In this post I’ll cover the steps you can take to troubleshoot Cisco ISE posture update failures or client package download errors. You may see these errors on fully functioning system post major upgrade or after importing trusted root/intermediate certificate. Error messages will be different but they all will indicate some type of connectivity issue.
Posture update error
Client package download error
Components:
Cisco ISE: 2.0.0.306 Patch 1
At first, we need to rule out any network/security related issues.
- Verify Policy Administration Node (PAN) can resolve DNS and ping out
pan01/admin# ping www.cisco.com
PING e144.dscb.akamaiedge.net (104.70.53.180) 56(84) bytes of data.
64 bytes from 104.70.53.180: icmp_seq=1 ttl=58 time=1.37 ms
64 bytes from 104.70.53.180: icmp_seq=2 ttl=58 time=1.56 ms
64 bytes from 104.70.53.180: icmp_seq=3 ttl=58 time=1.35 ms
64 bytes from 104.70.53.180: icmp_seq=4 ttl=58 time=1.23 ms
- Verify PAN can access www.cisco.com on port 80
pan01/admin# telnet www.cisco.com port 80
Trying 104.70.53.180…
Connected to www.cisco.com.
Escape character is ‘^]’.
q
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 216
Expires: Fri, 20 Nov 2015 21:21:46 GMT
Date: Fri, 20 Nov 2015 21:21:46 GMT
Connection: close
- Verify ISE proxy settings under Administration > System > Settings > Proxy.
I do not have any but if you do make sure they are correct.
- Run packet capture on Internet firewall while attempting the update.
Confirm packets are making to the firewall, being properly NATed and two-way communication established.
Once all the network and security settings verified it is time to take packet capture on the PAN under Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump. Start capture while attempting service update and save it after it fails.
Packet analysis with Wireshark can be intimidating but not this time. Zoom into conversation on Wireshark by going to Statistics > Conversation > IPv4. Select conversation between PAN IP and public IP address, there should only be a few. Right click, select Apply as Filter > Selected > A<>B.
Filtering by conversation pair on Wireshark may reveal an interesting fact about untrusted certificate. As you can see the error is very intuitive and simple to spot.
Going directly to IP from web browser will reveal common name www.perfigo.com (old Cisco NAC) and signing authority Thawte SSL CA – G2.
Now it is time to check this certificate under Administration > System > Certificates > Trusted Certificates and validate the settings. Most likely it will be missing Trust for authentication of Cisco Services check box.
If all the settings are correct just export this certificate and re-import it back into PAN. Make sure and check Trust for authentication of Cisco Services check box. Manually restart the services on PAN from the command line with command application stop ise and application start ise.
Takeaways:
- Always check network and security settings before going deep into debugs and packet captures
- Wireshark is your friend. Sometimes it does not take much to spot the answer.