ISE 1.2 Posture Update Issue

Answered Question
Apr 28th, 2014

In ISE 1.2, the message below is shown when we do a web posture update, either manual or automatic.

"Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured".

It was working fine for a long time and all of a sudden it stopped working,
and no changes have been made on the network side.
https://www.cisco.com/web/secure/pmbu/posture-update.xml is working in the browser.

A few customers had reported the same. The boxes are installed with the latest patch version 7.

We can upload the updates through offline mode.

Correct Answer
mcrukshanfdo Mon, 04/28/2014 - 13:39

I have experienced the same issue. Both the posture update feed URLs

1. https://www.cisco.com/web/secure/pmbu/posture-update.xml

2. https://www.perfigo.com/ise/posture-update.xml

give the same error when the ISE boxes try to do the updates. But these URLs are accessible from outside.

A TCP dump taken from a box shows a "Certificate unknown" alert (when it tries to update) for the certificate received from the other end. Then the ISE box sends a (FIN, ACK) and terminates the session.

The relevant pcap file is attached.


descalante2007 Wed, 05/14/2014 - 16:34

Recently I had the same issue. The dump clearly indicates a problem with a certificate, so I was able to fix it by re-enabling all the factory certificates in the Certificate Store.

First I tried re-enabling them one by one, but as I got the same result I tried re-enabling all of them at the same time.

Regards.

rtanner Tue, 03/08/2016 - 13:57

I had the same issue on ISE 1.3 and 1.4 just now.

I resolved it by adding the Root CA (Geotrust) into the trusted certificates. I had to put the URL in my browser to determine who had issued the cert in the first place, then went to their website to get it, since it wasn't in the ISE to begin with. 
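
The diagnosis in the replies above (the feed server's certificate is rejected because its issuing root is not in the trusted store, and adding that root fixes it), reproduced offline as an added example that is not from the thread or from Cisco. It uses the `openssl` CLI with a constructed throwaway PKI; the CA names, `feed.example.test` and all file names are made up for the demo.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: every name and file below is made up for this demo.
WORK=$(mktemp -d)

# Create a root CA, an unrelated CA, and a feed-server cert issued by the root.
make_demo_pki() {
  for ca in root other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/O=Demo/CN=Demo $ca CA" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=feed.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a CA in trust bundle $1.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the issuer DN of certificate $1: the CA that has to be trusted.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Trust bundle without the issuing root: the situation described in the thread.
make_demo_pki || { echo "openssl failed" >&2; exit 1; }
if chain_trusted "$WORK/other.pem" "$WORK/leaf.pem"; then
  echo "unexpected: chain validated"
else
  echo "validation fails; missing issuer: $(issuer_of "$WORK/leaf.pem")"
fi

# Add the issuing root to the bundle, the equivalent of the fix in the replies.
cat "$WORK/other.pem" "$WORK/root.pem" > "$WORK/fixed.pem"
chain_trusted "$WORK/fixed.pem" "$WORK/leaf.pem" && echo "chain validates"
```

Against a real feed host, the certificate to check is the one the server presents, which `openssl s_client -connect <host>:443 -showcerts` prints.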
