User Guide for Cisco Web Security Appliance S170
AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Identity Services Engine Problems
– Verify that the ISE Admin and pxGrid certificates (generated on the ISE server and downloaded) have been uploaded to the WSA and are present in its certificate list.
• Expired certificates:
– Confirm that certificates which were valid when uploaded have not expired.
Log Output Indicating Certificate Issue
The following ISE-service log snippet shows a client-connection timeout due to a missing or
invalid certificate.
These Trace-level log entries on the WSA show that after 30 seconds the attempts to connect to the ISE
server are terminated.
Network Issues
• If connection to the ISE server fails during the Start Test on the Identity Services Engine page, check connectivity to the configured ISE server on ports 443 and 5222.
Port 5222 is the official client-to-server Extensible Messaging and Presence Protocol (XMPP) port,
and is used for connection to the ISE server; it is also used by applications such as Jabber and Google
Talk. Note that some firewalls are configured to block port 5222.
Tools that can be used to check connectivity include tcpdump.
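The port check described above, as an added example that is not part of the Cisco guide: it attempts a TCP connection to ports 443 and 5222 and separates a refused connection from a silent timeout, which is the usual difference between a service that is not listening and a firewall that drops the port. The script name `ise_ports.py` and the hint wording are assumptions, and the result describes the path from the machine running the script, which is not necessarily the path the WSA uses.

```python
import socket
import sys

# Ports named in the troubleshooting text; the labels are descriptive only.
ISE_PORTS = {443: "HTTPS", 5222: "XMPP client-to-server"}

# Triage hints (assumed wording), not definitive diagnoses.
HINTS = {
    "open": "TCP path works; check certificates and ISE-side state next",
    "refused": "host answered but nothing accepted the connection; "
               "ISE services may not be up yet",
    "timeout": "no answer at all; a firewall may be dropping this port",
}


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:  # DNS failure, no route to host, and similar
        return "error: %s" % (exc.strerror or exc)


def diagnose(host, ports=ISE_PORTS, timeout=5.0):
    """Probe every port and return {port: (state, hint)}."""
    report = {}
    for port in ports:
        state = probe(host, port, timeout)
        report[port] = (state, HINTS.get(state, "see error text"))
    return report


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ise_ports.py <ise-server-hostname>")
    for port, (state, hint) in diagnose(sys.argv[1]).items():
        print("%-5d %-22s %-8s %s" % (port, ISE_PORTS[port], state, hint))
```

A `timeout` on 5222 alongside `open` on 443 points at a port-specific filter between the two hosts rather than at the ISE server itself.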
Other ISE Server Connectivity Issues
The following issues can cause failure when the WSA attempts to connect with the ISE server:
• Licenses on the ISE server have expired.
• The pxGrid node status is “not connected” on the ISE server’s Administration > pxGrid Services page. Be sure Enable Auto-Registration is selected on this page.
• Outdated WSA clients (specifically “test_client” or “pxgrid_client”) are present on the ISE server. These need to be deleted; see Administration > pxGrid Services > Clients on the ISE server.
• The WSA is attempting to connect to the ISE server before all its services are up and running.