I am trying to integrate Cisco CSM to ISE so that I can resolve the security group tags from CSM.
I understand that in order to be able to retrieve the group tags with a search name/tag in "Security group selector" we need to configure ISE Settings under "CSM > Tools > Security Manager Administration > ISE Settings".
This is as per Cisco's documentation for CSM:
However, when I enter the ISE IP and credentials on this page and click on Test Connectivity, it fails and gives the error message "Unable to establish the connection. Please verify that the IP address, username, password are correct."
My first thought was that CSM was failing to communicate with ISE. So, I checked if there was any firewall block for this communication. There wasn't any firewall block for this. I did a packet capture and found that CSM is trying to communicate with ISE on port 443. After the initial TCP handshake, I get a handshake failure for TLS v1.2 from ISE and then the connection is torn down.
I am trying to understand if there is any configuration needed on ISE for this? Any help would be appreciated.
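One way to confirm from the capture exactly what CSM offered and what ISE answered before opening a case, as an added example that is not part of the original post: a small decoder for the two TLS records involved, the ClientHello (legacy version, cipher suites, supported_versions extension) and the Alert. The byte samples are constructed, not taken from the thread's capture; feed it the record bytes exported from your own pcap instead.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_record(data: bytes) -> dict:
    """Decode one TLS record: an Alert (type 21) or a ClientHello (handshake type 1)."""
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 21:
        return {"type": "alert", "level": "fatal" if body[0] == 2 else "warning",
                "description": ALERTS.get(body[1], f"unknown({body[1]})")}
    if ctype == 22 and body[0] == 1:
        return {"type": "client_hello", **parse_client_hello(body[4:])}
    return {"type": f"unsupported({ctype})"}

def parse_client_hello(h: bytes) -> dict:
    """Extract legacy version, cipher suites and the supported_versions extension (type 43)."""
    version = struct.unpack("!H", h[:2])[0]
    pos = 2 + 32 + 1 + h[34]                       # skip legacy_version, random, session_id
    cs_len = struct.unpack("!H", h[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", h[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len + 1 + h[pos + cs_len]            # skip cipher_suites, compression_methods
    supported = []
    if pos + 2 <= len(h):                          # extensions block is optional
        ext_len = struct.unpack("!H", h[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", h[pos:pos + 4])
            pos += 4
            if etype == 43:                        # 1-byte list length, then 2-byte versions
                raw = h[pos + 1:pos + 1 + h[pos]]
                supported = [TLS_VERSIONS.get(v, hex(v)) for v in struct.unpack(f"!{len(raw) // 2}H", raw)]
            pos += elen
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "cipher_suites": [SUITES.get(s, f"0x{s:04x}") for s in suites],
            "supported_versions": supported}

# Constructed samples (not the thread's capture): a fatal handshake_failure alert and a
# minimal TLS 1.2 ClientHello offering two suites, the shape a client such as CSM would send.
SAMPLE_ALERT = bytes.fromhex("15 03 03 00 02 02 28")

def build_sample_client_hello() -> bytes:
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # TLS 1.2, zeroed random, no session id
            + b"\x00\x04\xc0\x2f\x00\x2f"                # cipher_suites: 0xC02F, 0x002F
            + b"\x01\x00"                                # compression_methods: null only
            + b"\x00\x07\x00\x2b\x00\x03\x02\x03\x03")   # supported_versions extension = [TLS 1.2]
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake header: type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # record: Handshake, legacy version 3.1
```

If the decoded ClientHello shows only TLS 1.2 suites ISE does not enable, or the server alert is protocol_version rather than handshake_failure, that narrows the mismatch to cipher configuration versus protocol version.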
It could be a bug / TLS compatibility issue. I'd recommend opening a TAC case since the ISE compatibility matrices don't list CSM (any version) as compatible despite what the CSM documentation indicates.
We had the same thing a while back with ISE and Prime Infrastructure. ISE (2.0 if I recall correctly) locked down TLS to 1.2 only while PI was still only able to talk TLS 1.1. It wasn't until PI (3.0 or 3.1 if I recall correctly) added TLS 1.2 support that integration worked once again.