Cisco ISE update errors

In this post I'll cover the steps you can take to troubleshoot Cisco ISE posture update failures or client package download errors. You may see these errors on a fully functioning system after a major upgrade or after importing a trusted root/intermediate certificate. The error messages differ, but they all indicate some type of connectivity issue.

Posture update error

ISE posture update error

Client package download error

ISE download remote resource error

Components:
Cisco ISE: 2.0.0.306 Patch 1

First, rule out any network or security related issues.

  • Verify Policy Administration Node (PAN) can resolve DNS and ping out

pan01/admin# ping www.cisco.com
PING e144.dscb.akamaiedge.net (104.70.53.180) 56(84) bytes of data.
64 bytes from 104.70.53.180: icmp_seq=1 ttl=58 time=1.37 ms
64 bytes from 104.70.53.180: icmp_seq=2 ttl=58 time=1.56 ms
64 bytes from 104.70.53.180: icmp_seq=3 ttl=58 time=1.35 ms
64 bytes from 104.70.53.180: icmp_seq=4 ttl=58 time=1.23 ms

  • Verify PAN can access www.cisco.com on port 80

pan01/admin# telnet www.cisco.com port 80
Trying 104.70.53.180...
Connected to www.cisco.com.
Escape character is '^]'.
q
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 216
Expires: Fri, 20 Nov 2015 21:21:46 GMT
Date: Fri, 20 Nov 2015 21:21:46 GMT
Connection: close

  • Verify ISE proxy settings under Administration > System > Settings > Proxy.

I do not have any, but if you do, make sure they are correct.

ISE proxy settings

  • Run packet capture on Internet firewall while attempting the update.

Confirm the packets are making it to the firewall, that they are being properly NATed, and that two-way communication is established.

Once all the network and security settings are verified, it is time to take a packet capture on the PAN under Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump. Start the capture while attempting the service update and save it after the update fails.

Packet analysis with Wireshark can be intimidating, but not this time. Zoom in on the conversation in Wireshark by going to Statistics > Conversations > IPv4. Select the conversation between the PAN IP and the public IP address; there should only be a few. Right click and select Apply as Filter > Selected > A<->B.

Wireshark conversation filter

Filtering by conversation pair in Wireshark may reveal the real problem: an untrusted certificate. As you can see, the error is very intuitive and simple to spot.

ISE posture feed certificate error

Browsing directly to the IP address from a web browser reveals the common name www.perfigo.com (the old Cisco NAC product) and the signing authority Thawte SSL CA – G2.

ISE perfigo certificate
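To make the two findings above reproducible outside the ISE GUI, here is an added example (not code from the original post or from Cisco). It assumes the failed update appears in the PAN capture as a TLS Alert record that ISE sends after the server's Certificate message (the unknown_ca case), and that the TCP stream has been exported from Wireshark as raw bytes. The first part decodes the TLS records of such an export and pulls out fatal alerts; the second part is a live check you can run from a workstation against the update host with the same CA bundle the PAN trusts, to see the presented certificate's CN and issuer or the exact verification error. The sample payload is constructed, with handshake bodies cut down to their 4-byte headers.

```python
"""Decode TLS records from a captured stream and check an update server's certificate."""
import socket
import ssl

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}

# Handshake message types worth naming when reading a failed exchange
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Alert descriptions (RFC 5246, section 7.2); the certificate-related ones are
# the usual culprits after a trust-store change on the PAN
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 44: "certificate_revoked",
                      45: "certificate_expired", 46: "certificate_unknown",
                      47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
                      50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error",
                      90: "user_canceled", 100: "no_renegotiation",
                      110: "unsupported_extension"}

# Constructed sample: ClientHello, ServerHello, Certificate, then a fatal
# unknown_ca alert (content type 0x15, level 2, description 48)
SAMPLE_PAYLOAD = bytes.fromhex(
    "1603010004" "01000000"
    "1603030004" "02000000"
    "1603030004" "0b000000"
    "1503030002" "0230"
)


def decode_tls_records(payload: bytes) -> list:
    """Walk the 5-byte TLS record headers in payload and describe each record."""
    records = []
    offset = 0
    while offset + 5 <= len(payload):
        ctype = payload[offset]
        major, minor = payload[offset + 1], payload[offset + 2]
        length = int.from_bytes(payload[offset + 3:offset + 5], "big")
        body = payload[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than misparse the tail
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown(0x{ctype:02x})"),
               "version": f"{major}.{minor}"}
        if ctype == 0x16 and body:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], f"type {body[0]}")
        elif ctype == 0x15 and len(body) >= 2:
            rec["level"] = ALERT_LEVELS.get(body[0], str(body[0]))
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], f"code {body[1]}")
        records.append(rec)
        offset += 5 + length
    return records


def fatal_alerts(records: list) -> list:
    """Return the descriptions of all fatal alerts, e.g. ['unknown_ca']."""
    return [r["description"] for r in records
            if r.get("type") == "alert" and r.get("level") == "fatal"]


def check_update_server(host: str, port: int = 443, cafile: str = None) -> dict:
    """Live check from a workstation: report the presented certificate's subject CN
    and issuer CN, or the verification error. Pass the CA bundle the PAN trusts as
    cafile to reproduce the PAN's view of the chain (assumed workflow, see lead-in)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message}
    subject = dict(x[0] for x in cert["subject"])
    issuer = dict(x[0] for x in cert["issuer"])
    return {"ok": True, "cn": subject.get("commonName"),
            "issuer": issuer.get("commonName")}


if __name__ == "__main__":
    recs = decode_tls_records(SAMPLE_PAYLOAD)
    for r in recs:
        print(r)
    print("fatal alerts:", fatal_alerts(recs))
    # Uncomment to run the live check against the update host seen in the capture:
    # print(check_update_server("www.perfigo.com", cafile="pan-trusted-bundle.pem"))
```

A fatal unknown_ca alert sent by the PAN side of the conversation, immediately after the server's Certificate message, is the packet-level equivalent of the screenshot above: the server is reachable and the handshake starts, but the PAN refuses the chain. If the live check with the PAN's bundle fails while it succeeds with the system default store, the problem is in the ISE trust store rather than on the network.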

Now it is time to check this certificate under Administration > System > Certificates > Trusted Certificates and validate its settings. Most likely the Trust for authentication of Cisco Services check box will be unchecked.

ISE trusted certificate settings

If all the settings are correct, just export this certificate and re-import it into the PAN, making sure to check the Trust for authentication of Cisco Services check box. Then manually restart the services on the PAN from the command line with application stop ise followed by application start ise.

Takeaways:

  • Always check network and security settings before going deep into debugs and packet captures
  • Wireshark is your friend. Sometimes it does not take much to spot the answer.
