@ryanbess the list of ports is under the External Identity Sources and Resources (Outbound) section of the guide below:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7...
@John Bautista is ESP blocked between the peers (a packet capture will confirm this)?
192.100.0.0/16 is not a private network; I assume you meant a public network.
@John Bautista so on one side the encaps counters are increasing; are the decaps counters increasing on the other side? Provide the output of "show crypto ipsec sa" from both sides for comparison.
Is this static route correct? route Site_B 192.100.0.0 2...
@CCC3 only replacing the admin certificate requires the ISE application services to restart. Renewing the EAP authentication certificate will not require downtime.