User Guide for Cisco Web Security Appliance S170
AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Identity Services Engine Problems
Tools for Troubleshooting ISE Issues
The following can be useful when troubleshooting ISE-related issues:
• The ISE test utility, used to test the connection to the ISE server, provides valuable connection-related information. This is the Start Test option on the Identity Services Engine page; see
• ISE and Proxy Logs; see .
• ISE-related CLI commands iseconfig and isedata, particularly isedata to confirm security group tag (SGT) download. See for additional information.
• The Web Tracking and Policy Trace functions can be used to debug policy match issues; for example, a user that should be allowed is blocked, and vice versa. See for additional information.
• For checking certificate status, you can use the openssl Online Certificate Status Protocol (ocsp) utility, available from
ISE Server Connection Issues
Certificate Issues
The WSA and the ISE server(s) use certificates to mutually authenticate for successful connection. Thus, each certificate presented by one entity should be recognizable by the other. For example, if the WSA’s Client certificate is self-signed, the same certificate must be present in the trusted certificates list on the appropriate ISE server(s). Correspondingly, if the WSA Client certificate is CA-signed, then the CA root certificate must be present on the appropriate ISE server(s). Similar requirements apply to the ISE server-related Admin and pxGrid certificates.
Certificate requirements and installation are described in
If you encounter certificate-related issues, check the following:
• If using CA-signed certificates:
– Verify that the root CA signing certificate(s) for the Admin and pxGrid certificates are present on the WSA.
– Verify that the root CA signing certificate for the WSA Client certificate is present in the trusted-certificates list on the ISE server.
• If using self-signed certificates:
– Verify that the WSA Client certificate—generated on the WSA and downloaded—has been uploaded to the ISE server and is present in the ISE server's trusted-certificates list.
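The two trust rules in this checklist can be verified offline once the certificate and the peer's trusted-certificates list have been exported as PEM files. The following is an added example, not part of the Cisco guide: a POSIX shell helper built on the openssl command line, in which the function names and file names are assumptions.

```shell
#!/bin/sh
# Added example: offline check of the certificate trust rules between two peers.
# File names passed in are placeholders for PEM files exported from each device.

# fp FILE: SHA-256 fingerprint of the first certificate in FILE
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# is_self_issued FILE: true when subject and issuer names are identical
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# in_trust_list CERT BUNDLE: true when CERT itself is one of the certs in BUNDLE
in_trust_list() {
  want=$(fp "$1"); tmp=$(mktemp -d); rc=1
  # split the PEM bundle into one file per certificate
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$2"
  for c in "$tmp"/*.pem; do
    if [ -f "$c" ] && [ "$(fp "$c")" = "$want" ]; then rc=0; fi
  done
  rm -rf "$tmp"; return "$rc"
}

# check_peer_trust CERT PEER_TRUST_BUNDLE
# Returns 0 only when the peer holding PEER_TRUST_BUNDLE would recognize CERT.
check_peer_trust() {
  if is_self_issued "$1"; then
    # self-signed: the same certificate must be in the peer's list
    if in_trust_list "$1" "$2"; then echo "TRUSTED: certificate is in the peer trust list"; return 0; fi
    echo "FIX: upload this self-signed certificate to the peer's trusted-certificates list"
  else
    # CA-signed: the chain must end at a root in the peer's list
    # (openssl verify may also consult the system default store)
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo "TRUSTED: chains to a root in the peer trust list"; return 0; fi
    echo "FIX: add the signing root CA certificate to the peer's trusted-certificates list"
  fi
  return 1
}

# usage: sh check_trust.sh wsa_client.pem ise_trusted_certs.pem
if [ "$#" -eq 2 ]; then check_peer_trust "$1" "$2"; fi
```

Run it once per direction: the WSA Client certificate against the ISE trust list, then the ISE Admin and pxGrid certificates against the WSA trust list.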