Beginner

Cisco Security manager Integration with Cisco ISE for Security group Tag resolution

Hi,

I am trying to integrate Cisco CSM to ISE so that I can resolve the security group tags from CSM.

I understand that in order to be able to retrieve the group tags with a search name/tag in "Security group selector" we need to configure ISE Settings under "CSM > Tools > Security Manager Administration > ISE Settings"

This is as per Cisco's Documentation for CSM:

https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/syspage.html#34637

However, when I enter the ISE IP and Credentials in this page and click on Test Connectivity, it fails and gives an error message "Unable to establish the connection. Please verify that the IP address, username, password are correct."

My first thought was that CSM was failing to communicate with ISE. So, I checked if there was any firewall block for this communication. There wasn't any firewall block for this. I did a packet capture and found that CSM is trying to communicate with ISE on port 443. After the initial TCP handshake, I get a handshake failure for TLS v1.2 from ISE and then the connection is torn down.

I am trying to understand if there is any configuration needed on ISE for this? Any help would be appreciated. 

Thank you,

Rohit.

3 REPLIES
Hall of Fame Master

Re: Cisco Security manager Integration with Cisco ISE for Security group Tag resolution

It could be a bug / TLS compatibility issue. I'd recommend opening a TAC case since the ISE compatibility matrices don't list CSM (any version) as compatible despite what the CSM documentation indicates.

https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

We had the same thing a while back with ISE and Prime Infrastructure. ISE (2.0 if I recall correctly) locked down TLS to 1.2 only while PI was still only able to talk TLS 1.1. It wasn't until PI (3.0 or 3.1 if I recall correctly) added TLS 1.2 support that integration worked once again.
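
For reading a capture like the one described in this thread, the following sketch decodes a ClientHello's offered version and cipher suites and the peer's TLS alert. It is an added example, not code from any poster or from Cisco; the sample bytes and the `_client_hello` helper are constructed for illustration and do not reproduce the poster's capture.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def parse_record(data: bytes) -> dict:
    """Decode one TLS record holding either an alert or a ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 21 and length == 2:            # alert: level, description
        return {"type": "alert", "fatal": body[0] == 2,
                "description": ALERTS.get(body[1], f"alert_{body[1]}")}
    if ctype == 22 and body[:1] == b"\x01":    # handshake record, ClientHello
        try:
            # Layout: msg type (1), length (3), client_version (2), random (32)
            (ver,) = struct.unpack_from("!H", body, 4)
            pos = 38
            pos += 1 + body[pos]               # skip session_id
            (cs_len,) = struct.unpack_from("!H", body, pos)
            suites = struct.unpack_from(f"!{cs_len // 2}H", body, pos + 2)
        except (struct.error, IndexError):
            raise ValueError("truncated ClientHello") from None
        # client_version is the legacy field; extensions are not parsed here.
        return {"type": "client_hello",
                "client_version": VERSIONS.get(ver, hex(ver)),
                "cipher_suites": [f"0x{s:04x}" for s in suites]}
    raise ValueError(f"unsupported record type {ctype}")

def _client_hello(version: int, suites: list) -> bytes:
    """Build a minimal ClientHello record (hypothetical helper for the sample)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

# Constructed sample: a client offering TLS 1.1 with two RSA/CBC suites,
# answered by a fatal handshake_failure alert.
SAMPLE_HELLO = _client_hello(0x0302, [0x002F, 0x0035])
SAMPLE_ALERT = bytes.fromhex("15030300020228")

if __name__ == "__main__":
    print(parse_record(SAMPLE_HELLO))
    print(parse_record(SAMPLE_ALERT))
```

Comparing the decoded version and cipher suites with what the server is configured to accept shows whether the failure is a protocol-version or cipher mismatch.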

Contributor

Re: Cisco Security manager Integration with Cisco ISE for Security group Tag resolution

CSCvg18306

Hall of Fame Master

Re: Cisco Security manager Integration with Cisco ISE for Security group Tag resolution

Thanks for providing the BugID @Peter Koltl