Cisco Cisco Web Security Appliance S670 User Guide

AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
 
Appendix A    Troubleshooting
Identity Services Engine Problems
The following tools are useful when diagnosing problems between the WSA and the ISE server(s):

- The ISE test utility, which tests the connection to the ISE server and reports connection-related information. This is the Start Test option on the Identity Services Engine page; see the related section of this guide.
- The ISE and Proxy logs; see the related section of this guide.
- The ISE-related CLI commands iseconfig and isedata, particularly isedata, which confirms that security group tags (SGTs) have been downloaded from ISE. See the related section of this guide for additional information.
- The Web Tracking and Policy Trace functions, which can be used to debug policy-match issues; for example, a user who should be allowed is blocked, or vice versa. See the related section of this guide for additional information.
- For checking certificate status, the openssl Online Certificate Status Protocol (ocsp) utility, available from
ISE Server Connection Issues
Certificate Issues
The WSA and the ISE server(s) use certificates to mutually authenticate each other; the connection succeeds only if both sides trust the certificate the other presents. Each certificate presented by one entity must therefore be recognizable by the other. For example, if the WSA's Client certificate is self-signed, that same certificate must be present in the trusted-certificates list on the appropriate ISE server(s). Correspondingly, if the WSA Client certificate is CA-signed, the root CA certificate that signed it must be present on the appropriate ISE server(s). The same requirements apply in the other direction to the ISE server's Admin and pxGrid certificates, which the WSA must be able to validate.
Certificate requirements and installation are described in 
If you encounter certificate-related issues, check the following:

If using CA-signed certificates:
- Verify that the root CA signing certificate(s) for the ISE Admin and pxGrid certificates are present on the WSA.
- Verify that the root CA signing certificate for the WSA Client certificate is present in the trusted-certificates list on the ISE server.

If using self-signed certificates:
- Verify that the WSA Client certificate (generated on the WSA and downloaded) has been uploaded to the ISE server and is present in the ISE server's trusted-certificates list.
- Verify that the ISE Admin and pxGrid certificates (generated on the ISE server and downloaded) have been uploaded to the WSA and are present in its certificate list.

Expired certificates:
- Confirm that certificates which were valid when uploaded have not expired since. A certificate that passed validation at upload time can still fail the connection later once its notAfter date has passed, so check the expiry date on both sides, not only whether the certificate is present.
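The checklist above reduces to two questions that can be answered offline with OpenSSL before touching either appliance: does the peer's trusted-certificates list accept the certificate being presented, and is that certificate still within its validity period. The script below is an added example, not part of the Cisco guide and not the WSA's or ISE's own validation code; it builds a throwaway lab PKI (a root CA, a CA-signed WSA Client certificate, and a self-signed WSA Client certificate, with names such as "Lab Root CA" and "wsa.example.test" chosen for the lab) and then reproduces each case in the checklist. It assumes an openssl binary (1.1.1 or later) on the PATH and uses openssl verify as a stand-in for the trust decision each side makes; the real appliances may apply additional checks.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): models the WSA<->ISE certificate
# trust rules with OpenSSL so each checklist item can be exercised locally.
# All file and host names below are lab assumptions.
set -eu

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# Minimal OpenSSL config with a CA profile and a client (WSA Client cert) profile.
cat > "$LAB/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# Build the lab PKI: root CA, a CA-signed WSA Client cert, a self-signed WSA Client cert.
lab_setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/ca.key" -out "$LAB/ca.pem" \
        -days 365 -subj "/CN=Lab Root CA" -config "$LAB/openssl.cnf" -extensions ca_ext 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/wsa.key" -out "$LAB/wsa.csr" \
        -subj "/CN=wsa.example.test" -config "$LAB/openssl.cnf" 2>/dev/null
    openssl x509 -req -in "$LAB/wsa.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" -CAcreateserial \
        -out "$LAB/wsa-ca-signed.pem" -days 365 -extfile "$LAB/openssl.cnf" -extensions client_ext 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/wsa-self.key" -out "$LAB/wsa-self.pem" \
        -days 365 -subj "/CN=wsa-selfsigned.example.test" -config "$LAB/openssl.cnf" -extensions client_ext 2>/dev/null
}

# Would a peer whose trusted-certificates list is $1 accept the presented cert $2?
# This is the question ISE asks of the WSA Client cert, and the WSA asks of the
# ISE Admin and pxGrid certs. Returns 0 when trusted, non-zero otherwise.
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does cert $1 expire within $2 seconds? Returns 0 (yes, a problem) or 1 (no).
cert_expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# The fields to compare against the peer's list when a connection fails.
cert_summary() {
    openssl x509 -noout -subject -issuer -enddate -in "$1"
}

lab_setup
for c in wsa-ca-signed wsa-self; do
    printf '== %s ==\n' "$c"
    cert_summary "$LAB/$c.pem"
    if cert_trusted_by "$LAB/ca.pem" "$LAB/$c.pem"; then
        echo "trusted via the root CA: the peer only needs the root CA certificate"
    elif cert_trusted_by "$LAB/$c.pem" "$LAB/$c.pem"; then
        echo "NOT trusted via the root CA; self-signed, so this exact certificate must be in the peer's trusted list"
    else
        echo "NOT trusted by either list: wrong or missing certificate on the peer"
    fi
    if cert_expires_within "$LAB/$c.pem" $((30 * 86400)); then
        echo "WARNING: expires within 30 days"
    fi
done
```

Run the script as-is to see the two outcomes side by side; to check a real deployment, point cert_trusted_by at the certificate list exported from one side and the certificate presented by the other, and run cert_expires_within against every certificate in both lists. The openssl ocsp utility mentioned earlier answers the separate question of whether a CA-signed certificate has been revoked, which openssl verify alone does not check.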
Log Output Indicating Certificate Issue
The following ISE-service log snippet shows a client-connection timeout due to a missing or 
invalid certificate.