WLC (software) cannot get SGT tags from CTS SXP listener

Lucifer
Level 1

Greetings,

I have deployed the software version of a WLC. Everything seems fine; however, endpoints do not get ISE security tags. I found that the WLC is not establishing the connection (I edited the IPs below):

(Cisco Controller) >show cts sxp connections

Total num of SXP Connections..................... 1
SXP State........................................ Enable

Peer IP            Source IP           Connection Status
---------------    ---------------     -----------------
x.x.x.x            x.x.x.x             Off

The debug from the WLC shows the following:
*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: sxp_process_message_event = CTS_SXPMSG_TIMER_EXPIRY

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: ph_retry_open_timer

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: ph_retry_open_timer retry timer stopped

*SXP CORE: Feb 20 14:48:51.383: SXP-INTERNAL: cdb_get_next_entry

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: cdb_get_next_entry: cdb_access_end is 0 and cdb_entry_index is 2

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: retry conn setup; conn index = 1

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: sh_re_setup_conn conn_index = 1

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: conn_cleanup <-1>

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: sxp_socket_open vrf:, tablied:0x0 src_ip =  10.100.83.231

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: SXP SCM: socket open fd = 78

*SXP CORE: Feb 20 14:48:51.383: SXP-INTERNAL: sxp_fd_hash_table_entry_add -- fd_ht index is  --0 and cur_dll_entry 0x7f6fa871bb58

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: sxpStoreConnectionfd: storing fd 78 at 1 in global socket

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: ph_send_open <1> fd: 78

*SXP CORE: Feb 20 14:48:51.383: SXP-INTERNAL: sxp_fd_hash_table_entry_find cdbp 1

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: sxp_socket_upd_md5_option peer IP  Address is 150.0.0.10

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: get_conn_passwd_info

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: SXP SCM: before setsockopt status:0, fd:78;errno = 115, Operation now in progress

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: SXP SCM: setsockopt status:0, fd:78;errno = 115, Operation now in progress

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: SXP SCM: setsockopt status:0, my_listen_fd:77;errno = 115, Operation now in progress

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: SXP SCM: socket_connect result:-1, fd:78;errno = 115, Operation now in progress

*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: SXP SCM: socket_connect in progress

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: SXP SCM: select rc :0, fd:78

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: SXP SCM: connect timeout rc:0, fd:78;

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: conn_cleanup <78>

*SXP CORE: Feb 20 14:48:53.391: SXP-INTERNAL: sxp_fd_hash_table_entry_find cdbp 1

*SXP CORE: Feb 20 14:48:53.391: SXP-INTERNAL: sxp_fd_hash_table_entry_find cdbp 1

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: conn_cleanup: Closed the sock FD <78> cdbp 0x7f6f442daf68

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: Removing SXP fd <78> from Global DB for ci 1, ver:2

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: free_conn_buffers

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: conn_cleanup retry timer started

*SXP CORE: Feb 20 14:48:53.391: SXP-INTERNAL: cdb_get_next_entry

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: cdb_get_next_entry: cdb_access_end is 1 and cdb_entry_index is 2

*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: ph_retry_open_timer retry timer started

The listener is our distribution switch:
DS-WiFi-CR05R026#sh cts sxp connections | b x.x.x.x

Peer IP          : x.x.x.x

Source IP        : x.x.x.x

Conn status      : Off (Speaker) :: Off (Listener)

Conn version     : 4

Local mode       : Both

Connection inst# : 1

TCP conn fd      : -1(Speaker) -1(Listener)

TCP conn password: default SXP password

Duration since last state change: 0:00:00:45 (dd:hr:mm:sec) :: 0:00:00:45 (dd:hr:mm:sec)

Logs from the listener switch:

*Feb 20 07:39:09.602: %TCP-6-BADAUTH: No MD5 digest from x.x.x.x (49720) to x.x.x.x(64999) tableid - 0

*Feb 20 07:40:37.309: %CTS-3-SXP_CONN_STATE_CHG_OFF: Connection <x.x.x.x, x.x.x.x>-1 state changed from Pending_On to Off.

Also note that there is an ASA firewall between them. A policy was created to allow tcp/64999 bidirectionally, and I followed the instructions in the article below to allow CTS SXP to pass through the firewall:
https://community.cisco.com/t5/security-documents/sxp-through-a-cisco-asa-firewall/ta-p/3647544

Thanks in advance, guys.
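The two outputs in the post describe one failure from both sides: the WLC's connect() never completes ("connect timeout" in the SXP debug), while the listener switch logs %TCP-6-BADAUTH with "No MD5 digest", meaning the SYN arrived without the TCP MD5 signature option (RFC 2385, option kind 19) that the listener expects because it has an SXP password configured. The script below is an added example written for this thread, not code from the poster or from Cisco. It correlates the speaker-side debug with the listener syslog and reports the likely cause, so the same check can be run against a future export of both logs. The embedded sample lines are constructed from the post's output with addresses from the 192.0.2.0/24 documentation range substituted for the masked ones; the verdict labels and the handling of the "Invalid MD5 digest" variant (which the post does not show) are this example's own assumptions.

```python
"""Correlate a WLC's SXP debug with the listener switch's syslog.

Added example for this thread, not code from the poster or from Cisco.
Sample data is constructed: 192.0.2.x stands in for the masked addresses.
"""
import re
from dataclasses import dataclass, field

SXP_PORT = 64999  # SXP's well-known TCP port, as seen in the listener log

# Constructed sample: the speaker-side (WLC) debug, abridged from the post.
WLC_DEBUG = """\
*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: sxp_socket_upd_md5_option peer IP  Address is 192.0.2.10
*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: get_conn_passwd_info
*SXP CORE: Feb 20 14:48:51.383: SXP-CONNECTION: SXP SCM: socket_connect result:-1, fd:78;errno = 115, Operation now in progress
*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: SXP SCM: connect timeout rc:0, fd:78;
*SXP CORE: Feb 20 14:48:53.391: SXP-CONNECTION: conn_cleanup retry timer started
"""

# Constructed sample: the listener switch's syslog, modelled on the post.
LISTENER_SYSLOG = """\
*Feb 20 07:39:09.602: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.20 (49720) to 192.0.2.10(64999) tableid - 0
*Feb 20 07:40:37.309: %CTS-3-SXP_CONN_STATE_CHG_OFF: Connection <192.0.2.20, 192.0.2.10>-1 state changed from Pending_On to Off.
"""

BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (?P<reason>No MD5 digest|Invalid MD5 digest) from "
    r"(?P<src>\S+) \((?P<sport>\d+)\) to (?P<dst>\S+)\((?P<dport>\d+)\)"
)
CONNECT_TIMEOUT_RE = re.compile(r"SXP SCM: connect timeout rc:\d+, fd:\d+")
STATE_OFF_RE = re.compile(
    r"%CTS-3-SXP_CONN_STATE_CHG_OFF: Connection <(?P<peer>[^,]+), (?P<local>[^>]+)>"
)

# Verdict labels are this example's own, not Cisco terminology.
EXPLANATIONS = {
    "tcp_md5_option_missing": (
        "SYN reaches the listener without a TCP MD5 signature option (RFC 2385, "
        "kind 19), so the listener drops it and the speaker's connect() times out. "
        "Either the speaker has no SXP password configured while the listener "
        "expects one, or a device in the path (the ASA) clears the TCP MD5 option."
    ),
    "tcp_md5_password_mismatch": (
        "Both ends send a TCP MD5 option but the digest does not verify: "
        "the SXP passwords differ."
    ),
    "no_tcp_reachability": (
        "Speaker's connect() times out and the listener logs no TCP authentication "
        "failure: the SYN or SYN/ACK is dropped or misrouted before TCP auth."
    ),
    "no_fault_pattern": "No known failure signature found in the supplied lines.",
}


@dataclass
class SxpTriage:
    speaker_connect_timeouts: int = 0
    listener_badauth: list = field(default_factory=list)   # (reason, src, dport)
    listener_state_off: list = field(default_factory=list)  # (peer, local)
    verdict: str = "no_fault_pattern"

    @property
    def explanation(self) -> str:
        return EXPLANATIONS[self.verdict]


def triage(speaker_debug: str, listener_syslog: str) -> SxpTriage:
    """Classify the SXP failure from the speaker debug and listener syslog."""
    t = SxpTriage()
    for line in speaker_debug.splitlines():
        if CONNECT_TIMEOUT_RE.search(line):
            t.speaker_connect_timeouts += 1
    for line in listener_syslog.splitlines():
        m = BADAUTH_RE.search(line)
        if m:
            t.listener_badauth.append((m["reason"], m["src"], int(m["dport"])))
            continue
        m = STATE_OFF_RE.search(line)
        if m:
            t.listener_state_off.append((m["peer"].strip(), m["local"].strip()))

    # Only BADAUTH events aimed at the SXP port belong to this session.
    sxp_badauth = [b for b in t.listener_badauth if b[2] == SXP_PORT]
    if sxp_badauth and t.speaker_connect_timeouts:
        reasons = {reason for reason, _, _ in sxp_badauth}
        t.verdict = ("tcp_md5_option_missing" if "No MD5 digest" in reasons
                     else "tcp_md5_password_mismatch")
    elif t.speaker_connect_timeouts:
        t.verdict = "no_tcp_reachability"
    return t


if __name__ == "__main__":
    result = triage(WLC_DEBUG, LISTENER_SYSLOG)
    print(result.verdict)
    print(result.explanation)
```

Run against the sample data the verdict is tcp_md5_option_missing, which is exactly the combination in the post: the listener's "TCP conn password: default SXP password" shows it expects the MD5 option, and the ASA article linked above exists because an ASA clears that option unless told to permit it. Checking the speaker's SXP password configuration and the firewall's handling of TCP option 19 are therefore the two places to look before anything else.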
