Cisco Web Security Appliance S170 User Guide
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Identity Services Engine Problems
Network Issues
• If connection to the ISE server fails during the Start Test on the Identity Services Engine page, check connectivity to the configured ISE server on ports 443 and 5222.
Port 5222 is the official client-to-server Extensible Messaging and Presence Protocol (XMPP) port, and is used for connection to the ISE server; it is also used by applications such as Jabber and Google Talk. Note that some firewalls are configured to block port 5222.
Tools that can be used to check connectivity include telnet and tcpdump.
ISE Server Connectivity Issues
The following issues can cause failure when the WSA attempts to connect with the ISE server:
• Licenses on the ISE server have expired.
• The pxGrid node status is “not connected” on the ISE server’s Administration > pxGrid Services page. Be sure Enable Auto-Registration is selected on this page.
• Outdated WSA clients (specifically “test_client” or “pxgrid_client”) are present on the ISE server. These need to be deleted; see Administration > pxGrid Services > Clients on the ISE server.
• The WSA is attempting to connect to the ISE server before all its services are up and running. Some changes on the ISE server, such as certificate updates, require the ISE server or services running on it to restart. Any attempt to connect to the ISE server during this time will fail; however, eventually the connection will succeed.
ISE-related Critical Log Messages
This section contains explanations for ISE-related critical Log messages on the WSA:
• Tue Mar 24 03:56:47 2015 Critical: ISEService: Unable to load configuration!! Config file /data/ise/ise_service.ini not found
The ‘thirdparty’ process failed to generate the configuration file /data/ise/ise_service.ini. Check the ‘thirdparty’ logs.
• Tue Mar 24 03:56:47 2015 Critical: ISEService: Unable to load configuration from: /data/ise/ise_service.ini!! Error …
Check contents of /data/ise/ise_service.ini or ise_service.ini.factory file.
• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: Waiting for client connection timed out
The WSA’s ISE process failed to connect to the ISE server for 30 seconds.
• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: WSA Client cert/key missing. Please check ISE config
The WSA Client certificate and key were not uploaded or generated on the WSA’s Identity Services Engine configuration page.
• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: ISE service exceeded maximum allowable disconnect duration with ISE server
The WSA’s ISE process could not connect to the ISE server for 120 seconds and exited.
• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: Subscription to updates failed …
The WSA’s ISE process could not subscribe to the ISE server for updates.
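The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool: it triages exported WSA log lines against the critical messages listed above. The names triage, process_exited and the finding keys are hypothetical, the line layout (timestamp, severity, component, message) is inferred from the samples above, and the sample lines are constructed.

```python
import re
from datetime import datetime

ISE_CRITICAL = [  # patterns and explanations follow the messages listed above
    (r"Unable to load configuration!! Config file \S+ not found", "config_missing",
     "'thirdparty' process did not generate the file; check the 'thirdparty' logs"),
    (r"Unable to load configuration from:", "config_unreadable",
     "check contents of ise_service.ini or ise_service.ini.factory"),
    (r"Waiting for client connection timed out", "connect_timeout_30s",
     "ISE process failed to connect to the ISE server for 30 seconds"),
    (r"WSA Client cert/key missing", "client_cert_missing",
     "client certificate and key were not uploaded or generated on the WSA"),
    (r"exceeded maximum allowable disconnect duration", "disconnect_120s_exit",
     "no connection to the ISE server for 120 seconds; ISE process exited"),
    (r"Subscription to updates failed", "subscribe_failed",
     "ISE process could not subscribe to the ISE server for updates"),
]
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (\w+): (ISE\w+): (.*)$")

def triage(lines):
    """Return (timestamp, component, key, explanation) per ISE critical line."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "Critical":
            continue  # not an ISE component line, or not critical
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        for pattern, key, meaning in ISE_CRITICAL:
            if re.search(pattern, m.group(4)):
                findings.append((ts, m.group(3), key, meaning))
                break
        else:  # critical ISE message that this page does not describe
            findings.append((ts, m.group(3), "unknown", m.group(4)))
    return findings

def process_exited(findings):
    """True if the 120-second disconnect, after which the process exits, was logged."""
    return any(key == "disconnect_120s_exit" for _, _, key, _ in findings)

# Constructed sample lines modelled on the message formats above.
SAMPLE = [
    "Tue Mar 24 03:56:17 2015 Info: ISEService: constructed non-critical line",
    "Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: Waiting for client connection timed out",
    "Tue Mar 24 03:58:17 2015 Critical: ISEEngineManager: ISE service exceeded maximum allowable disconnect duration with ISE server",
    "Tue Mar 24 03:59:00 2015 Critical: ISEService: Unable to load configuration from: /data/ise/ise_service.ini!! Error (constructed)",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A 30-second timeout followed by the 120-second message means the ISE process is no longer running, so process_exited is the result to alert on.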