Let’s see how DNA and ISE talk together… and when it goes wrong.

What versions are we on? DNA 1.1 / 1.2.6 ISE 2.3 / 2.4.

DNAC to ISE Diagram.

ERS gets the policies and updates them as needed when you make policy changes on DNA. PXGrid is the push, it pushes changes to DNAC related to SGTs. Making policy changes in ISE will not push to DNAC.

ISE ERS API - The policy downloader.

ISE offers it’s API called ERS. This is the API DNA exchanges policy information with DNA. Tags are exchanged through PXGrid. You must have it enabled,

Here’s how to confirm ERS is enabled on ISE.

just be what you need to clear bad state and bring it online.

DNA to ISE Health and Troubleshooting

Your primary symptom with PXGrid down is going to be that your SGTs do not show up on the DNA system when you add them to ISE they are not in sync. If this is offline it means that it cannot subscribe to PXGrid.

Here’s what DNA shows in System 360 about the health of ISE API and PXGrid. Warning: It’s sometimes wrong from experience. I trust the ISE side.

Here’s what Pxgrid should show you on ISE when DNA is active. Notice the word “online” - that is the important part. The second part is that there are 2 Subscriptions under Capability. If your service in online but those are missing, you need to rebuild your DNA integration(under DNA - Authentication Servers, just enter the password and hit save. The password is the CLI Authentication of the user that you are integrating with)

If PXGrid DNAC shows offline, the simplest test is to delete the PXGrid subscription from ISE, and then go to DNAC and re-enter credentials under the ISE integration section here. It will rebuild the DNAC PXGrid in the process. It won’t change any preshared keys or affect your inventory or fabric. Also, this process relies on a CLI login to the ISE server to setup some trusts, it’s not all API. Enter the password in the circled area. The others are just sanitized IPs.

If that doesn’t fix it, we have to go deeper.

Deeper into DNA’s Identity Service

The process of DNA connecting to ISE ERS API are in a docker container on DNA called identity-manager-pxgrid-service. Here’s how to kick start DNA and tail some logs of what’s going on. Let’s restart it, and tail it’s logs to follow as it makes ERS queries, and tries to connect to PXGrid.

$ magctl service restart identity-manager-pxgrid-service

Now, let’s tail the logs as it restarts

$ magctl service logs -rf identity-manager-pxgrid-service

After about 10 minutes… wait for it… it will start downloading from the ERS API and connecting to PXGrid. Here’s where it’s connecting to ERS, this is your policy data download.

2018-12-04 17:30:07,346 |   INFO | Thread-58                 | identity-manager-pxgrid-service | c.c.a.common.ers.client.ErsGetAll | Making GET api call: /ers/config/sgacl?page=1&size=50 | 
2018-12-04 17:30:07,690 |   INFO | Thread-58                 | identity-manager-pxgrid-service | c.c.a.common.ers.client.ErsClient | responseStatus for ersOperation GET is 200 |

You might see something like this - It’s downloading the ISE Policy SGT Matrix to sync with the DNA Policy module.

2018-12-18 20:45:28,558 |   INFO | SimpleAsyncTaskExecutor-2 | identity-manager-pxgrid-service | c.c.e.i.p.i.u.ISEEgressMatrixCellStore | duplicate cell ISEEgressMatrixCell [sourceSgtId=89d1f960-44bc-11e8-95d6-005056be5733, destinationSgtId=b7455555-6b4a-11e8-95d6-005056be5733, iseSgAcls=[com.cisco.enc.identitymanager.policy.ise.model.ISESgAcl [aclContent=deny ip, id=92955550-8c01-11e6-996c-525400b48521, name=Deny IP, ipversion=null, used=false, create=false]], id=feb5d031-6e74-11e8-a178-005056b555558, name=MerakiAPs-Wifi_Client, description=APIC-EM pushed  cell for source MerakiAPs and destination Wifi_Client, create=false, used=false, update=false, isPolicyEnabled=true] | 

Or PXGrid trying to connect and getting refused.

2018-12-18 21:04:22,218 |   INFO | Thread-89                 | identity-manager-pxgrid-service | c.c.e.i.u.PxGridReconnectionManager | Reconnecting to Host: primaryserver.local.com | 
2018-12-18 21:05:22,218 |   INFO | Thread-89                 | identity-manager-pxgrid-service | c.c.e.i.u.PxGridReconnectionManager | Reconnecting to Host: secondaryserver.local.com | 
2018-12-18 21:05:22,218 |   INFO | Thread-89                 | identity-manager-pxgrid-service | c.c.e.i.ConnectionListener | Connecting to ISE 10.99.99.11 with id: 596b7967-c7a6-4d12-9c8d-855555b816d91 | 
2018-12-18 21:05:22,231 |   INFO | Thread-89                 | identity-manager-pxgrid-service | c.c.e.i.u.PxGridReconnectionManager | Retry connect failed: The following addresses failed: 'secondaryserver.local.com:5222' failed because java.net.ConnectException: Connection refused (Connection refused) | 

These can give you the right direction to continue troubleshooting in, or may resolve your issue.