FMC 6.2 ISE 2.2 integration

The problem disappeared after I synced the two (FMC and ISE) with the same NTP server.

Beginner

Re: FMC 6.2 ISE 2.2 integration

Now I have this problem. Currently I'm using a self-signed certificate on ISE and importing it to FMC.

Queried 1 bulk download hostnames:ISE.ddpg.com:8910
...successfully connected to ISE server.
Starting bulk download
Captured Jabberwerx log:2017-11-13T07:36:45 [    INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ISE.ddpg.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Starting SSL Handshake, SSL state:before/connect initialization
Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x5A0860370000000071E91C75D3E246CE', issued by 'CN = ISE.ddpg.com', to 'CN = ISE.ddpg.com'
...because SSL negotiation encountered error: self signed certificate
...while validating this entry in the certificate chain: Certificate with Serial Number '0x5A0860370000000071E91C75D3E246CE', issued by 'CN = ISE.ddpg.com', to 'CN = ISE.ddpg.com'
Sending SSL alert:unknown CA
Sending SSL alert:close notify
Captured Jabberwerx log:2017-11-13T07:36:45 [   ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
bulk download iter next failed REST errorPeer certificate cannot be authenticated with given CA certificates
Failed to validate bulk download.
disconnecting pxgrid

Beginner

Re: FMC 6.2 ISE 2.2 integration

It seems like a certificate authentication problem. Did you check the ISE/FMC docs about the integration using self-signed certs?
It is recommended to use CA certs; you can generate one using the CSR file retrieved from your ISE.
Certs must be for both server and client authentication (in the Enhanced Key Usage).

Don't forget to upload the root certificate too.

Beginner

Re: FMC 6.2 ISE 2.2 integration

Actually, I found out what the problem is. For the FMC side, I need to set the CN to the FQDN; only then can FMC and ISE communicate. Thanks for your help too.

Beginner

Re: FMC 6.2 ISE 2.2 integration

Good :)
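
The triage the thread walks through, as an added example that is not part of any post above and is not Cisco code: it reads pxGrid bulk-download log lines in the format quoted in the thread, pulls out the libcurl result code (6 is could-not-resolve-host, 60 is peer certificate verification failure), and attaches the checks the posters reported for each case. The hostnames, the sample lines and the `triage` function name are constructed for illustration.

```python
import re

# Checks raised in the thread, keyed by the libcurl result code in the log line.
CHECKS = {
    6: ["confirm the FMC resolves the ISE FQDN used in the pxGrid URL",
        "sync FMC and ISE to the same NTP server"],
    60: ["use CA-issued certs with server and client authentication EKU",
         "upload the issuing root certificate",
         "set the FMC certificate CN to its FQDN"],
}
URL_RE = re.compile(r"CURLOPT_URL: 'https://([^:/']+)")
FAIL_RE = re.compile(r"curl_easy_perform\(\) failed: \((\d+)\) (.+?) at file ")
SSL_RE = re.compile(r"SSL negotiation encountered error: (.+)")
CERT_RE = re.compile(r"issued by '([^']+)', to '([^']+)'")

def triage(lines):
    """Return one finding per failed pxGrid bulk-download request."""
    findings, host, ssl_error, self_issued = [], None, None, False
    for line in lines:
        if m := URL_RE.search(line):          # a new request starts: reset context
            host, ssl_error, self_issued = m.group(1), None, False
        if m := SSL_RE.search(line):
            ssl_error = m.group(1).strip()
        if m := CERT_RE.search(line):         # issuer == subject means self-issued
            self_issued = self_issued or m.group(1) == m.group(2)
        if m := FAIL_RE.search(line):
            code = int(m.group(1))
            findings.append({
                "host": host, "curl_code": code, "message": m.group(2),
                "ssl_error": ssl_error, "self_issued": self_issued,
                "checks": CHECKS.get(code, ["unmapped curl code: read the full log"]),
            })
    return findings

# Constructed sample, modelled on the log format quoted in the thread.
SAMPLE = """\
Captured Jabberwerx log:2017-01-01T00:00:00 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ise1.example.test:8910/pxgrid/mnt/sd/getSessionListByTime'
Captured Jabberwerx log:2017-01-01T00:00:00 [ ERROR]: curl_easy_perform() failed: (6) Couldn't resolve host name at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
Captured Jabberwerx log:2017-01-02T00:00:00 [    INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ise2.example.test:8910/pxgrid/mnt/sd/getSessionListByTime'
Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x01', issued by 'CN = ise2.example.test', to 'CN = ise2.example.test'
...because SSL negotiation encountered error: self signed certificate
Captured Jabberwerx log:2017-01-02T00:00:00 [   ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```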