Cisco Bug: CSCvv58971 - ISE integration fails when ISE PPAN certificate contains unreachable CDP

Last Modified

Oct 11, 2020

Products (1)

  • Cisco DNA Center

Known Affected Releases

DNAC-Cyclops DNAC2.1.1.3

Description (partial)

Symptom:
In Cisco DNA Center, functionality that depends on integration with ISE is broken and the System 360 page shows ISE as "unavailable".

The network-design service's logs show the following:
2020-09-02 07:59:54,306 |   INFO | pool-12-thread-1          |  | c.c.a.c.s.trust.CiscoISEManager | ----------------------------------------------- | 
2020-09-02 07:59:54,306 |   INFO | pool-12-thread-1          |  | c.c.a.c.s.trust.CiscoISEManager | Updating ISE server trust status | 
2020-09-02 07:59:54,306 |   INFO | pool-12-thread-1          |  | c.c.a.c.s.trust.CiscoISEManager | ----------------------------------------------- | 
2020-09-02 07:59:54,388 |   WARN | pool-12-thread-1          |  | c.c.a.c.e.f.ISEHttpClientFactory | Unable to find OCSP URL in server certificate. Reason: Missing fields while retreiving Authority information access | 
2020-09-02 07:59:54,391 |   INFO | pool-12-thread-1          |  | c.c.a.c.e.f.ISEHttpClientFactory | Server certificate has a valid OCSP/CRL URL: true | 

and a few lines further down:

2020-09-02 07:59:54,659 |  ERROR | pool-12-thread-1          |  | c.c.a.c.e.c.CloseableHttpClientUtils | IOException:  | 
java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder

Conditions:
This occurs when ALL of the following conditions are met:
(1) Cisco DNA Center 2.1 is used. This does not affect Cisco DNA Center 1.3 or earlier.
(2) ISE has an admin certificate that contains two or more CDPs (CRL Distribution Points) and does not contain an OCSP responder URL.
(3) One (or both) of the CDPs uses an LDAP URI, or uses an HTTP URI that is unreachable from Cisco DNA Center.
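The following pre-check is an added example, not part of this bug record or of Cisco's code: it parses the CDP and OCSP URIs out of the text printed by `openssl x509 -in <ise_admin.pem> -noout -text` and reports whether an ISE admin certificate meets conditions (2) and (3). The sample openssl text and the `http_reachable` probe are constructed assumptions.

```python
# Added check for the CDP/OCSP combination in this bug; not Cisco code. Input is
# the text from "openssl x509 -in ise_admin.pem -noout -text"; SAMPLE is constructed.
import sys

def parse_openssl_text(text):
    """Return (cdp_uris, ocsp_uris). openssl indents an extension's body deeper
    than its header line, so a line at or above the header's indent ends it."""
    cdp, ocsp, section, header_indent = [], [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        if section and indent <= header_indent:
            section = None
        if line.startswith("X509v3 CRL Distribution Points:"):
            section, header_indent = "cdp", indent
        elif line.startswith("Authority Information Access:"):
            section, header_indent = "aia", indent
        elif section == "cdp" and line.startswith("URI:"):
            cdp.append(line[len("URI:"):])
        elif section == "aia" and line.startswith("OCSP - URI:"):
            ocsp.append(line[len("OCSP - URI:"):])
    return cdp, ocsp

def bug_reasons(cdp, ocsp, http_reachable=lambda uri: True):
    """Why the cert meets conditions (2) and (3) above; [] if it does not. The
    http_reachable probe is hypothetical; the default assumes HTTP CDPs resolve."""
    if ocsp or len(cdp) < 2:  # an OCSP URL, or fewer than two CDPs: not affected
        return []
    reasons = []
    for uri in cdp:
        if uri.lower().startswith("ldap:"):
            reasons.append("LDAP CDP: " + uri)
        elif uri.lower().startswith("http") and not http_reachable(uri):
            reasons.append("unreachable HTTP CDP: " + uri)
    return reasons

SAMPLE = """\
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.example.test/CorpCA.crl
                Full Name:
                  URI:ldap:///CN=CorpCA,CN=CDP,DC=example,DC=test?certificateRevocationList
            X509v3 Key Usage: critical
"""
if __name__ == "__main__":  # pipe real openssl output in, or run with no stdin
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(bug_reasons(*parse_openssl_text(text)) or "not affected")
```

A certificate that reports any reason here would hit the "Certificate does not specify OCSP responder" path above; reissuing the ISE admin certificate with an OCSP responder URL or a single reachable HTTP CDP clears it.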